That makes sense! But do it anyway <grin> (Hello John!)

On Tue, Oct 13, 2009 at 10:17 AM, David Lum <david....@nwea.org> wrote:

> Amen on the self-documenting names! My ACL group names follow whatever
> they have access to: SERVER1-SHARE7, etc. That way if I have a department
> group and I look at its “member of” tab I can see exactly where they have
> access to.
>
> *David Lum* // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
> *From:* Erik Goldoff [mailto:egold...@gmail.com]
> *Sent:* Tuesday, October 13, 2009 6:28 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Sanity check - AD groups
>
> agreed with most replies ...
>
> as long as you don't create too many individual groups ( so many as to be
> insane to manage ) I think you're always better off with discrete, granular
> groups ( ideally with self-documenting names too ) so as not to over-permit
> beyond what is needed ... back to the principle of 'least privileged'
>
> On Tue, Oct 13, 2009 at 8:48 AM, David Lum <david....@nwea.org> wrote:
>
> I am going through file/folder permissions and our security groups in AD –
> I imagine some of you guys have hundreds of security groups? For a given
> share I have a security group associated (with RWXD perms) with it, and if
> some folks need read-only I create another group. I also have groups for
> each department and they become members of whatever security group is
> associated with access to whatever shares they need. I do the same for
> non-shared folders that also need specific permissions.
>
> *David Lum* // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
