I've had difficulty finding a better forum in which to ask this.  And since
it involves AD Security Groups I thought I could get away with it.


We're in the process of migrating to a new file server.  Our shared drive 
has a basic structure of:

Shared\Department\Sub-Department\<one public folder & one private folder>

Our original thought was to have one Read and one Read/Write group for each 
public and private folder.  Those groups would then be populated by role 
based groups (department groups, position groups (ex all management)).  I've
written a script that you can point to a directory structure and it creates 
the appropriate groups and assigns the security permissions.

However I end up creating a lot of groups.  Just in ITS (for example) we 
have 15 sub-departments so that will produce 60 groups right there.  On the 
other hand everything is very structured and in theory you can manage file 
security permissions from within AD.  Since everything is scripted you never
need to go and look at folder permissions (except for the file server admin 
guys when troubleshooting).

I'm also concerned that users will end up being in groups that are nested in
a substantial number of groups.  For instance most of the public-read 
groups for ITS will contain the group "ITS - All Staff".  That means any 
given ITS employee will have 30 security group tokens just from this.


Any thoughts or opinions?

Steve Evans

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
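
An added example, not part of the original post and not the author's script: a small planner that derives the per-folder Read and Read/Write groups from a department tree, follows the nesting from a user through a role group, and sizes the resulting token with Microsoft's published estimate (1200 + 40d + 8s bytes). Assumptions: the `FS-...` naming, resource groups being domain local, role groups being global, and the sample tree and user name are all constructed for illustration.

```python
# Added example: models the group scheme described in the post.
# Group names, group scopes and the sample tree are assumptions.
from collections import defaultdict

def build_groups(tree):
    """tree: {department: [sub_department, ...]} -> resource group names.
    One Read and one Read/Write group per public and per private folder."""
    return [f"FS-{dept}-{sub}-{folder}-{access}"
            for dept, subs in tree.items()
            for sub in subs
            for folder in ("Public", "Private")
            for access in ("R", "RW")]

def transitive_groups(principal, member_of):
    """Every group reached from principal by following nesting (cycle-safe)."""
    seen, stack = set(), [principal]
    while stack:
        for parent in member_of.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen

def estimated_token_bytes(domain_local, global_or_universal):
    """Microsoft's published estimate: 1200 + 40d + 8s bytes."""
    return 1200 + 40 * domain_local + 8 * global_or_universal

def plan(tree, dept, role_group, user):
    """Nest role_group into every public read group of dept, then size the token.
    Returns (groups created, groups in the user's token, estimated bytes)."""
    resource = set(build_groups(tree))
    member_of = defaultdict(set)
    member_of[user].add(role_group)
    for g in resource:
        if g.startswith(f"FS-{dept}-") and g.endswith("-Public-R"):
            member_of[role_group].add(g)
    reached = transitive_groups(user, member_of)
    dl = len(reached & resource)  # resource groups assumed domain local
    return len(resource), len(reached), estimated_token_bytes(dl, len(reached) - dl)

# Constructed sample tree: one department with three sub-departments.
SAMPLE_TREE = {"ITS": ["Helpdesk", "Network", "Servers"]}

if __name__ == "__main__":
    print(plan(SAMPLE_TREE, "ITS", "ITS - All Staff", "user1"))
```

Running the same model over the real directory tree and role groups before creating anything gives a per-user group count and token estimate to compare against the domain's Kerberos MaxTokenSize setting.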
