Re: Best Practice for Group Names



Thanks! It's the opposite of the historical MS guidance of user -> global
group -> local group, as you say. In my experience I have also observed
that proper setup and use of MS-based permissions is almost non-existent,
so people view a thorough setup with best practices as involved and
scary; i.e. multiple separate over-powered department servers when a
single server with correct security applied to the resources would do very
well.


Joe Richards [MVP] wrote:

I usually recommend naming the group for the resource and the type of
access it grants. So over a folder named bob, maybe bob-r for read-only
access to bob, or just bob for change access, or bob-f for bob full
control. Or if going into the domain to control that share you want to
add in the server name or even share and server (I recommend standard
project share naming throughout a company so share shouldn't be needed -
i.e. every project data share in one Fortune 5 company I worked with is
called PROJ and the permissioning is done at the top-level folder level,
not on the share), so then you see something like server1-bob,
server1-bob-r, or maybe instead server1_bob_r, or server1.bob.r, or
server1-bob_r, etc. etc.

I am not a fan of putting scope or whether or not the group is a
security or non-security enabled group because it is trivial to change
those things. Exchange will turn non-security groups into security
groups whenever it feels like it and you can't (and shouldn't) stop it.

Also for scope: I mostly work with very large companies and governments,
etc. (>100k seats), but I highly recommend sticking with resource-based
grouping and using domain local groups as much as possible. This limits
the scope, so when you have to try and figure out everywhere the group
could be getting used, you don't have to look as far. Plus, it means the
person controlling the group giving access to the resource is in full
control of the membership. When you use the User into Global, Global
into Local group nesting stuff you tend to be wasting space in your
tokens and taking away the power from the resource group manager to
actually manage the membership. This is a form of role-based or
department-based permissioning and is usually more open than it needs to
be, as I have found few occasions where everyone in a role or a department
all need exactly the same permissions. This is usually because roles are
defined broadly.

joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


BCW wrote:
I've seen references to using standard group naming conventions in a few
posts, and am currently taking the MS course for 70-299, which uses
prefixes to identify group scope (GG for global group etc.). I'm looking
for best practice suggestions that you all have for the group names.

Thanks
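The convention Joe describes (one domain local security group per resource and access level, named server-folder, server-folder-r and server-folder-f, with the permission set on the top-level folder rather than on the share) can be turned into a repeatable setup. The script below is an added example for this thread, not code from any of the posters or from joeware.net. The server name, PROJ share, folder name and OU are hypothetical; it assumes the RSAT ActiveDirectory module and a session with rights to create groups in that OU and to change the folder ACL.

```powershell
# Added example, not code from the thread or from joeware.net.
# For one top-level folder under the PROJ share, create domain-local security
# groups named <server>-<folder>, <server>-<folder>-r and <server>-<folder>-f,
# and grant each one the matching NTFS right on that folder.
# Server, share, folder and OU below are hypothetical.

Import-Module ActiveDirectory

$Server  = 'server1'                                   # hypothetical file server
$Folder  = 'bob'                                       # top-level folder under \\server1\PROJ
$Path    = "\\${Server}\PROJ\${Folder}"
$GroupOU = 'OU=Resource Groups,DC=example,DC=com'      # hypothetical OU for resource groups

# Suffix -> NTFS right, as in the thread: no suffix = change, -r = read only, -f = full control
$AccessLevels = @(
    @{ Suffix = '';   Right = [System.Security.AccessControl.FileSystemRights]::Modify }
    @{ Suffix = '-r'; Right = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
    @{ Suffix = '-f'; Right = [System.Security.AccessControl.FileSystemRights]::FullControl }
)

function New-ResourceGroupName {
    # Build and validate the name so the same resource always maps to the same group.
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Folder,
        [string] $Suffix = ''
    )
    $name = "${Server}-${Folder}${Suffix}".ToLowerInvariant()
    if ($name -notmatch '^[a-z0-9]+-[a-z0-9]+(-[rf])?$') {
        throw "Group name '$name' does not follow <server>-<folder>[-r|-f]"
    }
    return $name
}

$acl = Get-Acl -Path $Path
foreach ($level in $AccessLevels) {
    $name = New-ResourceGroupName -Server $Server -Folder $Folder -Suffix $level.Suffix

    # Domain local keeps the group usable only in this domain, so tracing where it is
    # used stays local, and the folder owner manages membership directly (no global
    # group layer in between). Scope and category are deliberately not encoded in
    # the name, because both can be changed later.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        $group = New-ADGroup -Name $name -SamAccountName $name `
            -GroupScope DomainLocal -GroupCategory Security `
            -Path $GroupOU -Description "$($level.Right) on $Path" -PassThru
    }

    # Grant by SID rather than by name: a group created seconds ago may not yet
    # resolve by name on the file server, but its SID is valid immediately.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group.SID, $level.Right,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl
```

Users (or, where genuinely warranted, other groups) are then added to server1-bob, server1-bob-r or server1-bob-f by whoever owns the folder; the share itself stays wide open to Authenticated Users and the effective permission is decided entirely by the NTFS ACL on the top-level folder, which is what the thread recommends.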



