Best Practice

C

chad

Our Active Directory structure has users broken up by department. One
department wants its own server that only they have access to. They
want their My Docs folder redirected there, and an area for dumping
common files. My question is, should security groups be created by
department? I could create department X with the same rights they have
now, but only with X's members. Then I could redirect folders based on
groups. Is this a good practice?
 
R

Ryan Hanisco

Hi Chad,

You will usually want to use an OU for a logical management division in
your AD tree. This is a collection of Users, Groups, and Computers that
have a common GPO. Security groups are for setting permissions to
specific resources in the domain. That being said, if you are
segmenting users for the accounting department into a specific OU, you
will often have a security group containing these objects to handle
permissions or to do GPO filtering (again by permissions).

Redirecting folders based on security group is often done and works
well. I would caution you in your corporate culture of a department
having its "own" server. It certainly makes sense to have resources
matched to business units, but when they start to feel ownership of the
resource, an environment can be created that will take the security and
management away from the experts in that area.

The best scenario here is to work with them to define their needs and
help them come to a reasonable set of expectations of how the IT
resources will meet their defined business needs -- that means in
writing.

As always, the technology is the easy part.

Ryan Hanisco
FlagShip Integration Services
 
C

chad

Thanks, Ryan.
Ryan said:
Hi Chad,

You will usually want to use an OU for a logical management division in
your AD tree. This is a collection of Users, Groups, and Computers that
have a common GPO. Security groups are for setting permissions to
specific resources in the domain. That being said, if you are
segmenting users for the accounting department into a specific OU, you
will often have a security group containing these objects to handle
permissions or to do GPO filtering (again by permissions).

Redirecting folders based on security group is often done and works
well. I would caution you in your corporate culture of a department
having its "own" server. It certainly makes sense to have resources
matched to business units, but when they start to feel ownership of the
resource, an environment can be created that will take the security and
management away from the experts in that area.

The best scenario here is to work with them to define their needs and
help them come to a reasonable set of expectations of how the IT
resources will meet their defined business needs -- that means in
writing.

As always, the technology is the easy part.

Ryan Hanisco
FlagShip Integration Services
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Best method for mass amounts of Workgroup Templates 2
Best Security Option to access Read Only Form 4
Local Admin Remote Destop Assistance 0
"Nested" COUNTIF's 5
File Server rights 2
Filtering form from another and make visible/hide 5
company moving 3 networks onto 2 physical segments 2
Can I view task, shared to me in my to-do list, or is it nessesaryfor me to follow up on both my per 1

Top