For NTFS groups my standard is domain local. Universal is used when we need to nest groups and also for Exchange objects. The other one is for legacy compatibility IMO and not used.

"(me, I document user changes - such as adding to/changing group memberships, etc - in the "Notes" field of the "Telephone" tab (we don't use that tab for anything else). Sort of a poor man's audit trail. I still can't get the other guys to do that, tho ...)"

Hey I do that too! In the notes I put the associated HelpDesk ticket number (if applicable) as well.

Dave

-----Original Message-----
From: Michael Leone [mailto:oozerd...@gmail.com]
Sent: Thursday, February 09, 2012 8:21 AM
To: NT System Admin Issues
Subject: Re: Who in your org creates server shares?

On Thu, Feb 9, 2012 at 10:04 AM, David Lum <david....@nwea.org> wrote:

> 2. Groups for this should be Domain Local and no other kind

Why? Specifically, why "no other kind"?

> 3. In the description in AD, be explicit about where that group
> has access to - at any time someone should be able to look at the
> description and know exactly what that group does/has access to.

I do the same, and make a nuisance of myself to my fellow network admins to do the same. Now we all put the share location in the description, at the very least.

(me, I document user changes - such as adding to/changing group memberships, etc - in the "Notes" field of the "Telephone" tab (we don't use that tab for anything else). Sort of a poor man's audit trail. I still can't get the other guys to do that, tho ...)

> Most Pre-Lum era groups had blank fields and others simply had "For
> access to files" and they seemed to understand once I showed them, as
> I heard more than one "Aaahhh.."

I know that one; that's why we now document all new groups with share locations in the descriptions, at the very least.