Amen on the self-documenting names! My ACL group names follow whatever they 
have access to: SERVER1-SHARE7, etc. That way if I have a department group and 
I look at its "member of" tab I can see exactly where they have access to.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
From: Erik Goldoff [mailto:[email protected]]
Sent: Tuesday, October 13, 2009 6:28 AM
To: NT System Admin Issues
Subject: Re: Sanity check - AD groups

agreed with most replies ...

as long as you don't create too many individual groups ( so many as to be 
insane to manage ) I think you're always better off with discrete, granular 
groups ( ideally with self-documenting names too ) so as not to over-permit 
beyond what is needed ... back to the principle of 'least privileged'
On Tue, Oct 13, 2009 at 8:48 AM, David Lum <[email protected]> wrote:
I am going through file/folder permissions and our security groups in AD - I 
imagine some of you guys have hundreds of security groups? For a given share I 
have a security group associated (with RWXD perms) with it, and if some folks 
need read-only I create another group. I also have groups for each department 
and they become members of whatever security group is associated with access to 
whatever shares they need. I do the same for non-shared folders that also need 
specific permissions.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
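
The following is an added example, not code from anyone in this thread: it reads a department group's "member of" list the way the thread describes and turns self-documenting names into an access report, flagging any group whose name does not say what it grants. The `-RO` suffix for the read-only groups, the function name `Get-AccessFromGroupName`, and the sample group names are assumptions made for illustration.

```powershell
# Constructed sample: names as they would appear on a department group's
# "Member Of" tab. In a live domain the same kind of list comes from
#   (Get-ADPrincipalGroupMembership -Identity '<department group>').Name
# (ActiveDirectory module).
$memberOf = @(
    'SERVER1-SHARE7',        # read/write group for \\SERVER1\SHARE7
    'SERVER1-SHARE9-RO',     # read-only group (the -RO suffix is an assumed convention)
    'SERVER2-HR-RO',
    'Finance Temp Access'    # does not follow the convention
)

# Assumed convention: <SERVER>-<SHARE> grants RWXD, <SERVER>-<SHARE>-RO grants read-only.
$pattern = '^(?<Server>[A-Za-z0-9]+)-(?<Share>[A-Za-z0-9]+)(?<ReadOnly>-RO)?$'

function Get-AccessFromGroupName {
    param([string[]]$GroupName)

    foreach ($name in $GroupName) {
        if ($name -match $pattern) {
            # The name alone tells us which share and which level of access.
            [pscustomobject]@{
                Group    = $name
                Path     = "\\$($Matches.Server)\$($Matches.Share)"
                Access   = if ($Matches.ReadOnly) { 'Read-only' } else { 'RWXD' }
                Conforms = $true
            }
        }
        else {
            # A name that documents nothing has to be traced back to its ACLs by hand.
            [pscustomobject]@{
                Group    = $name
                Path     = $null
                Access   = 'Unknown - review ACLs'
                Conforms = $false
            }
        }
    }
}

$report = Get-AccessFromGroupName -GroupName $memberOf
$report | Format-Table -AutoSize

# Groups to rename or investigate during a least-privilege review.
$report | Where-Object { -not $_.Conforms } | Select-Object -ExpandProperty Group
```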