Title: Message

That’s what I get for reading my inbox “up”…  David: do read my treatise in my earlier email.

 

But Matt Hargraves' response did raise the one technical issue I only alluded to: token size. He’s right to raise a ‘flag’ about Exchange.

 

Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective ‘maximum users per Exchange server’ level somewhat… but whether that ‘somewhat’ would be salient depends on several factors.

 

To “tie together” what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS.  You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources; more complex security; and more ‘spread out’ resources and you’ll be better served by the design I described.  In a simpler environment (e.g. “we have a departmental share with each department having a subfolder” on the extreme side), you don’t necessarily need the ABS layer.

 

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wyatt, David
Sent: Wednesday, July 26, 2006 8:28 AM
To: [email protected]
Subject: [ActiveDir] Domain Local Groups vs Global Groups

 

I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups, then putting the global groups into local groups, then permissioning the resource with the local group. But:

 

1.  Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder?  Is this excessive?  I have read something about performance or avoiding limits by using the server local group when the access token is created.

 

2.  What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource? We only have a single forest/domain.

 

I am also aware of Universal groups but let's put these to one side.....for the moment..;-)

 

 

Thanks

David
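
[Added example, not part of either message above.] The token-size concern in the reply and the two layouts in the question (global groups nested into domain local groups, versus global groups placed directly on the resource) can be compared with Microsoft's published Kerberos token-size estimate, 1200 + 40d + 8s bytes, where d counts domain local groups and s counts global groups. The formula, the 12,000-byte default MaxTokenSize of Windows 2000/2003 and the roughly 1,015-group ceiling are not stated in the thread; all account and group names are constructed.

```python
from collections import deque

MAX_TOKEN_SIZE = 12000  # default MaxTokenSize on Windows 2000/2003 (assumption, not from the thread)
MAX_GROUP_SIDS = 1015   # approximate ceiling on group memberships per access token

# Constructed sample, single domain: member -> groups it belongs to directly.
MEMBER_OF = {
    "jsmith": ["GG-Role-Finance", "GG-Role-Managers"],
    "GG-Role-Finance": ["DL-FinShare-RW", "DL-Budget-RO"],
    "GG-Role-Managers": ["DL-Budget-RO", "DL-HR-Reviews-RW"],
}
SCOPE = {
    "GG-Role-Finance": "global", "GG-Role-Managers": "global",
    "DL-FinShare-RW": "domain_local", "DL-Budget-RO": "domain_local",
    "DL-HR-Reviews-RW": "domain_local",
}

def expand_groups(principal, member_of):
    """Return every group reachable from principal through nesting (cycle-safe)."""
    seen, queue = set(), deque([principal])
    while queue:
        for group in member_of.get(queue.popleft(), []):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen

def estimate_token(principal, member_of, scope):
    """Estimate token size as 1200 + 40*d + 8*s bytes over the expanded groups."""
    groups = expand_groups(principal, member_of)
    d = sum(1 for g in groups if scope[g] == "domain_local")
    s = sum(1 for g in groups if scope[g] == "global")
    size = 1200 + 40 * d + 8 * s
    return {"groups": len(groups), "d": d, "s": s, "bytes": size,
            "over_limit": size > MAX_TOKEN_SIZE or len(groups) > MAX_GROUP_SIDS}

def roles_only(member_of, scope):
    """Same memberships with the domain local layer removed (global groups on ACLs)."""
    return {m: [g for g in gs if scope[g] == "global"] for m, gs in member_of.items()}

def max_domain_local_groups(s):
    """How many domain local groups fit under MAX_TOKEN_SIZE for s global groups."""
    return (MAX_TOKEN_SIZE - 1200 - 8 * s) // 40

if __name__ == "__main__":
    print("nested:", estimate_token("jsmith", MEMBER_OF, SCOPE))
    print("flat:  ", estimate_token("jsmith", roles_only(MEMBER_OF, SCOPE), SCOPE))
```

Each domain local group costs five times what a global group costs in this estimate, so a per-resource group layer is what consumes the budget as the number of resources a role reaches grows.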
