One example could be that certain groups are always assumed to be domain local, whilst others global. Universal left only for special admin privs and noted in the comment field.
My example is an assumed empty root domain fashion, with resources as a child or trust:

For Domain Local, one could use them solely for file system access. Win2k group permissions or printer permissions would be fashioned explicitly on the respective objects.

E.g. for a group: servername_share_x would be permissioned DIRECTLY on the file system and the share would remain 'everyone, Change Access' - it is not recommended to use 'everyone, Full' (due to flaws in NTFS).

    servername = obvious
    share = specifically the name of a share
    x = nothing in this area IF the object is change, since it tends to be redundant and usually the most requested - in other words, always assumed change unless otherwise noted. Unique differences, however, would be flagged: R - read only, L - List, etc.

    servername_developers
    servername_training_R
    servername_HR_R
    servername_HR

In the last example, the permissioning would be obvious: some people who need read only access to HR's share would be different than those needing change access. Full control should NEVER be granted to users and reserve that to the admin function of the server. This is listed in the next paragraph.

For Global Groups, this would be best for Domain or OU Administration OR team group access which may contain a multiple set of domain local permissions. Some simple three letter identifier would be best:

    Adm_microsoft_userpswdreset (Delegated to Password Resets for the Microsoft Domain)
    Adm_fileservers (Full Admin Control to just File Servers)
    Adm_specificfileserver (Full Admin to a specific server)
    Org_Developers (DLG like servername_developer, servername_training_R would contain this, users would be added to this group)
    Org_AutomotivePartsDivision
    WWW_WebsiteAccess (specific web name)

The nice thing with keeping such a convention that if another domain needs access to this environment which may just have a trust from a new company, division that is not a branch of the forest or simply an NT 4.0 domain.
This convention can grant access via global groups being placed in the local group access through the standard NT 4 conventions. If you are in the same forest, then you can simply be added to the domain local group itself.

The three letter code for global identifier would be an obvious benefit when administrating the domain. Since searches or group additives would "ignore" OU conventions, this would benefit mistakes from adding someone to a group wide access vs an administrative access. Local groups would show the file servers listed in alphabetical order.

Use your imagination for other three letter conventions.

Just my two pennies.

-Jon

-----Original Message-----
From: David Adner [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 07, 2003 9:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] What's your group naming convention?

We're looking to establish a naming standard for local and global groups and I'm interested in any thoughts, suggestions, examples, etc.

--
David

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
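As an added illustration of the convention in Jon's reply (not code from the thread), this Python example derives each user's share access from group names and memberships alone and lists group names that do not fit the convention. The server name fs01, the user names, the memberships and the ordering list < read < change are assumptions.

```python
# Added example. Servers, users and memberships are constructed sample data.
FLAGS = {"R": "read", "L": "list"}        # suffix flags; no suffix means change
GLOBAL_PREFIXES = ("Adm", "Org", "WWW")   # three-letter codes used in the post
RANK = {"list": 0, "read": 1, "change": 2}  # assumed ordering for overlaps

def classify(name, servers):
    """Describe a group by its name alone; None if it breaks the convention."""
    parts = name.split("_")
    if len(parts) < 2 or not all(parts):
        return None
    if parts[0] in GLOBAL_PREFIXES:
        return {"scope": "global", "kind": parts[0]}
    if parts[0] not in servers:
        return None
    share, access = parts[1:], "change"
    if len(share) > 1 and share[-1] in FLAGS:
        access = FLAGS[share.pop()]
    return {"scope": "domain-local", "server": parts[0],
            "share": "_".join(share), "access": access}

def expand(member, memberships, seen):
    """Resolve a member to user names, following nested groups once each."""
    if member not in memberships:
        return {member}                   # not a known group: a user account
    if member in seen:
        return set()                      # already visited (or a nesting loop)
    seen.add(member)
    return set().union(*(expand(m, memberships, seen) for m in memberships[member]))

def access_report(memberships, servers):
    """Return ({(user, server, share): access}, [nonconforming group names])."""
    report, bad = {}, []
    for group in memberships:
        info = classify(group, servers)
        if info is None:
            bad.append(group)
        elif info["scope"] == "domain-local":
            for user in expand(group, memberships, set()):
                key = (user, info["server"], info["share"])
                if RANK[info["access"]] > RANK.get(report.get(key), -1):
                    report[key] = info["access"]
    return report, sorted(bad)

SERVERS = {"fs01"}
MEMBERSHIPS = {
    "Org_Developers": ["alice", "bob"], "fs01_developers": ["Org_Developers"],
    "fs01_HR_R": ["Org_Developers", "carol"], "fs01_HR": ["carol"],
    "Domain Helpers": ["dave"],           # breaks the convention
}
```

Calling access_report(MEMBERSHIPS, SERVERS) returns the per-user access map and the list of nonconforming names; a user who sits in both the read-only and the change group for a share is reported with change.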