Group Setup

Mike

I have a Native Mode AD domain that was at one time a NT4
Domain. I completely understand the concepts of global
and domain local groups in an NT4 domain and realize they
will work the same way in my Native Mode AD Domain. With
a user base of 100 people, what is the suggested way to
structure domain group security in a native mode AD
enabled single domain? Do I still use Domain local
groups? Can I eliminate Domain local groups and just use
Global groups? Should I migrate to Universal Groups? I
am also running Exchange 2000.

Thanks
 
Cary Shultz [A.D. MVP]

Mike,

I am a fan of doing the following:

Find some way that makes sense to you to place all of your users in a Global
Security Group. If you want to do it by department, that is fine. If you
want to do it by function, that is fine. Just make that decision and stick
to it. Create a Global Security Group for each "grouping". Give each of
these Global Security Groups a name starting with 'GSG_'. If you have a
grouping called 'Managers', call it 'gsg_managers', for example. I would not
mail-enable the Global Security Groups. Do this for all of your
'groupings'.

I would then create a Global Distribution Group that mirrors the Global
Security Groups - if that makes sense for your environment. I would call
that group 'gdg_managers', for example. Do this for all of your
'groupings'. You just need to make sure that you get rid of the 'gsg_' in
the front of it when it comes to the alias and you might want to consider
sticking either a "_" or a "#" in front of the name ( #Managers, for
example ) for the Display Name so that all of your Distribution Groups are
bunched together at the top of the GAL in Outlook.

I would then create a Universal Security Group called 'USG_Company' and make
each of those GSG a member of this. I would do the same for the GDGs.
Create a Universal Distribution Group and call it 'UDG_Company'. Or
whatever makes sense for you!

For permissions to Network Resources ( such as shared folders on the File
Server ) I would create Domain Local Security Groups ( called, naturally,
LSG_whatever ). You can then simply add either the GSGs or the USG to each
of the LSGs as appropriate. Naturally, you give the LSG the permissions (
read, change, full control, whatever ). If you should be so fortunate as to
have a dedicated File Server running on a WIN2000 Member Server ( in other
words, not on a DC ) I might avoid the temptation to create the local
security groups via the Computer Management console on that specific file
server. The reason: if you were to want/need to use something like RMTSHARE
in conjunction with XCACLS you might have a hard time. However, please note
that doing so in this method is also a valid method. If you have other OSes
( read: Macs ) then you might just have to do it in this manner.

What you want to try to avoid is making individual users a member of a
Universal Group. You also want to try to avoid adding permissions to an
individual user account. Additionally, you want to try to avoid situations
where you have to add an individual user account to 15 different groups upon
creation. With the manner that I have suggested, you add a user account to
two groups ( the 'grouping' security group and the 'grouping' distribution
group ) and there you go. Naturally, it might not always be this easy but
it is great to get close.

I worked in an environment where upon creating a user account I had to add
that user account to some 25 different groups. I almost always missed one!
Not the way to do things.

Anyway, what I have suggested is simply a guideline on how things *could* be
done. I typically work in smaller environments ( 25 users to 300 users )
and this works just fine.

HTH,

Cary
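The nesting Cary describes (users in Global Security Groups, those in a Universal group, Domain Local groups holding the actual resource permissions, and a mirrored set of Distribution Groups) can be scripted. The following is an added example, not code from the thread or from either poster; it uses the ActiveDirectory PowerShell module, which did not exist in the Windows 2000 era the thread belongs to, and the OU path, domain name, share path, grouping names and user account are all assumed values. It also ends with two checks a defender would want: that no individual user has been placed directly in the Universal group, and that the folder ACL carries no individual user entries.

```powershell
# Added example (not from the thread). Builds the GSG -> USG -> LSG structure
# described above. All names and paths below are assumptions for illustration.
Import-Module ActiveDirectory

$GroupOU   = 'OU=Groups,DC=example,DC=com'     # assumed OU for all groups
$Domain    = 'EXAMPLE'                          # assumed NetBIOS domain name
$Groupings = @('Managers', 'Sales', 'IT')      # assumed "groupings"

foreach ($g in $Groupings) {
    # Global Security Group per grouping, not mail-enabled
    New-ADGroup -Name "gsg_$g" -SamAccountName "gsg_$g" `
        -GroupScope Global -GroupCategory Security -Path $GroupOU

    # Mirrored Global Distribution Group. DisplayName gets a '#' prefix so the
    # distribution groups sort together at the top of the GAL in Outlook.
    New-ADGroup -Name "gdg_$g" -SamAccountName "gdg_$g" `
        -GroupScope Global -GroupCategory Distribution -Path $GroupOU -DisplayName "#$g"

    # Mail-enabling (Exchange Management Shell, modern Exchange; assumed available).
    # The alias drops the 'gdg_' prefix, as the post suggests.
    # Enable-DistributionGroup -Identity "gdg_$g" -Alias $g -DisplayName "#$g"
}

# Universal groups that collect the per-grouping Global groups (never users)
New-ADGroup -Name 'USG_Company' -GroupScope Universal -GroupCategory Security     -Path $GroupOU
New-ADGroup -Name 'UDG_Company' -GroupScope Universal -GroupCategory Distribution -Path $GroupOU
Add-ADGroupMember -Identity 'USG_Company' -Members ($Groupings | ForEach-Object { "gsg_$_" })
Add-ADGroupMember -Identity 'UDG_Company' -Members ($Groupings | ForEach-Object { "gdg_$_" })

# Domain Local Security Group that will carry the permission on the resource
New-ADGroup -Name 'LSG_Finance_Change' -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity 'LSG_Finance_Change' -Members 'gsg_Managers'

# Grant Modify (the post's "change") on the folder to the LSG only
$Folder = 'D:\Shares\Finance'                   # assumed path on the member file server
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\LSG_Finance_Change", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Onboarding a user then touches exactly two groups (assumed account 'jdoe')
Add-ADGroupMember -Identity 'gsg_Managers' -Members 'jdoe'
Add-ADGroupMember -Identity 'gdg_Managers' -Members 'jdoe'

# Check 1: no individual user accounts directly in the Universal Security Group
$directUsers = Get-ADGroupMember -Identity 'USG_Company' |
    Where-Object { $_.objectClass -eq 'user' }
if ($directUsers) {
    Write-Warning "Users placed directly in USG_Company: $($directUsers.SamAccountName -join ', ')"
}

# Check 2: no individual user accounts granted directly on the folder ACL
$userAces = (Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Where-Object {
        $name = $_.IdentityReference.Value.Split('\')[-1]
        (Get-ADObject -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue).ObjectClass -eq 'user'
    }
if ($userAces) {
    Write-Warning "Direct user ACEs on ${Folder}: $($userAces.IdentityReference.Value -join ', ')"
}
```

Run the checks on a schedule rather than once: the structure only keeps onboarding at "two groups per user" as long as nobody later shortcuts it by granting a user directly on a share or dropping a user into the Universal group.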