I agree with you - use groups. Your security token is built when you log on to a workstation and once each 10 hours after that (with a bit of randomness thrown in - I'm sure Ken can tell us how Kerberos does that - I don't keep up with those details). :-)
That includes the groups of which you are a member (their SIDs) and your account SID. Using groups allows you to actually reduce the processing overhead by reducing the number of SIDs which must be compared to determine whether a particular process/user/etc. can gain access.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Monitoring Exchange w/OpsMgr now available http://snurl.com/45ppf

________________________________
From: Stephen Wimberly
Sent: Wednesday, April 01, 2009 7:32 AM
To: NT System Admin Issues
Subject: File Server Security; Best Practice.

I have two file servers, each Windows 2003 R2, and use DFS replication to keep the DFS shares in sync...

I have a Windows Server 2003 R2 domain in a single domain forest, if that matters.

I have always shared folders to a group and maintained the members of those groups to allow specific access. I have considered this best practice.

I now have two coworkers that insist on adding user objects rather than security groups directly to the file shares as well as specific folders under the file share.

Other than a maintenance nightmare, is there really any reason for using security groups over user objects? Does it create more CPU overhead for example?

Thanks in Advance!
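The SID comparison discussed in the thread above, as an added example that is not part of either message: a simplified Python model of an ordered DACL walk, run against a folder with 200 per-user ACEs and against one with a single group ACE. The SIDs, the ACLs and the function names are constructed for illustration; this is not Windows' own access-check code.

```python
# Simplified model of an ordered DACL walk (not Windows' own code).
# Every SID and ACL below is a constructed sample value.
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the ACE applies to
    mask: int   # access bits the ACE covers

def access_check(token_sids, dacl, desired):
    """Return (granted, aces_examined) for the desired access bits."""
    remaining, examined = desired, 0
    for ace in dacl:
        examined += 1
        if ace.sid not in token_sids:
            continue                      # ACE is for someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False, examined        # explicit deny wins
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, examined     # everything requested is granted
    return False, examined                # implicit deny

def token_for(user_sid, group_sids=()):
    """The token is a snapshot: account SID plus group SIDs at logon."""
    return frozenset({user_sid, *group_sids})

DOMAIN = "S-1-5-21-1111-2222-3333"                  # constructed
USERS = [f"{DOMAIN}-{1100 + i}" for i in range(200)]
GROUP = f"{DOMAIN}-5000"                             # hypothetical share group
PER_USER_DACL = [Ace("allow", sid, READ | WRITE) for sid in USERS]
GROUP_DACL = [Ace("allow", GROUP, READ | WRITE)]

def compare(user_index):
    """Same user, same request, against both ACL styles."""
    user = USERS[user_index]
    direct = access_check(token_for(user), PER_USER_DACL, READ)
    grouped = access_check(token_for(user, [GROUP]), GROUP_DACL, READ)
    return direct, grouped

if __name__ == "__main__":
    for i in (0, 199):
        print(i, compare(i))
```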
