I never ever use user objects added directly to ACLs. It just creates a
royal pain in the ass. If you've ever worked as an outsourcer and taken over
an IT infrastructure where everything is added to the ACLs in this way, you
will know just how awful it can be. Aside from the fact that when user
objects are deleted you end up with sh*tloads of SIDs sitting on your ACLs
and can't tidy them up easily.

I keep my groups as simple as possible and try and have one function per
group to maintain an easy visibility of all a user's permissions just from
their group memberships. One group to allow web access, one for each
different resource access, one to deploy a printer, one to deploy an
application, etc. I think nesting just adds an extra level of
complexity... YMMV

2009/4/1 Stephen Wimberly <[email protected]>

> I have two file servers, each Windows 2003 R2, and use DFS replication to
> keep the DFS shares in sync... I have a Windows Server 2003 R2 domain in a
> single domain forest, if that matters.
>
> I have always shared folders to a group and maintained the members of those
> groups to allow specific access.  I have considered this best practice.  I
> now have two coworkers that insist on adding user objects rather than
> security groups directly to the file shares as well as specific folders
> under the file share.
>
> Other than a maintenance nightmare, is there really any reason for using
> security groups over user objects?  Does it create more CPU overhead for
> example?
>
> Thanks in Advance!
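
One way to find the two problems described in this thread, user objects placed directly on ACLs and leftover SIDs from deleted accounts, is to audit the explicit ACEs under a share. This is an added example, not code from either poster; it assumes a domain-joined host, and `$Root` and the function name `Get-AceFinding` are hypothetical.

```powershell
# Added example: list explicit ACEs that name a user account or a SID that no
# longer resolves. Assumes a domain-joined host; $Root is a hypothetical path.
param([string]$Root = 'D:\Shares\Example')

function Get-AceFinding {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit (non-inherited) ACEs only, returned as SIDs rather than names.
    $rules = $acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference
        # Well-known and BUILTIN SIDs have no account domain part; skip them.
        if ($null -eq $sid.AccountDomainSid) { continue }

        $who = $sid.Value
        $finding = $null
        try {
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $finding = 'OrphanedSid'    # account was deleted, ACE left behind
        }
        if (-not $finding) {
            # Read objectClass from AD to tell user objects from groups.
            # Computer accounts also carry the 'user' class and are reported too.
            try { $classes = @(([ADSI]"LDAP://<SID=$($sid.Value)>").objectClass) }
            catch { $classes = @() }
            if ($classes -contains 'group') { continue }    # the intended case
            if ($classes -contains 'user') { $finding = 'DirectUserAce' }
            else { $finding = 'Unclassified' }              # e.g. local account
        }
        New-Object PSObject -Property @{
            Path    = $Path
            Finding = $finding
            Account = $who
            Rights  = $rule.FileSystemRights
        }
    }
}

# Check the root folder and every subfolder, then print the findings.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse |
               Where-Object { $_.PSIsContainer })
$folders | ForEach-Object { Get-AceFinding -Path $_.FullName } |
    Sort-Object Finding, Path |
    Format-Table Finding, Account, Rights, Path -AutoSize
```

Only explicit ACEs are inspected, so each finding points at the folder where the entry was actually set rather than at every child that inherits it.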
