Also suppose someone says John needs to take over the job of Carl as Carl is 
leaving.

If you use groups, look at the groups of Carl, add John to the same groups, 
done.

If you don't use groups, it's a big PITA finding out which permissions Carl has
and then replacing those with John.

René

From: Stephen Wimberly [mailto:[email protected]] 
Sent: Wednesday, April 01, 2009 3:12 PM
To: NT System Admin Issues
Subject: Re: File Server Security; Best Practice.

This sounds like what I needed, I'm like you, I don't keep up with the small 
stuff and keep things as simple as possible.

Here it sounds like it's not only wasted CPU, but it stores more in RAM (more 
SIDs).  On a server that is already experiencing some resource issues, we need 
to cut corners everywhere we can!

That on top of the other reply, which results in the horrid SID issue when a 
user object is deleted, which is the more obvious problem but can easily be 
dismissed in circumstances where there is little turnover.

Thanks again!

On Wed, Apr 1, 2009 at 8:50 AM, Michael B. Smith <[email protected]> 
wrote:

I agree with you - use groups.

Your security token is built when you log on to a workstation and once each 10 
hours after that (with a bit of randomness thrown in - I'm sure Ken can tell us 
how Kerberos does that - I don't keep up with those details). :-)

That includes the groups of which you are a member (their SIDs) and your 
account SID.

Using groups allows you to actually reduce the processing overhead by reducing 
the number of SIDs which must be compared to determine whether a particular 
process/user/etc. can gain access.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael

Monitoring Exchange w/OpsMgr now available http://snurl.com/45ppf

________________________________

From: Stephen Wimberly [[email protected]]
Sent: Wednesday, April 01, 2009 7:32 AM
To: NT System Admin Issues
Subject: File Server Security; Best Practice.

I have two file servers, each Windows 2003 R2, and use DFS replication to keep 
the DFS shares in sync... I have a Windows Server 2003 R2 domain in a single 
domain forest, if that matters.

I have always shared folders to a group and maintained the members of those 
groups to allow specific access.  I have considered this best practice.  I now 
have two coworkers that insist on adding user objects rather than security 
groups directly to the file shares as well as specific folders under the file 
share.  

Other than a maintenance nightmare, is there really any reason for using 
security groups over user objects?  Does it create more CPU overhead for 
example?

Thanks in Advance!
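
The two maintenance problems raised in this thread (finding every permission granted directly to a departing user such as Carl, and the leftover SIDs once a user object is deleted) can be audited with a script like the following. This is an added example, not code from any poster in the thread; the function name, the share path and the account name are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: list explicit (non-inherited) ACEs under a share root that are
# either granted directly to named accounts or left behind as unresolved SIDs.
# Get-DirectAce, D:\Shares\Finance and CONTOSO\carl are hypothetical names.
function Get-DirectAce {
    param(
        [Parameter(Mandatory)] [string] $Root,   # top folder of the share
        [string[]] $Account = @()                # accounts to look for, DOMAIN\name
    )

    # Audit the root folder itself plus every subfolder.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($folder.FullName)"
            continue
        }

        foreach ($ace in $acl.Access) {
            # Inherited ACEs are fixed at the parent, so report explicit ones only.
            if ($ace.IsInherited) { continue }

            $id = $ace.IdentityReference.Value
            # A deleted account no longer resolves to a name, so its ACE shows
            # up as the raw domain SID string (S-1-5-21-...).
            $reason = if ($id -match '^S-1-5-21-') { 'OrphanedSid' }
                      elseif ($Account -contains $id) { 'DirectUser' }
                      else { $null }

            if ($reason) {
                [pscustomobject]@{
                    Path     = $folder.FullName
                    Identity = $id
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                    Reason   = $reason
                }
            }
        }
    }
}

# Example call (constructed values):
# Get-DirectAce -Root 'D:\Shares\Finance' -Account 'CONTOSO\carl' | Format-Table -AutoSize
```

Every row it returns is an ACE that would have to be edited by hand during a handover or cleanup; with group-based permissions the result should be empty and the handover is a group membership change.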