That's why I name my groups descriptively.

If the group is for read-only access by US staff to the HR directory
in the departments share on the home file server, I name it as
US-HomeDepartmentsHR-RO

If the group is for read-write access by the UK staff to a SQL
database named CustomerProfiles in the machine named CRM01, the name
will be UK-CRM01SQLCustomerProfiles-RW

Does this generate a lot of groups? Likely yes, depending on the
environment. But if the resource needs specific rights granted, then a
specific group is needed.

The good thing about this is that you can then populate those
descriptive groups with the base groups for departments or workgroups,
and when someone moves to a new position, you remove them from their
no longer relevant groups, and add them to the newly relevant groups.
So, for instance, when Ralph in accounting moves from AP to AR, you
remove him from the AP group and add him to the AR group, and he
automatically inherits all of the permissions needed, while losing the
permissions that no longer apply. This also applies to
cross-functional groups, which can be viewed as sort of
meta-departments.


Kurt

On Thu, Sep 27, 2012 at 7:45 AM, David Lum <david....@nwea.org> wrote:
> BTW, I know *EXACTLY* How you feel. We have a lot of groups created before I 
> was here and the description says simply "for access to files".
>
> Along the same lines, how do folks here go about auditing security groups and 
> knowing if they are still valid or if the members list is still appropriate? 
> As in, how do you track/audit if the appropriate group memberships were 
> changed when Jill moved from sales to accounting?
>
> -----Original Message-----
> From: Michael Leone [mailto:oozerd...@gmail.com]
> Sent: Thursday, September 27, 2012 7:27 AM
> To: NT System Admin Issues
> Subject: Listing all groups / finding a group on shared folders security
>
> I have this problem. I have an AD group that has just a name and no 
> description, no notes, no nothing. (it was apparently created like 7 years 
> ago). I don't know what it does, or what it is used for. I
> *suspect* that it's used to control ACLs to a share, but I don't know that 
> for sure. And it occurred to me that I don't know how to find out what share 
> it might be providing security for.
>
> I guess what I am asking is: how can I go through all the folders on a file 
> server, and list out the user and group names on the security of the folders 
> (or shares, I suppose)? Is there a utility that does that?
> A script I would have to run against the whole folder structure?
> Ideally, tell it the group name I'm looking for, and have it come back and 
> say "\\this-server\that-folder"? I'm looking for a free utility, BTW - I know 
> there are a lot of security programs for purchase that can tell me this, and 
> in fact we will be looking at one in a few weeks. But even if we purchased 
> such software, it would be a while to implement, etc. And I'd like to answer 
> at least this one request now.
>
> This is why I harp on about using the description and notes fields in AD, 
> both for users and groups ... it makes my life a lot easier when someone asks 
> me for a list like this ....
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
>
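
For the question quoted above (which folders on a file server have a given group in their security settings), here is an added example that is not part of the original thread. The function name Find-GroupAcl, the path \\fileserver\departments and the group name MysteryGroup are placeholders chosen for illustration; it assumes PowerShell 3.0 or later.

```powershell
# Added example: list every folder whose NTFS ACL names a given group.
# Find-GroupAcl, $Root and $Group are hypothetical names; substitute your own values.
function Find-GroupAcl {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Group,
        [switch] $IncludeInherited   # by default only explicit ACEs are reported
    )

    # Start with the root folder itself, then walk every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # Report folders the auditing account cannot read instead of skipping them silently.
            Write-Warning "Cannot read ACL: $($folder.FullName)"
            continue
        }

        foreach ($ace in $acl.Access) {
            # Inherited ACEs repeat the parent's entry on every child; skip them unless asked.
            if (-not $IncludeInherited -and $ace.IsInherited) { continue }

            # IdentityReference is normally DOMAIN\Name; compare on the name part only.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($name -eq $Group) {
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Example run against a placeholder share and group name.
Find-GroupAcl -Root '\\fileserver\departments' -Group 'MysteryGroup' |
    Format-Table -AutoSize
```

This reads NTFS folder ACLs only; share-level permissions are stored separately and are not covered by Get-Acl on the folder.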
