Somehow I avoided answering your question the first time...

Going global role-based group and local task-based group is pretty standard in larger environments.

You create the global group to hold users and the local group to hold users.  The purpose for this is so that you can nest multiple role-based groups into your task-based group and quickly modify the task-based group and have it apply across the share/resource.

The only problem with this model is being careful how you quantify when a new task-based group is needed.  Be careful not to create a new task-based group (and similarly named role-based group for that task-based group) for everything under the sun or you'll find your users quickly becoming members through nesting of 100+ groups and finding your Exchange servers running out of paged pool memory space.

There are plenty of articles on Microsoft's site about Exchange and paged pool memory; you can also look at the Exchange Team Blog site (msexchangeteam.com I think).




On 7/26/06, Wyatt, David <[EMAIL PROTECTED]> wrote:
I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain.  I have read the best practices about putting users into global groups then put the global groups into local groups then permission the resource with the local group.  But:
 
1.  Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder?  Is this excessive?  I have read something about performance or avoiding limits by using the server local group when the access token is created.
 
2.  What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource.  We only have a single forest/domain.
 
I am also aware of Universal groups but let's put these to one side.....for the moment..;-)
 
 
Thanks
David

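The nesting model and the group-sprawl risk discussed in this thread, as an added example that is not part of the original messages: it resolves each user's effective (direct plus nested) group set, shows which users reach a resource through a task-based group, and flags users whose total group count passes a threshold. All group, user and resource names are constructed, and the default threshold of 100 is only the "100+ groups" figure from the reply used as an audit trigger, not a Windows or Exchange limit.

```python
from collections import deque

# Constructed sample data. Maps a principal (user or group) to the groups
# it is a DIRECT member of: users -> role-based (global) groups,
# role-based groups -> task-based (local) groups.
MEMBER_OF = {
    "alice": ["GG-Finance-Analysts"],
    "bob": ["GG-Finance-Managers", "GG-HR-Staff"],
    "GG-Finance-Analysts": ["DL-FinShare-Read"],
    "GG-Finance-Managers": ["DL-FinShare-Read", "DL-FinShare-Modify"],
    "GG-HR-Staff": ["DL-HRShare-Modify"],
}
# Resources are permissioned only with task-based groups (constructed names).
ACL = {
    "FinanceShare": ["DL-FinShare-Read", "DL-FinShare-Modify"],
    "HRShare": ["DL-HRShare-Modify"],
}


def effective_groups(principal, member_of):
    """Every group the principal belongs to, directly or through nesting."""
    seen, queue = set(), deque(member_of.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:  # already expanded; also stops circular nesting
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def users_with_access(resource, users, member_of, acl):
    """Users who reach any group on the resource's ACL via nesting."""
    granted = set(acl[resource])
    return sorted(u for u in users if effective_groups(u, member_of) & granted)


def over_limit(users, member_of, limit=100):
    """Map of user -> effective group count for users above the limit."""
    flagged = {}
    for user in users:
        count = len(effective_groups(user, member_of))
        if count > limit:
            flagged[user] = count
    return flagged


if __name__ == "__main__":
    print(users_with_access("FinanceShare", ["alice", "bob"], MEMBER_OF, ACL))
    print(over_limit(["alice", "bob"], MEMBER_OF, limit=3))
```

Run against an export of real group memberships, the same count shows how quickly a one-role-group-per-task-group habit doubles every user's group total.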

