That’s what I get for reading my inbox “up”… David: do read my treatise in my earlier email. But Matt Hargraves’ response did raise the one technical issue I only alluded to: token size.

He’s right to raise a ‘flag’ about Exchange. Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective ‘maximum users per Exchange server’ level somewhat… but whether that ‘somewhat’ would be salient depends on several factors.

To “tie together” what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS. You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources; more complex security; and more ‘spread out’ resources and you’ll be better served by the design I described. In a simpler environment (e.g. “we have a departmental share with each department having a subfolder” on the extreme side), you don’t necessarily need the ABS layer.

Dan

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David

I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group. But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.
2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource. We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side.....for the moment..;-)

Thanks

David
- RE: [ActiveDir] Domain Local Groups vs Global Groups Dan Holme
- RE: [ActiveDir] Domain Local Groups vs Global Groups Dan Holme
- Re: [ActiveDir] Domain Local Groups vs Global Grou... Matt Hargraves
- RE: [ActiveDir] Domain Local Groups vs Global Groups Wyatt, David
