Server 2003 and 2008 Groups within Groups

Hi all, looking for some real world experience on best practices I guess.
Sorting file permissions out, if 5 departments all with 10+ users need access to a said folder. Do you
a: create a new group and add all 50+ individual users.
b: create a new group, add each department group into this group
I would say that B is by far the simplest and easiest to maintain, but we are getting problems doing it with a lot of random things kicking off because of it. Is it a no-no?
Thanks for any input.
S
Comments
At my company, many of our folders are shared across departments so the departmental "global group" inside of the folder "local group" doesn't work for us.
Here are a couple of other things that I enforce with my folders and security groups -
- All of my NTFS security is defined at the top level of a folder on a shared drive. I don't go several layers deep and add/remove security to folders and files. If they have things in a folder that need to either be secured further or opened up to other people, they get a separate top level folder. Makes it easier for lower level admins (to whom I do not grant permissions to modify security on folders) to give the correct access to folders - they can just go to Active Directory and add the person to the correct group. Makes it easier for me to not have to chase after security that is not set up correctly 7 layers down.
- At the root of the shared drive, no one other than Administrators is allowed to create files and folders. They have to use the folder structure that is already defined or request new folders to be set up.
- Every folder actually gets two groups applied to the ACL - one for read-only permission and one for Read/Write/Modify permission, whether the user requests it to be set up that way or not. I get requests to give someone read-only after the fact at a rate of about 30%. So I just keep it consistent and create groups for both.
- NO ONE gets full control except for Administrators.
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
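The per-folder layout described in the reply above (one read-only group and one modify group on each top-level folder, Full Control for Administrators only, no security set deeper down), with the department groups nested as in option b of the question. This is an added example, not a script from the thread; the domain, OU, path and group names are constructed placeholders, and it assumes a management host with the ActiveDirectory PowerShell module.

```powershell
# Added example: every name, path and OU below is a constructed placeholder.
Import-Module ActiveDirectory    # assumption: RSAT AD module is installed

$ShareRoot  = 'D:\Shared'                           # hypothetical share root
$Folder     = 'Finance-Projects'                    # hypothetical top-level folder
$GroupOU    = 'OU=FolderGroups,DC=example,DC=com'   # hypothetical OU for folder groups
$Domain     = 'EXAMPLE'                             # hypothetical NetBIOS domain name
$DeptGroups = @('GG-Finance', 'GG-Sales')           # hypothetical existing department global groups

$path = Join-Path $ShareRoot $Folder
New-Item -Path $path -ItemType Directory -Force | Out-Null

# One read-only and one modify group per top-level folder, always both.
$ro = "DL-$Folder-RO"
$rw = "DL-$Folder-RW"
foreach ($g in $ro, $rw) {
    New-ADGroup -Name $g -SamAccountName $g -GroupScope DomainLocal `
                -GroupCategory Security -Path $GroupOU
}

# Option b from the question: nest department groups instead of adding users one by one.
Add-ADGroupMember -Identity $rw -Members $DeptGroups

# Start from the folder's current ACL, stop inheriting from the share root,
# and drop any explicit entries so only the three rules below remain.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, do not copy inherited ACEs
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

# Rules apply to this folder, subfolders and files, so nothing is set further down.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    @('BUILTIN\Administrators', 'FullControl'),    # only Administrators get Full Control
    @("$Domain\$ro",            'ReadAndExecute'),
    @("$Domain\$rw",            'Modify')
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, $prop, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Review the result: expect exactly three explicit, non-inherited entries.
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
```

SYSTEM is left off the ACL because the reply names only Administrators for Full Control; add it if backup or antivirus agents on the file server run as SYSTEM. If `Set-Acl` reports that an identity could not be mapped, the new groups have not yet replicated to the domain controller the file server is using.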
Thanks for the reply. Lot of good sensible ideas there
For user access to folders do you use mapped drives or point everyone to one folder then use something like access-based enumeration? I asked this question recently and it seems most people don't use mapped drives (which is how we do it and it's a mess to say the least).
Thanks for the reply
S
I'm simplifying our configuration a little bit but this is the approach I like to take.