Re: Best practice on setting permissions with authenticated users

It seems you have two or three questions hidden in there.

To give all users of a domain access, should one use grants
via Authenticated Users ?
That would do it, but are there now or will there ever be more
than one domain in the forest ? If so, use of AU overallots
access to users of all domain, whereas you specificed "the"
domain.
Hence, use of Domain Users might be better.

Is it better to grant directly to AU, or should AU be used in
a group that is used for the grant?
I like to only make grants to groups that have membership that
I can control. If one grants directly to AU and later you want
to change the grant, then you need to modify the ACLing on the
storage. If you use a custom group that contains AU, then to
make the later change one only needs to adjust membership in
the custom group.

Is it best to use AU in a domain global and this global in a
domain local ?
Opinions vary.
There are also the options of using the global in a machine
local, using AU in a domain local directly (without the global),
using AU directly in a machine local, using the domain global
directly in the ACL, etc. etc. etc.
Factors used in deciding include: visibility of the group for
use outside of its domain, user token size, portability of what
is ACL'd between different systems (such as by a restore with
permissions), whether anything on the local machine would
use the domain group but store this as a string rather than as a
SID (ex. SQL Server grants), etc..

"Trilix" <Trilix@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:07D64336-D127-4419-A82E-6B9DC70E8DBA@xxxxxxxxxxxxxxxx
Hi,

Can someone tell me what the best practice is when you need to give all
users on the domain modify rights on a network share?

At this moment we have given "Authenticated users" modify rights.

I was thinking of putting "Authenticated users" in a global group and
putting that in a domain local group ...

Is this the way to go or am I totally wrong here?

Thanks,
Jurgen



.