On Thu, Feb 9, 2012 at 10:04 AM, David Lum <david....@nwea.org> wrote:
> 2. Groups for this should be Domain Local and no other kind

Why? Specifically, why "no other kind"?

> 3. In the description in AD, be explicit about where that group has
> access to – at any time someone should be able to look at the description and
> know exactly what that group does/has access to.

I do the same, and make a nuisance of myself to my fellow network admins to do the same. Now we all put the share location in the description, at the very least.

(Me, I document user changes - such as adding to/changing group memberships, etc - in the "Notes" field of the "Telephone" tab (we don't use that tab for anything else). Sort of a poor man's audit trail. I still can't get the other guys to do that, tho ...)

> Most Pre-Lum era groups had blank fields and others simply had “For access
> to files” and they seemed to understand once I showed them, as I heard more
> than one “Aaahhh..”

I know that one; that's why we now document all new groups with share locations in the descriptions, at the very least.
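An audit of the conventions discussed in this thread (a description that names the share location, and optionally the Domain Local rule from the quoted item 2), added here as an example and not posted by anyone in the thread. The function name `Test-GroupDocumentation`, the group names and the UNC path are hypothetical, and the sample objects are constructed.

```powershell
# Added example: audit group descriptions against the conventions in this thread.
function Test-GroupDocumentation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group,
        # Quoted item 2: flag any group whose scope is not Domain Local.
        [switch]$RequireDomainLocal
    )
    begin {
        # A UNC share path such as \\server\share somewhere in the description.
        $uncPattern = '\\\\[^\\\s]+\\[^\\\s]+'
    }
    process {
        $issues = @()
        $desc = [string]$Group.Description
        if ([string]::IsNullOrWhiteSpace($desc)) {
            $issues += 'Description is blank'
        }
        elseif ($desc -notmatch $uncPattern) {
            $issues += 'Description names no share location'
        }
        if ($RequireDomainLocal -and "$($Group.GroupScope)" -ne 'DomainLocal') {
            $issues += "Scope is $($Group.GroupScope), not DomainLocal"
        }
        [pscustomobject]@{
            Name        = $Group.Name
            GroupScope  = $Group.GroupScope
            Description = $desc
            Issues      = $issues -join '; '
            Compliant   = ($issues.Count -eq 0)
        }
    }
}

# Constructed sample objects using the property names Get-ADGroup returns.
$sample = @(
    [pscustomobject]@{ Name = 'FS-Finance-RW'; GroupScope = 'DomainLocal'; Description = 'Modify on \\fs01\Finance' }
    [pscustomobject]@{ Name = 'FS-HR-RO';      GroupScope = 'Global';      Description = 'For access to files' }
    [pscustomobject]@{ Name = 'FS-Legacy';     GroupScope = 'DomainLocal'; Description = $null }
)
$sample | Test-GroupDocumentation -RequireDomainLocal |
    Where-Object { -not $_.Compliant } |
    Format-Table Name, GroupScope, Issues -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADGroup -Filter * -Properties Description | Test-GroupDocumentation -RequireDomainLocal
```

Omit `-RequireDomainLocal` to check descriptions only, leaving group scope out of the report's pass/fail decision.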