This sounds like what I needed. I'm like you: I don't keep up with the small
stuff and keep things as simple as possible.

Here it sounds like it's not only wasted CPU, but it stores more in RAM
(more SIDs).  On a server that is already experiencing some resource issues,
we need to cut corners everywhere we can!

That on top of the other reply, which results in the horrid SID issue when a
user object is deleted, which is the more obvious problem but can easily be
dismissed in circumstances where there is little turnover.

Thanks again!



On Wed, Apr 1, 2009 at 8:50 AM, Michael B. Smith
<mich...@owa.smithcons.com> wrote:

>   I agree with you - use groups.
>
> Your security token is built when you log on to a workstation and once each
> 10 hours after that (with a bit of randomness thrown in - I'm sure Ken can
> tell us how Kerberos does that - I don't keep up with those details). :-)
>
> That includes the groups of which you are a member (their SIDs) and your
> account SID.
>
> Using groups allows you to actually reduce the processing overhead by
> reducing the number of SIDs which must be compared to determine whether a
> particular process/user/etc. can gain access.
>
> Regards,
>
> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
> My blog: http://TheEssentialExchange.com/blogs/michael
> Monitoring Exchange w/OpsMgr now available http://snurl.com/45ppf
>
>  ------------------------------
> *From:* Stephen Wimberly [riverside...@gmail.com]
> *Sent:* Wednesday, April 01, 2009 7:32 AM
> *To:* NT System Admin Issues
> *Subject:* File Server Security; Best Practice.
>
>  I have two file servers, each Windows 2003 R2, and use DFS replication to
> keep the DFS shares in sync... I have a Windows Server 2003 R2 domain in a
> single domain forest, if that matters.
>
> I have always shared folders to a group and maintained the members of those
> groups to allow specific access.  I have considered this best practice.  I
> now have two coworkers that insist on adding user objects rather than
> security groups directly to the file shares as well as specific folders
> under the file share.
>
> Other than a maintenance nightmare, is there really any reason for using
> security groups over user objects?  Does it create more CPU overhead for
> example?
>
> Thanks in Advance!
>
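
The two points raised in this thread (how many SIDs are compared on an access check, and the orphaned SID left behind when a user object is deleted) can be seen in a small model. This is an added example, not code from any participant in the thread; it is a simplified walk over an SDDL DACL, not Windows' own access-check implementation, and the domain SID, RIDs and token contents are constructed.

```python
import re

# Constructed sample data: a made-up domain SID, five user RIDs, one group RID.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
USERS = [f"{DOMAIN}-{rid}" for rid in range(1101, 1106)]
GROUP = f"{DOMAIN}-2001"
WELL_KNOWN = ["S-1-1-0", "S-1-5-11"]  # Everyone, Authenticated Users

# The same folder secured two ways, as SDDL DACLs (0x1301bf = Modify).
PER_USER_DACL = "D:" + "".join(f"(A;OICI;0x1301bf;;;{u})" for u in USERS)
GROUP_DACL = f"D:(A;OICI;0x1301bf;;;{GROUP})"

ACE_RE = re.compile(r"\((A|D);[^;]*;(0x[0-9a-fA-F]+);[^;]*;[^;]*;(S-[\d-]+)\)")

def parse_dacl(sddl):
    """Return [(ace_type, access_mask, sid), ...] for allow/deny ACEs."""
    return [(t, int(mask, 16), sid) for t, mask, sid in ACE_RE.findall(sddl)]

def access_check(aces, token_sids, desired=0x1):
    """Simplified DACL walk: returns (granted, number of SID comparisons)."""
    remaining, comparisons = desired, 0
    for ace_type, mask, sid in aces:
        comparisons += len(token_sids)  # naive: ACE SID against each token SID
        if sid not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False, comparisons
        if ace_type == "A":
            remaining &= ~mask
            if remaining == 0:
                return True, comparisons
    return False, comparisons

def orphaned_sids(aces, directory):
    """SIDs on the ACL that no longer resolve to a directory object."""
    return [sid for _, _, sid in aces if sid not in directory]

def compare(user_index=4, deleted_index=2):
    """Check read access for one user and list orphans after one deletion."""
    user = USERS[user_index]
    directory = (set(USERS) - {USERS[deleted_index]}) | {GROUP}
    per_user, by_group = parse_dacl(PER_USER_DACL), parse_dacl(GROUP_DACL)
    return {
        "per_user": access_check(per_user, [user] + WELL_KNOWN),
        "by_group": access_check(by_group, [user, GROUP] + WELL_KNOWN),
        "per_user_orphans": orphaned_sids(per_user, directory),
        "by_group_orphans": orphaned_sids(by_group, directory),
    }
```

In this model the group-based token carries one more SID, but the DACL shrinks from five ACEs to one, and deleting a user leaves an unresolvable SID only on the per-user ACL.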
