That's the best way to do it - the old classic AGLP model - but at the moment I don't have time to maintain the local groups on the member servers, unfortunately. More staff required :-(
The best thing about the "one-group" model I find is that I can see all of a user's privileges just by looking at the "Member Of" tab in ADUC. I can see their drive mappings, internet access level, deployed applications, available printers, Citrix apps, DL memberships and lots of other stuff without having to dig at all.

2009/10/13 Charlie Kaiser <[email protected]>

> At my last gig with lots of file servers/shares/groups my redesign incorporated two local groups; one full, one RO that had rights to the resource. All the AD groups went into those local groups as needed. Never had to re-acl the resource that way...
>
> We had three structures for groups; one was location-based, the other was departmental, the third was role-based. That worked out nicely for us and facilitated cross-location and/or cross functional teams.
>
> Our philosophy was that any complexity or difficulty of management should be borne by IT and make it easier for the business units to function seamlessly. So if we had almost as many groups as users it was OK because it allowed the business to function well and after all, it was IT's job to facilitate business. After a merger we had a royal battle because the big fish company didn't like lots of groups. No good reason, just didn't like having lots of groups. Idiots. Brought business to a crawl for a while. When the business was spun off again, we went back to our old model and things smoothed out.
>
> ***********************
> Charlie Kaiser
> [email protected]
> Kingman, AZ
> ***********************
>
> > -----Original Message-----
> > From: David Lum [mailto:[email protected]]
> > Sent: Tuesday, October 13, 2009 5:49 AM
> > To: NT System Admin Issues
> > Subject: Sanity check - AD groups
> >
> > I am going through file/folder permissions and our security groups in AD - I imagine some of you guys have hundreds of security groups?
> >
> > For a given share I have a security group associated (with RWXD perms) with it, and if some folks need read-only I create another group. I also have groups for each department and they become members of whatever security group is associated with access to whatever shares they need. I do the same for non-shared folders that also need specific permissions.
> >
> > David Lum // SYSTEMS ENGINEER
> > NORTHWEST EVALUATION ASSOCIATION
> > (Desk) 971.222.1025 // (Cell) 503.267.9764
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
http://raythestray.blogspot.com
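The trade-off the thread is circling is visible in a small model. The following is an added example, not code from anyone on the list: it builds a constructed directory in the shape Charlie describes (users in department or role groups, those AD groups nested into one "Full" and one "RO" local group per share, only the two local groups on the ACL) and resolves what each user can actually do on the share. The group, user and share names are invented for the example. It shows both halves of the discussion: with nesting, the "Member Of" tab no longer tells you a user's rights, so an auditor has to walk the nesting (cycle-safe, since AD allows circular group membership), while granting a new team access becomes a group-membership change that never touches the ACL.

```python
"""Effective share access through AGLP-style nested groups (constructed data)."""
from collections import deque

# Constructed sample directory: group -> direct members (users or other groups).
# Names are invented; the layout mirrors the thread's design.
MEMBERS = {
    "GG-Finance": {"alice", "bob"},
    "GG-Finance-Managers": {"carol"},
    "GG-Phoenix-Office": {"alice", "dave"},
    "GG-AuditTeam": {"GG-Finance-Managers", "erin"},
    # Per-resource local groups on the file server (the "L" in AGLP).
    "FS1-Finance-Full": {"GG-Finance-Managers"},
    "FS1-Finance-RO": {"GG-Finance", "GG-AuditTeam"},
}

# The share ACL references only the two local groups, so the ACL never changes
# when access is granted or revoked; only group membership does.
SHARE_ACL = {
    r"\\FS1\Finance": {"FS1-Finance-Full": "Full", "FS1-Finance-RO": "Read"},
}

RANK = {"Full": 2, "Read": 1}  # higher wins when a user reaches both local groups


def direct_groups(principal):
    """What the ADUC 'Member Of' tab shows: direct memberships only."""
    return {g for g, members in MEMBERS.items() if principal in members}


def transitive_groups(principal):
    """Every group the principal belongs to through any depth of nesting.

    Returns {group: path}, where path lists the hops from the principal up to
    that group. The visited check (a group already in `paths`) stops circular
    nesting from looping forever.
    """
    paths = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for parent in direct_groups(node):
            if parent in paths:
                continue
            paths[parent] = path + [parent]
            queue.append((parent, paths[parent]))
    return paths


def effective_access(user, share):
    """Highest right the user holds on the share and the nesting path granting it,
    or None if no path reaches a group on the ACL."""
    acl = SHARE_ACL.get(share, {})
    best = None
    for group, path in transitive_groups(user).items():
        right = acl.get(group)
        if right and (best is None or RANK[right] > RANK[best[0]]):
            best = (right, path)
    return best


def share_report(share):
    """{user: right} for every user with any access to the share."""
    users = {m for members in MEMBERS.values() for m in members if m not in MEMBERS}
    report = {}
    for user in sorted(users):
        access = effective_access(user, share)
        if access:
            report[user] = access[0]
    return report


def grant(ad_group, share, right):
    """Grant access the AGLP way: nest the AD group into the share's local group
    for that right. Returns the local group touched; the ACL is left alone."""
    local = [g for g, r in SHARE_ACL[share].items() if r == right]
    if not local:
        raise ValueError(f"{share} has no local group for {right}")
    MEMBERS[local[0]].add(ad_group)
    return local[0]


if __name__ == "__main__":
    share = r"\\FS1\Finance"
    for user in share_report(share):
        right, path = effective_access(user, share)
        print(f"{user:6} {right:5} via {' -> '.join(path)}")
    # carol's Member Of tab shows only GG-Finance-Managers, not the Full group.
    print("carol, direct:", sorted(direct_groups("carol")))
    print("granted via", grant("GG-Phoenix-Office", share, "Read"))
    print("dave now:", effective_access("dave", share)[0])
```

Running it prints one line per user with the path that grants the right, which is exactly the digging the "one-group" model avoids; the `grant` call at the end is the other side of the coin, adding a whole office to the share with no ACL change. The same walk is what you would do against a real domain with `Get-ADPrincipalGroupMembership` and the server's local groups before trusting a "Member Of" tab under a nested design.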
