In an effort to improve file server security and group management as a whole, I find myself curious about what other folks do in similar situations.

The environment: 1 File Server, 1 Win2k3 Forest, 3 domains, Exchange 2k

Current config: A bunch of global security groups that are pretty much useless and many, many Universal Distribution Lists. How are permissions assigned to our shares, you ask? Domain Users - Full Control, except in those instances where someone said, "hey, that's private, make me a group and remove everyone else's permissions!"

So my current thought is the following:

- Create Domain Local groups on a "per share/per perm" basis, i.e.: sales-share_FC for the share called "Sales Share" and the access of Full Control, and give that group the proper perms on the share. Those groups would be populated with either users or mail-enabled Universal Security Groups (all UDGs would need to be converted to USGs). The result: the ACLs on all shares will only ever have groups, not users.
- All mail-enabled groups will be mail-enabled Universal Security Groups.
- Global groups will be used if (1.) there's no need for this group to contain users from other domains, or (2.) this group must be given access to resources in another domain.

I have the feeling I'm missing something... If anyone sees something ridiculously wrong with this setup please let me know.

TIA
-Alex
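The first bullet of the plan (one Domain Local group per share/permission pair, populated with users or Universal Security Groups, and only that group on the NTFS ACL) as an added PowerShell example; this is not code from the original post. It assumes the ActiveDirectory module (RSAT) and a reachable DC, and the share path, OU and USG name in the final call are placeholders.

```powershell
# Added example: per-share Domain Local groups named like the post's
# "sales-share_FC", nested USG/user members, and an ACL that carries only groups.
Import-Module ActiveDirectory

# "Sales Share" + "FC" -> "sales-share_FC" (the naming scheme from the post)
function Get-ShareGroupName {
    param([string]$ShareName, [ValidateSet('FC','RW','RO')][string]$Perm)
    $base = $ShareName.Trim().ToLower() -replace '\s+', '-'
    return "${base}_$Perm"
}

# Permission tag -> NTFS rights the group actually receives
$RightsMap = @{
    FC = [System.Security.AccessControl.FileSystemRights]::FullControl
    RW = [System.Security.AccessControl.FileSystemRights]::Modify
    RO = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
}

function New-ShareAccessGroup {
    param([string]$ShareName, [string]$Perm, [string]$Path, [string[]]$Members, [string]$GroupOU)
    $name = Get-ShareGroupName -ShareName $ShareName -Perm $Perm

    # Domain Local scope: the group only ever guards a resource in this domain
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
            -Description "NTFS $Perm on share '$ShareName' ($Path)"
    }
    # Members are users or Universal Security Groups; they never go on the ACL directly
    if ($Members) { Add-ADGroupMember -Identity $name -Members $Members }

    $domain = (Get-ADDomain).NetBIOSName
    $acl = Get-Acl -Path $Path
    # Remove the explicit "Domain Users - Full Control" ACE the post describes as the
    # current default (inherited ACEs must be fixed at the parent folder instead)
    $stale = @($acl.Access | Where-Object {
        $_.IdentityReference -eq "$domain\Domain Users" -and -not $_.IsInherited })
    foreach ($ace in $stale) { [void]$acl.RemoveAccessRuleSpecific($ace) }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$name", $RightsMap[$Perm], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    return $name
}

# Placeholder share path, OU and Universal Security Group name
New-ShareAccessGroup -ShareName 'Sales Share' -Perm FC -Path 'D:\Shares\Sales' `
    -Members 'Sales-Team-USG' -GroupOU 'OU=ShareGroups,DC=example,DC=com'
```

Run it once per share/permission pair; afterwards `(Get-Acl $Path).Access` should list only groups, which is the check the post's "groups, not users" goal calls for.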
