Groups best practices


SA

I am trying to decide how to assign user permissions to shares on a computer.
Should I use Global groups or put Global groups into local groups and then
assign the permissions?
The second approach seems complex and cumbersome to me and I would like to
avoid it if at all possible.

-SA.
 

Joe Richards [MVP]

Depends on lots of things that are tough to enumerate in detail. However note
that you can also just add users to domain local groups and assign them
permissions. If you have a multi-domain environment, this option is one of the
better ones in my opinion.

joe
 

Marin Marinov

I am trying to decide how to assign user permissions to shares on a computer.
Should I use Global groups or put Global groups into local groups and then
assign the permissions?
The second approach seems complex and cumbersome to me and I would like to
avoid it if at all possible.

-SA.
I assume this computer is a domain member since you post in this
newsgroup ;) A best practice for a single domain is using the A G Dl P
strategy - put Accounts into Global groups, Global into Domain Local,
and grant Permissions at the resource to Domain Local group. It has
proven to be the most flexible in the long run. Since the machine is a
member of a Win2K or higher domain, forget about local groups for
granting access to resources - the AGLP strategy was used in NT 4.0 but
with Domain Local groups it's no longer justified.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 

SA

Marin,
You are right. I am talking about domain global groups. I have been told
the same thing that this is usually best practice but I find it confusing
and I know it will confuse other people.

I can understand putting domain global groups into local computer groups
for access, but I don't understand the need to put the domain Global
groups into domain local groups and then assign the domain local groups
the permission.

Thanks and I hope I made myself more clear.

-SA.
 

Marin Marinov

<snip>
Ok, I'll give it a shot, hope this clears things up ;) You create Global
groups to organize users based on a *common need* of theirs - for
example, all users from Accounting that need to print to LaserJet1. In
this case the common need is *printing*, it may also be accessing a
specific share. Global groups serve as a bus for the users - you *pack*
them in a common object (vehicle) so they are easy to *transport* and to
*manipulate* as a whole. That's why they have *global* scope - you can
use them throughout your forest but they can contain only members from
their own forest.
Domain Local, on the other hand, are used for defining access to
resources. Since resources reside in the domain, these groups are
*locked* inside their domain - they can contain members from anywhere in
the forest. The idea behind this, as actually is with local groups, is
to define the permissions at the resource only once and never go there
again, if possible - just close the link between "permission" and
"user" by putting Globals into DLs.

Often, especially in large organizations, it happens that a group of
users must have the same permissions to a resource as another group. In
my example, consider that Sales should also print to LaserJet1. If you
granted Accounting permissions directly on the print queue, you'll have
to go again and repeat this for Sales. Moreover, you might not even have
any permissions on this printer because you've just been delegated
permissions in AD to create and manage groups so someone else has to do
the permissions part for you. Now imagine you have played a lot to grant
special NTFS permissions to, say 50 files. Would you like to do this
again manually for Sales? Probably not.

And if you extrapolate this example to a large enterprise with hundreds
of users, groups and resources, things start getting pretty complicated.
That's what I meant by "most flexible in the long run" - even if now you
don't see the benefit of AGDLP, just take the time to create the DLs and
in the coming months and years it will pay off, that's guaranteed.

I hope I managed to shed some light on the AGDLP matter (it certainly
turned out longish ;)) Feel free to ask further if you still don't feel
convinced.

P.S.: The only exception to this strategy is permissions in AD - you
should always use Global or Universal groups there.

HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
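The AGDLP layout Marin describes, written out as an added PowerShell example (not code from the thread or from any of the posters). It assumes the ActiveDirectory and SmbShare modules, a domain with NetBIOS name EXAMPLE, an OU `OU=Groups,DC=example,DC=local`, a file server FS01 with the share path `D:\Shares\Reports`, and user accounts alice, bob and carol; all of these names are constructed for illustration. It also shows the "Sales later needs the same access" case from the post, which is handled by one group nesting and no change to the resource ACL.

```powershell
# Added example: Accounts -> Global -> Domain Local -> Permissions (AGDLP).
# All names (OU, users, server, share, domain EXAMPLE) are constructed.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=local'   # assumed OU for the groups

# A -> G: accounts go into Global groups that express a common need/role.
New-ADGroup -Name 'Accounting' -GroupScope Global -Path $ou
New-ADGroup -Name 'Sales'      -GroupScope Global -Path $ou
Add-ADGroupMember -Identity 'Accounting' -Members 'alice', 'bob'   # constructed users
Add-ADGroupMember -Identity 'Sales'      -Members 'carol'

# DL: one Domain Local group per resource and access level. The name says
# exactly which resource and which right it carries, so the ACL stays readable.
New-ADGroup -Name 'RES-Reports-Modify' -GroupScope DomainLocal -Path $ou `
    -Description 'Modify on \\FS01\Reports'

# G -> DL: nest the Global group that needs the access into the resource group.
Add-ADGroupMember -Identity 'RES-Reports-Modify' -Members 'Accounting'

# DL -> P: the permission is granted once, at the resource, to the DL group only.
# This part runs on the file server (FS01).
$path = 'D:\Shares\Reports'
New-Item -ItemType Directory -Path $path -Force | Out-Null

$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'EXAMPLE\RES-Reports-Modify',   # only the Domain Local group appears in the ACL
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Share-level permission to the same DL group; NTFS decides the effective rights.
New-SmbShare -Name 'Reports' -Path $path -ChangeAccess 'EXAMPLE\RES-Reports-Modify'

# Months later: Sales needs the same access. No ACL is touched, no file-server
# rights are needed; a group administrator just nests the second Global group.
Add-ADGroupMember -Identity 'RES-Reports-Modify' -Members 'Sales'

# Checks a reviewer would run. Because access now flows through nesting, an
# access review has to enumerate membership recursively to see who really has it.
(Get-ADGroup -Identity 'RES-Reports-Modify').GroupScope          # expect: DomainLocal
Get-ADGroupMember -Identity 'RES-Reports-Modify' -Recursive |
    Select-Object -ExpandProperty SamAccountName                  # alice, bob, carol
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like 'EXAMPLE\RES-*' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

The last three lines are the part worth keeping around: the scope check confirms the resource group is really Domain Local, the recursive listing is what an access review must look at once users inherit rights through nesting, and the ACL filter confirms that the only non-inherited entry on the folder is the RES- group rather than individual users or role groups.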
 