Re: Permissions - local



This is probably going to start an argument but I have never thought that AGDLP or UGLy or whatever people want to call it was ever any good as a mechanism for assigning permissions UNLESS you were trying to implement some sort of role based scheme, and even then I dislike it because the person who is responsible for the resource security is getting too far from the management of the security, i.e. they control their local group but have no say over the global groups that get nested into it.

I am, and have been since about 1996, a huge fan of placing users directly into the domain local or machine local groups where they get their permissions from. This was said to be a great model for a master/resource or multiple-master resource domain design and that couldn't have been further from the truth, as I managed a very huge multi-master environment and trying to manage groups in this way makes no sense. It also doesn't make sense in a single domain structure, so outside of the idea of role based security I don't see anywhere it should be used.


Plus... I think as we get more and more into token and Kerberos bloat issues, more and more people are going to come over to my way of thinking about this problem unless Microsoft does some major restructuring in how groups are handled in general.

Regardless of what you do, it is a policy decision (or technical if you have a huge number of groups, because then you seriously need to worry about token and Kerberos bloat) and whatever you decide, make sure to follow it explicitly.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Bad Beagle wrote:
I understand the concept of AGDLP for domain permissions but is there any benefit or issue with using the same DL groups when applying local permissions? For example I have a group called G-HR which is a member of DL-HR and I need to give the G-HR group local administrator permissions on a machine - should I use DL-HR or G-HR? Any difference?


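Added example for this thread (not Joe's code and not from Microsoft): whichever way you go on DL-HR vs G-HR, the question that matters for the machine is who actually ends up in local Administrators once the nesting is expanded, and how many groups a user is dragging around in their token. The script below expands the machine-local group through any nested domain groups and counts a user's transitive memberships using the LDAP_MATCHING_RULE_IN_CHAIN filter. It assumes the RSAT ActiveDirectory module, the LocalAccounts cmdlets (Windows 10 / Server 2016 and later), and a sample user 'jdoe'; group names are placeholders.

```powershell
# Added example (not from the original post): expand the machine-local
# Administrators group through nested domain groups so you can see which users
# hold admin rights and via which group, and count a user's transitive group
# memberships as a rough token-bloat check.
# Assumptions: RSAT ActiveDirectory module installed, LocalAccounts cmdlets
# available (Windows 10 / Server 2016+), and 'jdoe' is a sample account.

Import-Module ActiveDirectory

function Get-EffectiveLocalGroupMembers {
    param([string]$LocalGroup = 'Administrators')

    foreach ($m in Get-LocalGroupMember -Group $LocalGroup) {
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            # A domain group sits in the local group: walk it recursively so
            # global groups nested in a domain local group resolve to users.
            # Caveat: -Recursive can fail on groups holding members from other
            # domains (foreign security principals), and primary-group
            # membership is not stored in the member attribute.
            $sam = ($m.Name -split '\\')[-1]
            Get-ADGroupMember -Identity $sam -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{ User = $_.SamAccountName; Via = $m.Name }
                }
        }
        else {
            # Local account, or a domain user placed directly in the local group.
            [pscustomobject]@{ User = $m.Name; Via = '(direct)' }
        }
    }
}

function Get-TransitiveGroupCount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC expand
    # nested membership server-side; the result approximates the group SIDs the
    # user's logon token will carry, which is what token/Kerberos bloat is about.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    @($groups).Count
}

Get-EffectiveLocalGroupMembers | Sort-Object User | Format-Table -AutoSize
"Transitive group memberships for jdoe: $(Get-TransitiveGroupCount -SamAccountName 'jdoe')"
```

Run it on the machine in question as an account that can read the domain. The first table shows every user who effectively has local admin and the path they got it through, which is the check to run before and after changing a nesting scheme; the count is what to watch as the number of groups grows, since every nested layer adds SIDs to the token regardless of which group name you type into the local Administrators group.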


