At my last gig with lots of file servers/shares/groups my redesign incorporated two local groups; one full, one RO that had rights to the resource. All the AD groups went into those local groups as needed. Never had to re-acl the resource that way...

We had three structures for groups; one was location-based, the other was departmental, the third was role-based. That worked out nicely for us and facilitated cross-location and/or cross-functional teams. Our philosophy was that any complexity or difficulty of management should be borne by IT and make it easier for the business units to function seamlessly. So if we had almost as many groups as users it was OK because it allowed the business to function well and after all, it was IT's job to facilitate business.

After a merger we had a royal battle because the big fish company didn't like lots of groups. No good reason, just didn't like having lots of groups. Idiots. Brought business to a crawl for a while. When the business was spun off again, we went back to our old model and things smoothed out.

***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************

> -----Original Message-----
> From: David Lum [mailto:[email protected]]
> Sent: Tuesday, October 13, 2009 5:49 AM
> To: NT System Admin Issues
> Subject: Sanity check - AD groups
>
> I am going through file/folder permissions and our security groups in AD - I imagine some of you guys have hundreds of security groups? For a given share I have a security group associated (with RWXD perms) with it, and if some folks need read-only I create another group. I also have groups for each department and they become members of whatever security group is associated with access to whatever shares they need. I do the same for non-shared folders that also need specific permissions.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
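
The two-local-group layout described in the reply above, as an added PowerShell example that is not part of the original thread. The share path, group names and the CONTOSO domain are placeholders, and mapping the "full" group to Modify (the RWXD set from the quoted message) is an assumption. The last step reports any explicit ACL entry that bypasses the two local groups.

```powershell
# Added example; all names below are hypothetical placeholders.
# Run elevated on the file server (Windows PowerShell 5.1+, LocalAccounts module).
$Path      = 'D:\Shares\Finance'
$FullGroup = 'Finance-Share-Full'   # local group, read/write
$ROGroup   = 'Finance-Share-RO'     # local group, read-only
# Assumption: "full" = Modify (RWXD). FullControl would also let members edit the ACL.
$Rights = @{ $FullGroup = 'Modify'; $ROGroup = 'ReadAndExecute' }

# 1. Create the two local groups for this resource if they do not exist yet.
foreach ($name in $Rights.Keys) {
    if (-not (Get-LocalGroup -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $name -Description "Access to $Path" | Out-Null
    }
}

# 2. ACL the resource to the local groups. This is the only time the ACL is touched.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$acl = Get-Acl -Path $Path
foreach ($name in $Rights.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:COMPUTERNAME\$name", $Rights[$name], $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# 3. Day-to-day access changes are group nesting only, never ACL edits.
$Nesting = @{
    $FullGroup = @('CONTOSO\Dept-Finance')                  # departmental AD group
    $ROGroup   = @('CONTOSO\Role-Auditors', 'CONTOSO\Loc-Phoenix')
}
foreach ($name in $Nesting.Keys) {
    foreach ($member in $Nesting[$name]) {
        if (-not (Get-LocalGroupMember -Group $name -Member $member -ErrorAction SilentlyContinue)) {
            Add-LocalGroupMember -Group $name -Member $member
        }
    }
}

# 4. Drift check: explicit (non-inherited) entries that are not one of the two
#    local groups mean someone ACL'd a user or AD group directly on the resource.
$expected = $Rights.Keys | ForEach-Object { "$env:COMPUTERNAME\$_" }
(Get-Acl -Path $Path).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notin $expected } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```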
