Server 2003 and 2008 Groups within Groups

staggerlee

Hi all, looking for some real world experience on best practises i guess..

Sorting file permissions out, if 5 departments all with 10+ users need access to a said folder. do you

a: create a new group and add all 50+ individual users.

b: create a new group add each department group into this group


I would say that B is by far the simplist and easist to maintain, but we are getting problems doing it with a lot of random things kicking off because of it. Is it a nono?

Thanks for any input.

S

blargoe

My thoughts on this are that either solution is perfectly fine; but on the whole be sure that the way you implement this is standard across the board. Meaning if you're going to do it by adding the individual users to the group, do it that way on the rest of your folder groups... be consistent.

At my company, many of our folders are shared across departments so the departmental "global group" inside of the folder "local group" doesn't work for us.

Here are a couple of other things that I enforce with my folders and security groups -

- All of my NTFS security is defined at the top level of a folder on a shared drive. I don't go several layers deep and add/remove security to folders and files. If they have things in a folder that need to either be secured further or opened up to other people, they get a separate top level folder. Makes it easier for lower level admins (to whom I do not grant permissions to modify security on folders) to give the correct access to folders - they can just go to Active Directory and add the person to the correct group. Makes it easier for me to not have to chase after security that is not set up correctly 7 layers down.

- At the root of the shared drive, no one other than Administrators is allowed to create files and folders. They have to use the folder structure that is already defined or request new folders to be set up.

- Every folder actually gets two groups applied to the ACL - one for read-only permission and one for Read/Write/Modify permission, whether the user requests it to be set up that way or not. I get requests to give someone read-only after the fact at a rate of about 30%. So I just keep it consistent and create groups for both.

- NO ONE gets full control except for Administrators.

staggerlee

Hi blargoe,

Thanks for the reply. Lot of good sensible ideas there

For user access to folders do you use mapped drives or point everyone to one folder then use something like access-based enumeration? i asked this question recently and it seems most people don't use mapped drives (which how we do it and its a mess to say the least)

Thanks for the reply

S

blargoe

Currently I'm using mapped drives, but I just have three drives, one for our Sales and Marketing organization, one for our Distribution Center, and one for the the rest of the the staff. Everyone gets mapped to every drive (which makes login scripting much easier), but Access Based Enumeration is used to hide the folders that they don't need to see on each drive.

I'm simplifying our configuration a little bit but this is the approach I like to take.

Devilsbane

Option B does seem like a better practice, but both will do it for you. Just me consistent to avoid future headaches.