RE: Finding unused/dead groups?
In no environment (of six that I manage) have I moved servers outright where this would be an issue; replacement file servers (quite rare, in fact) inherit the same name and new servers get new groups. Having said that, you do bring up a good point to consider going forward. Is it possible to script changing AD group names in bulk? If I had 20 group names that started SERVER1_, change them to SERVER2_? If not server names, what do you use for an AD group name used for accessing file shares?

Dave

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, August 18, 2010 3:08 PM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

On Wed, Aug 18, 2010 at 5:54 PM, David Lum <david@nwea.org> wrote:
> Not to mention our group name itself is in the form of Server_Share_RWXD

I don't like that because it means if you move servers your group names either change or become misleading. But we otherwise do something similar. Things like "QMS Doc Editors" and "QMS Doc Readers".

-- Ben
RE: Finding unused/dead groups?
For scalability you should use an Authorisation Group - Resource Group strategy. Your AGs are based on teams or departments. Your RGs are assigned to the ACLs for each resource. You put your AGs into your RGs. This makes provisioning/deprovisioning simple.

Your RGs probably shouldn't have the server name embedded. You use DFS-N, right? So the RG can be based on the share name and the type of access.

For really small environments your strategy can work, but it won't scale.

Cheers
Ken

-----Original Message-----
From: David Lum [mailto:david@nwea.org]
Sent: Monday, 30 August 2010 11:48 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

> [...]
Re: Finding unused/dead groups?
I use the DFS namespace to eliminate that issue and use descriptive names for groups.

-Jeff Steward

On Mon, Aug 30, 2010 at 11:48 AM, David Lum <david@nwea.org> wrote:
> [...]
Re: Finding unused/dead groups?
On Wed, Aug 18, 2010 at 5:54 PM, David Lum <david@nwea.org> wrote:
> Not to mention our group name itself is in the form of Server_Share_RWXD

Ben replied:
> I don't like that because it means if you move servers your group names
> either change or become misleading. But we otherwise do something similar.
> Things like "QMS Doc Editors" and "QMS Doc Readers".

Much later, on Mon, Aug 30, 2010 at 11:48 AM, David Lum <david@nwea.org> wrote:
> Having said that, you do bring up a good point to consider going forward.
> Is it possible to script changing AD group names in bulk?

I'm sure it can. I would probably use some combination of a dump of group names, a text search-and-replace, ADMOD, and/or a batch file. You can get ADMOD from http://www.joeware.net/freetools/tools/admod/. I'd bet good money that PowerShell could do it, too. (And that MBS knows how. ;-) )

> If not server names, what do you use for an AD group name used for accessing file shares?

Well, to continue my example, we have a share called QMSDocs (it's got our Quality Management System (ISO-9000/AS-9100) controlled documents in it). So we have those groups for "QMS Doc Editors" and "QMS Doc Readers". Editors can make changes, readers can, well, read, and everybody else gets nothing. Our company group that everyone is a member of is a member of "QMS Doc Readers", along with a special guest account used by auditors. Our "Senior QA Staff" group is a member of "QMS Doc Writers".

-- Ben
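A PowerShell version of the bulk rename Dave asked about, added here as an example; it is not code from the thread (ADMOD driven from a batch file would do the same job). It assumes the ActiveDirectory module from RSAT, rights to rename groups, and an OU path and prefixes that are placeholders. Two points the script is built around: NTFS ACLs store the group's SID, not its name, so a rename changes nothing about who can open what (only scripts and documentation that use the name need touching); and the CN (the object's name) and the sAMAccountName (the DOMAIN\name you see in ACLs and in `net group`) are separate attributes, so `Rename-ADObject` on its own leaves the old DOMAIN\SERVER1_... name in place.

```powershell
# Added example: bulk-rename AD groups whose sAMAccountName starts with one prefix
# so they start with another. Requires the ActiveDirectory module (RSAT). OU, domain
# and prefixes below are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory

$OldPrefix  = 'SERVER1_'
$NewPrefix  = 'SERVER2_'
$SearchBase = 'OU=FileShareGroups,DC=example,DC=com'   # assumption
$DryRun     = $true                                    # set to $false to apply
$LogFile    = 'GroupRename_{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date)

# Match on sAMAccountName: that is the name that appears in ACLs (DOMAIN\name)
# and in "net group". The CN usually matches but is tracked separately below.
$groups = Get-ADGroup -Filter "SamAccountName -like '$OldPrefix*'" -SearchBase $SearchBase -Properties DisplayName

$log = foreach ($g in $groups) {
    $newSam  = $NewPrefix + $g.SamAccountName.Substring($OldPrefix.Length)
    $newName = if ($g.Name -like "$OldPrefix*") { $NewPrefix + $g.Name.Substring($OldPrefix.Length) } else { $g.Name }

    # Refuse to rename onto an existing account name. AD would reject it anyway,
    # but an explicit skip is easier to act on than an error half-way through.
    if (Get-ADGroup -Filter "SamAccountName -eq '$newSam'" -ErrorAction SilentlyContinue) {
        Write-Warning "Skipping $($g.SamAccountName): $newSam already exists"
        continue
    }

    # Use the GUID as the identity: the DN changes the moment the RDN is renamed.
    # sAMAccountName/displayName and the RDN (CN) are different attributes and
    # need different cmdlets.
    Set-ADGroup     -Identity $g.ObjectGUID -SamAccountName $newSam -DisplayName $newName -WhatIf:$DryRun
    Rename-ADObject -Identity $g.ObjectGUID -NewName $newName -WhatIf:$DryRun

    [pscustomobject]@{
        ObjectGUID = $g.ObjectGUID
        OldSam     = $g.SamAccountName
        NewSam     = $newSam
        OldName    = $g.Name
        NewName    = $newName
    }
}

# Keep an old -> new record; swapping the columns is the rollback.
$log | Export-Csv -Path $LogFile -NoTypeInformation
$log | Format-Table -AutoSize
```

Run it once with `$DryRun = $true` and read the `-WhatIf` output against the CSV before applying. After the rename, anything that references the old name as text (logon scripts, `net use` batch files, documentation, GPO security filtering done by name) still needs a search-and-replace, which is the part ADMOD or a text editor covers.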
RE: Finding unused/dead groups?
We use a structure similar to the following:

Root
  \3a_Dept1
    \3a1_Team1
      \3a1.01_Folder1
      \3a1.02_Folder2
    \3a2_Team2
      \3a2.01_Folder1
      \3a2.02_Folder2
  \3b_Dept2
    \3b1_Team1
      \3b1.01_Folder

AD groups are 3a1.01_Read, 3a1.01_Write, etc., so users can be given different access to different areas of the FS. We also have top-level groups such as 3a2_read/_write and 3a_read/_write. Since I've been here (over 3 1/2 years) we have gone through 2 physical servers and now onto NetApps. This type of structure may not work for most orgs, though.

Regards
Tony Patton
Desktop Support Analyst - Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com

From: David Lum <david@nwea.org>
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Date: 30/08/2010 16:48
Subject: RE: Finding unused/dead groups?

> [...]
Re: Finding unused/dead groups?
+1

ASB (My XeeSM Profile: http://XeeSM.com/AndrewBaker)
Exploiting Technology for Business Advantage...

On Mon, Aug 30, 2010 at 11:56 AM, Ken Schaefer <k...@adopenstatic.com> wrote:
> [...]
Re: Finding unused/dead groups?
Link to discussion of AG/RG method: http://technet.microsoft.com/en-us/library/cc740013(WS.10).aspx

It may be helpful to preface your security group names with AG_, RG_, ACL_ to differentiate between the group types.

-Jeff Steward

On Mon, Aug 30, 2010 at 12:06 PM, Andrew S. Baker <asbz...@gmail.com> wrote:
> [...]
RE: Finding unused/dead groups?
No DFS here - they use clusters and SANs to achieve their desired redundancy.

I'm trying to wrap my head around how I would apply this at %dayjob%. For example, I have one server here for which I have 14 security groups, such as:

SERVER1-Applications
SERVER1-Applications-Planning
SERVER1-Applications-Planning-2010
SERVER1-Applications-Planning-2010-Readonly
SERVER1-Executive
SERVER1-Shared
SERVER1-Shared-Development
Etc.

What would I name the RGs? FWIW we have more than one server using the share name "Applications" (don't ask...).

Dave

From: Jeff Steward [mailto:jstew...@gmail.com]
Sent: Monday, August 30, 2010 9:15 AM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?

> [...]
Re: Finding unused/dead groups?
I'm not using DFS for redundancy or replication but for the namespace, so my shares look like \\myorg.com\Public\Apps. The advantage for me is that I don't have to change update scripts or worry about server renames; I just update the DFS to point to the share(s) as needed. I find this particularly useful so that network installs of, say, Office don't break over time. Also, separating the server name from the share gives a more consistent naming approach to network resources.

> What would I name the RG's? FWIW we have more than one server using the share name "Applications" (don't ask...).

Okay. I won't ask. Presumably there is some logic/reasoning behind this and you will have to identify a naming scheme that makes sense for your organization. Let's pretend for a moment that SERVER-1 is used by the Engineering group. Due to your current naming convention, you will have to do some work figuring out appropriate names.

Server1 has a resource (a share) named Applications, currently shared as \\Server1\Applications. Create the groups and assign permissions as shown:

RG_ENG_Applications        - Full control permissions
RG_ENG_ApplicationsRead    - Read only permissions
RG_ENG_ApplicationsModify  - Modify permissions

Where convenient mappings don't exist for adding groups to the above RG_ groups, you can create another set of groups if needed:

AG_ENG_Applications
AG_ENG_ApplicationsRead

Use these groups to add your one-off type users, such as an administrative assistant who is assisting the Engineering group, when you don't want to add, for example, all admin assistants.

This methodology requires more upfront work, but saves work over the long haul. Using DFS namespace for shares also reduces maintenance over the long haul and may provide other benefits depending on your organizational needs.

-Jeff Steward

On Mon, Aug 30, 2010 at 12:59 PM, David Lum <david@nwea.org> wrote:
> [...]
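The RG/AG layout Ken and Jeff describe, as an added PowerShell example (not code from the thread or from the TechNet article): it creates the three resource groups for the Applications share as domain local groups, an account group for the Engineering team as a global group, nests the AG into an RG, and writes an NTFS ACL on the folder that names only the RGs plus SYSTEM and the local Administrators group. The OU, local folder path, NetBIOS domain name and the AG name are placeholders (assumptions).

```powershell
# Added example: AG/RG provisioning for one share. Requires the ActiveDirectory
# module and rights to create groups and to set the folder's ACL (run the ACL
# part on the file server itself). OU, path, domain and group names are
# placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory

$GroupOU    = 'OU=Groups,DC=example,DC=com'   # assumption
$FolderPath = 'E:\Shares\Applications'        # local path behind \\Server1\Applications (assumption)
$Domain     = 'EXAMPLE'                        # NetBIOS domain name (assumption)

# Resource groups: one per (resource, access level), named after the resource and
# the access it grants, never after the server. Domain local, so they can hold
# principals from any trusted domain. Key = group name, value = NTFS right.
$ResourceGroups = [ordered]@{
    'RG_ENG_Applications'       = 'FullControl'
    'RG_ENG_ApplicationsModify' = 'Modify'
    'RG_ENG_ApplicationsRead'   = 'ReadAndExecute'
}

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Description)
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Name'")) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                    -GroupCategory Security -Path $GroupOU -Description $Description
    }
}

foreach ($rg in $ResourceGroups.Keys) {
    New-GroupIfMissing -Name $rg -Scope DomainLocal -Description "Resource group: $FolderPath, $($ResourceGroups[$rg])"
}

# Account (authorisation) group: a team, not a resource. Global scope.
$AccountGroup = 'AG_Engineering'   # assumption
New-GroupIfMissing -Name $AccountGroup -Scope Global -Description 'Account group: Engineering team'

# Provisioning is a membership change only; the folder ACL below never changes.
Add-ADGroupMember -Identity 'RG_ENG_ApplicationsModify' -Members $AccountGroup

# ACL: stop inheriting from the parent so a broad grant higher up cannot leak in,
# then grant each RG its right. SYSTEM and the local Administrators group are
# re-added explicitly because discarding inherited ACEs drops them too; without
# that, backups and admins lose access to the tree.
$acl = Get-Acl -LiteralPath $FolderPath
$acl.SetAccessRuleProtection($true, $false)    # protect; do not copy inherited ACEs
$inherit = 'ContainerInherit, ObjectInherit'
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, 'None', 'Allow')))
}
foreach ($rg in $ResourceGroups.Keys) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("$Domain\$rg", $ResourceGroups[$rg], $inherit, 'None', 'Allow')))
}
Set-Acl -LiteralPath $FolderPath -AclObject $acl

# Verify: the folder should now list exactly the principals above, none inherited.
(Get-Acl -LiteralPath $FolderPath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
```

Two things to expect in practice: `Set-Acl` translates `DOMAIN\RG_...` to a SID through whichever DC the file server is talking to, so a group created seconds earlier on another DC fails with an "identity references could not be translated" error until replication has caught up; and moving the share to another server later means re-running only the ACL part, with the same RG names, which is the point of leaving the server out of them.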
Re: Finding unused/dead groups?
I just record who was in a group (net group command), remove all the users from it, mark it as DEPRECATED in the description, and wait. If anyone calls up complaining, it was still in use - roll back. If a few weeks / months / years (delete as necessary for your environment) pass without issue, remove it completely.

Of course, my habit of using very detailed descriptions and sticking to a "one group, one function" model tends to make sure you know exactly what the scope of each group is. Others prefer nesting, but as I have spent the last two years in a fairly small environment, I've been able to do things this way without too much administrative overhead.

On 18 August 2010 20:17, Paul Hutchings <paul.hutchi...@mira.co.uk> wrote:
> Is there a recommended way to determine which groups (be it Domain Local or Global) are still in active use in a given domain?
>
> In an ideal world Microsoft would give groups a "disable" property, but since there isn't one, other than at some point hitting Delete and waiting for the phone to ring there doesn't seem any decent way to determine this.
>
> Thanks.
>
> --
> MIRA Ltd
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

--
"On two occasions... I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
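The record / empty / mark / wait procedure above, as an added PowerShell example rather than the poster's own `net group` workflow: it writes the group's direct members to a JSON file, empties the group, prefixes the description with DEPRECATED, the date and the backup path, and provides the rollback. The backup directory is an assumption; the optional `-HideFromGal` switch sets `msExchHideFromAddressLists` and only applies to mail-enabled groups in a forest with the Exchange schema.

```powershell
# Added example: "deprecate and wait" for a group suspected to be dead, with a
# rollback. Requires the ActiveDirectory module. Backup directory is an assumption.
Import-Module ActiveDirectory

function Invoke-GroupDeprecation {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $BackupDir = 'C:\ADBackups\DeprecatedGroups',   # assumption
        [switch] $HideFromGal   # mail-enabled groups in an Exchange forest only
    )
    $group = Get-ADGroup -Identity $GroupName -Properties Description, Member
    $null = New-Item -ItemType Directory -Path $BackupDir -Force
    $backupFile = Join-Path $BackupDir ('{0}_{1:yyyyMMdd-HHmmss}.json' -f $group.SamAccountName, (Get-Date))

    # Record direct members by DN (users, computers and nested groups alike), and
    # write the backup before touching the group so a failure half-way is recoverable.
    [pscustomobject]@{
        Group        = $group.DistinguishedName
        Description  = $group.Description
        Members      = @($group.Member)
        DeprecatedOn = (Get-Date).ToString('o')
    } | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $backupFile

    if (@($group.Member).Count -gt 0) {
        Remove-ADGroupMember -Identity $group -Members @($group.Member) -Confirm:$false
    }
    # The description is the first thing anyone sees in ADUC, so it carries the
    # date, where the member list went, and the old text.
    Set-ADGroup -Identity $group -Description ('DEPRECATED {0:yyyy-MM-dd}; members saved to {1}; was: {2}' -f (Get-Date), $backupFile, $group.Description)
    if ($HideFromGal) {
        Set-ADGroup -Identity $group -Replace @{ msExchHideFromAddressLists = $true }
    }
    return $backupFile
}

function Restore-DeprecatedGroup {
    param([Parameter(Mandatory)] [string] $BackupFile)
    $b = Get-Content -LiteralPath $BackupFile -Raw | ConvertFrom-Json
    if (@($b.Members).Count -gt 0) {
        Add-ADGroupMember -Identity $b.Group -Members @($b.Members)
    }
    if ([string]::IsNullOrEmpty($b.Description)) {
        Set-ADGroup -Identity $b.Group -Clear Description
    } else {
        Set-ADGroup -Identity $b.Group -Description $b.Description
    }
}

# Usage: deprecate now; after the quiet period either roll back or delete.
#   $backup = Invoke-GroupDeprecation -GroupName 'Project-X-Folder-RW'   # hypothetical group
#   Restore-DeprecatedGroup -BackupFile $backup
#   Remove-ADGroup -Identity 'Project-X-Folder-RW'
```

One caveat on the "wait" part: a user's group SIDs are put into the access token when they log on or open an SMB session, so someone already connected to the file server keeps the group's access until that session is rebuilt. A quiet period that is shorter than the time people stay logged on proves nothing.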
RE: Finding unused/dead groups?
I wonder how that product compares with Quest's solution.

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Wednesday, August 18, 2010 12:38 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I've got a customer that uses a tool by Varonis to track group usage. I'm ambivalent (not sure it provides equivalent value), but they like it, so that's all that matters. You might give it a look.

NetWrix also has some tools in this space.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, August 18, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

I never would have thought of that - I should be able to use admodify to bulk hide the groups from the GAL. Be interested in any other options, simply as it's always good to know there's more than one way to skin a cat, but that sounds like a plan, so thanks for that Brian.

Michael - A typical example is a folder gets created for a project, group(s) get created and assigned to the folder permissions, project dies and gets deleted, groups don't. Sometimes it's my fault, sometimes it's a subfolder of a top-level folder so the users delete them - most of the time my naming structure makes it obvious if a group is still relevant, but it would be good to have a cooling-off period before deleting.
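Paul's project-folder case (a group created for a folder, the folder deleted, the group left behind) can be narrowed down before the deprecate-and-wait step. The following is an added PowerShell example, not code from the thread or from any of the products mentioned: it collects every identity named in a folder ACL under a set of share roots, then lists the groups in an OU that appear in none of them, with member and nesting counts, and separately reports ACEs whose principal no longer resolves (the deleted-group-left-in-the-ACL mirror image of the same problem). Share roots, OU and domain name are assumptions. A group absent from these ACLs may still be used elsewhere (another server, a share-level permission, an application, GPO security filtering), so the output is a candidate list, not a deletion list.

```powershell
# Added example: candidate dead groups = security groups in an OU that no folder
# ACL under the given share roots references. Requires the ActiveDirectory
# module. Share roots, OU and domain name are placeholders (assumptions).
Import-Module ActiveDirectory

$GroupOU    = 'OU=FileShareGroups,DC=example,DC=com'          # assumption
$ShareRoots = @('E:\Shares\Applications', 'E:\Shares\Shared')  # local paths; run on the file server (assumption)
$Domain     = 'EXAMPLE'                                        # NetBIOS domain name (assumption)

# 1. Every identity named in a folder ACL under the roots. Files inherit from
#    folders in the usual layout, so walking folders only is enough and far faster.
$referenced = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
$unresolved = New-Object 'System.Collections.Generic.List[string]'
foreach ($root in $ShareRoots) {
    $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object FullName)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # access denied: note that such folders are not covered
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            [void]$referenced.Add($id)
            # A raw SID means the principal no longer exists: the group was deleted
            # but its ACE was not.
            if ($id -like 'S-1-5-*') { $unresolved.Add("$dir : $id") }
        }
    }
}

# 2. Groups in the OU that appear in none of those ACLs, with what else is known
#    about them, so the empty, never-nested ones sort to the top.
$candidates = Get-ADGroup -Filter * -SearchBase $GroupOU -Properties Member, MemberOf, whenCreated, Description |
    Where-Object { -not $referenced.Contains("$Domain\$($_.SamAccountName)") } |
    ForEach-Object {
        [pscustomobject]@{
            Group       = $_.SamAccountName
            Members     = @($_.Member).Count
            MemberOf    = @($_.MemberOf).Count
            Created     = $_.whenCreated
            Description = $_.Description
        }
    } | Sort-Object Members, MemberOf, Created

$candidates | Format-Table -AutoSize
'{0} ACEs point at principals that no longer resolve:' -f $unresolved.Count
$unresolved
```

Run it on the file server against local paths rather than over a UNC path: `Get-Acl` over SMB is slow on a large tree, and an administrator's token on the server itself is less likely to hit access-denied folders, which this script silently skips. Feed the top of the candidate list into the deprecate-and-wait step rather than straight into `Remove-ADGroup`.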
RE: Finding unused/dead groups?
Honestly, no clue. I've labbed with quite a few Quest tools, but the only ones I've actually used are the NetWare migrator and GroupWise migrator. For the SMORG space they tend to be inordinately expensive, and that's where I play.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-----Original Message-----
From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, August 19, 2010 7:32 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

> [...]
RE: Finding unused/dead groups?
First hit I had on Varonis I saw this: "DatAdvantage is priced based on the number of users; licenses for typical installations of one to 250 users start at $25,000." Maybe that is really representative, maybe not. It does look pretty cool nonetheless. Quest is not so expensive compared to that if I have to add a couple of zeros :-]

We actually had an offer to try their product in this space (Access Manager) for one year for free from one of their VPs; if we ever find the spare cycles it would be a great project. Just spent 3 days in a room with them and a bunch of our folks doing a POC looking at pulling our *NIX machines into AD with the QAS product... that was an interesting exercise, especially from the *NIX admins' perspective of going from maintaining 1K auth stores individually to a single identity set of groups in AD.

Thread hijack, but if anyone has experience with any of the big players in that space (AD/*NIX integration, privilege mgmt) I'd love to hear opinions; on or offline is fine.

--bob

-----Original Message-----
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Thursday, August 19, 2010 4:43 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

Honestly, no clue. I've labbed with quite a few Quest tools, but the only ones I've actually used are the NetWare migrator and GroupWise migrator. For the SMORG space they tend to be inordinately expensive, and that's where I play.
RE: Finding unused/dead groups?
Convert them to distribution groups and they will retain their SID but no longer be inserted into a user's token. You can subsequently remark them as security groups if someone complains.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
Sent: Wednesday, August 18, 2010 2:18 PM
To: NT System Admin Issues
Subject: Finding unused/dead groups?

Is there a recommended way to determine which groups (be it Domain Local or Global) are still in active use in a given domain? Ideal world Microsoft would give groups a disable property, but since there isn't, other than at some point hitting Delete and waiting for the phone to ring there doesn't seem any decent way to determine this.

Thanks.

MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96
The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
RE: Finding unused/dead groups?
What Brian says. But I guess I'm interested in knowing what you mean by "active use"?

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Wednesday, August 18, 2010 3:19 PM
To: NT System Admin Issues
Subject: RE: Finding unused/dead groups?

Convert them to distribution groups and they will retain their SID but no longer be inserted into a user's token. You can subsequently remark them as security groups if someone complains.
RE: Finding unused/dead groups?
I never would have thought of that - I should be able to use admodify to bulk hide the groups from the GAL. Be interested in any other options simply as it's always good to know there's more than one way to skin a cat, but that sounds like a plan, so thanks for that Brian.

Michael - A typical example is a folder gets created for a project, group(s) gets created and assigned to the folder permissions, project dies and gets deleted, groups don't. Sometimes it's my fault, sometimes it's a subfolder of a top level folder so the users delete them - most of the time my naming structure makes it obvious if a group is still relevant, but it would be good to have a cooling off period before deleting.
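Brian's convert-to-distribution trick, Paul's plan to hide the converted groups from the GAL, and the "cooling off period" he wants can be scripted together. The PowerShell below is an added example, not code from the thread or from any of the posters; it assumes the RSAT ActiveDirectory module (Get-ADGroup / Set-ADGroup), an account allowed to modify the groups, and an Exchange-enabled forest for the msExchHideFromAddressLists switch. The QUARANTINED marker written into the Notes (info) attribute is a convention invented for this example.

```powershell
# Added example (not from the thread). Quarantine a suspected-dead security group
# by converting it to a distribution group: its SID and every ACE that references
# it stay intact, but the group stops being placed in logon tokens. The date and
# former category are stamped into the Notes (info) attribute so the change can
# be reversed and so a cooling-off period can be enforced before deletion.
Import-Module ActiveDirectory

$QuarantineTag = 'QUARANTINED'   # marker line in the info attribute (convention for this example)

function Start-GroupQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Identity,
        [switch] $HideFromGal      # only meaningful where Exchange has extended the schema
    )
    process {
        foreach ($id in $Identity) {
            $g = Get-ADGroup -Identity $id -Properties info
            if ($g.GroupCategory -ne 'Security') {
                Write-Warning "$($g.Name) is not a security group; skipping"
                continue
            }
            # Stamp: marker, ISO date, and what the category was before we touched it.
            $stamp = '{0} {1:yyyy-MM-dd} was:{2}' -f $QuarantineTag, (Get-Date), $g.GroupCategory
            $note  = if ($g.info) { "$($g.info)`r`n$stamp" } else { $stamp }
            $attrs = @{ info = $note }
            if ($HideFromGal) { $attrs['msExchHideFromAddressLists'] = $true }
            if ($PSCmdlet.ShouldProcess($g.Name, 'Convert to distribution group')) {
                Set-ADGroup -Identity $g -GroupCategory Distribution -Replace $attrs
            }
        }
    }
}

function Stop-GroupQuarantine {
    # Reverse the quarantine ("if someone complains"): security group again, marker removed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $Identity)
    process {
        foreach ($id in $Identity) {
            $g = Get-ADGroup -Identity $id -Properties info, msExchHideFromAddressLists
            $lines = @([string]$g.info -split "`r?`n" | Where-Object { $_ -and $_ -notmatch "^$QuarantineTag " })
            $splat   = @{ Identity = $g; GroupCategory = 'Security' }
            $replace = @{}
            $clear   = @()
            if ($lines) { $replace['info'] = $lines -join "`r`n" } elseif ($g.info) { $clear += 'info' }
            if ($g.msExchHideFromAddressLists) { $replace['msExchHideFromAddressLists'] = $false }
            if ($replace.Count) { $splat['Replace'] = $replace }
            if ($clear.Count)   { $splat['Clear']   = $clear }
            if ($PSCmdlet.ShouldProcess($g.Name, 'Restore security group')) { Set-ADGroup @splat }
        }
    }
}

function Get-QuarantineExpired {
    # Groups quarantined more than $Days ago: the ones that survived the cooling-off period untouched.
    param([int] $Days = 90, [string] $SearchBase)
    $cutoff = (Get-Date).AddDays(-$Days)
    $params = @{ Filter = "GroupCategory -eq 'Distribution' -and info -like '*$QuarantineTag*'"; Properties = 'info' }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }
    Get-ADGroup @params | ForEach-Object {
        $m = [regex]::Match([string]$_.info, "$QuarantineTag (\d{4}-\d{2}-\d{2})")
        if ($m.Success) {
            $since = [datetime]::ParseExact($m.Groups[1].Value, 'yyyy-MM-dd', $null)
            if ($since -lt $cutoff) {
                [pscustomobject]@{ Name = $_.Name; QuarantinedSince = $since; DistinguishedName = $_.DistinguishedName }
            }
        }
    }
}

# Usage (names are placeholders): dry run first, then for real.
# Get-ADGroup -Filter "Name -like 'PRJ_*'" | Select-Object -ExpandProperty Name | Start-GroupQuarantine -HideFromGal -WhatIf
# Get-QuarantineExpired -Days 90 -SearchBase 'OU=Resource Groups,DC=example,DC=com'
```

Two things worth knowing before relying on this: group membership is evaluated into the token at logon, so a user who is already logged on keeps the access until they log off, and the same delay applies in reverse after Stop-GroupQuarantine. And -WhatIf works on both functions because of SupportsShouldProcess, so a dry run against the candidate list is cheap.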
RE: Finding unused/dead groups?
I've got a customer that uses a tool by Varonis to track group usage. I'm ambivalent (not sure it provides equivalent value), but they like it, so that's all that matters. You might give it a look.

NetWrix also has some tools in this space.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
Re: Finding unused/dead groups?
On Wed, Aug 18, 2010 at 3:35 PM, Paul Hutchings <paul.hutchi...@mira.co.uk> wrote:
> Michael - A typical example is a folder gets created for a project, group(s) gets created and assigned to the folder permissions, project dies and gets deleted, groups don't.

An ACL reporting tool may prove to be useful to you for that. See the contemporary "Old habits" thread.

Here, when we create a Group for a folder, we record the path to the folder in the Notes section of the group in the GUI. Outside of IT, users generally don't have permissions to change ACLs, so that usually keeps things tidy for us. This likely won't scale to a larger org.

-- 
Ben
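The ACL survey Ben suggests, combined with his habit of recording the folder path in the group's Notes, as an added PowerShell example that is not code from the thread or from any poster. It assumes the RSAT ActiveDirectory module, read access to the folder ACLs under the share roots, and that Notes (the info attribute) holds a UNC or drive path when a group was documented Ben's way. The OU and share paths in the usage comment are placeholders.

```powershell
# Added example (not from the thread). Walk the share roots, record which SIDs hold
# explicit ACEs, then report every security group in a resource-group OU together
# with how many ACEs reference it, whether it is nested in other groups, and whether
# the folder recorded in its Notes still exists.
Import-Module ActiveDirectory

function Get-ExplicitAceSids {
    param([Parameter(Mandatory)] [string[]] $Root)
    $sids = @{}   # SID string -> list of folders carrying an explicit ACE for it
    foreach ($r in $Root) {
        $dirs = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            try   { $acl = Get-Acl -LiteralPath $d.FullName }
            catch { Write-Warning "Cannot read ACL on $($d.FullName): $_"; continue }
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited) { continue }   # the explicit ACE higher up was already counted
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { $sid = $ace.IdentityReference.Value }   # unresolvable: already a raw SID (orphaned ACE)
                if (-not $sids.ContainsKey($sid)) { $sids[$sid] = New-Object System.Collections.Generic.List[string] }
                $sids[$sid].Add($d.FullName)
            }
        }
    }
    $sids
}

function Get-GroupAclUsage {
    param(
        [Parameter(Mandatory)] [string]   $SearchBase,   # OU holding the resource groups (placeholder)
        [Parameter(Mandatory)] [string[]] $Root          # share roots to survey (placeholder)
    )
    $refs = Get-ExplicitAceSids -Root $Root
    Get-ADGroup -Filter "GroupCategory -eq 'Security'" -SearchBase $SearchBase -Properties info, memberOf, whenCreated |
        ForEach-Object {
            $paths = $refs[$_.SID.Value]
            # Pull a UNC or drive path out of Notes, if one was recorded there.
            $m = [regex]::Match([string]$_.info, '(\\\\[^\r\n]+|[A-Za-z]:\\[^\r\n]+)')
            $notedPath = if ($m.Success) { $m.Value.Trim() } else { $null }
            [pscustomobject]@{
                Name            = $_.Name
                Created         = $_.whenCreated
                ExplicitAces    = if ($paths) { $paths.Count } else { 0 }
                FirstAcePath    = if ($paths) { $paths[0] } else { $null }
                NestedIn        = @($_.memberOf | Where-Object { $_ }).Count   # nesting is another kind of "use"
                NotedPath       = $notedPath
                NotedPathExists = if ($notedPath) { Test-Path -LiteralPath $notedPath } else { $null }
            }
        }
}

function Find-DeadGroupCandidate {
    # Candidates for a cooling-off list: no explicit ACE anywhere under the roots,
    # not nested in any other group, and the documented folder is gone (or was never recorded).
    param([Parameter(Mandatory)] [string] $SearchBase, [Parameter(Mandatory)] [string[]] $Root)
    Get-GroupAclUsage -SearchBase $SearchBase -Root $Root |
        Where-Object { $_.ExplicitAces -eq 0 -and $_.NestedIn -eq 0 -and -not $_.NotedPathExists }
}

# Usage (placeholders):
# Find-DeadGroupCandidate -SearchBase 'OU=Resource Groups,DC=example,DC=com' -Root '\\fs1\projects', '\\fs1\dept' |
#     Sort-Object Created | Format-Table Name, Created, NestedIn, NotedPath -AutoSize
```

This only answers Michael's "what do you mean by active use?" for file-system ACLs and group nesting: a group can also be "in use" in GPO security filtering, application or database role mappings, or a service's own authorization list, none of which this survey sees. So treat the output as a candidate list to feed into a quarantine step, not as permission to delete. The same $sids table can be read the other way round, too: any key that did not resolve to an account is an ACE left behind by an already-deleted principal.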
Re: Finding unused/dead groups?
That's actually a cool idea! (Not saying you don't have cool ideas, but...)

ASB (My XeeSM Profile: http://XeeSM.com/AndrewBaker)
Exploiting Technology for Business Advantage...

On Wed, Aug 18, 2010 at 3:19 PM, Brian Desmond <br...@briandesmond.com> wrote:
> Convert them to distribution groups and they will retain their SID but no longer be inserted into a user's token. You can subsequently remark them as security groups if someone complains.
Re: Finding unused/dead groups?
The Varonis technology is pretty nice, although more useful from a security perspective.

ASB (My XeeSM Profile: http://XeeSM.com/AndrewBaker)
Exploiting Technology for Business Advantage...

On Wed, Aug 18, 2010 at 3:38 PM, Michael B. Smith <mich...@smithcons.com> wrote:
> I've got a customer that uses a tool by Varonis to track group usage. I'm ambivalent (not sure it provides equivalent value), but they like it, so that's all that matters. You might give it a look.
RE: Finding unused/dead groups?
> Here, when we create a Group for a folder, we record the path to the folder in the Notes section of the group in the GUI.

+1000! Not to mention our group name itself is in the form of Server_Share_RWXD(or whatever)_access for groups allowing access to specific files\folders. This has the added benefit that, looking at say, a department group, you can see all the locations they have access to by looking at "member of".

Dave

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, August 18, 2010 1:23 PM
To: NT System Admin Issues
Subject: Re: Finding unused/dead groups?
Re: Finding unused/dead groups?
On Wed, Aug 18, 2010 at 5:54 PM, David Lum <david@nwea.org> wrote:
> Not to mention our group name itself is in the form of Server_Share_RWXD

I don't like that because it means if you move servers your group names either change or become misleading. But we otherwise do something similar. Things like "QMS Doc Editors" and "QMS Doc Readers".

-- 
Ben