proper file security methods

Mike Brearley

What's the proper way to assign a group access to a directory?

Say I have a global group set up in AD that many users are members of.
Should I set up a local group on the local file server and make that global
group a member of the local group and assign the local group access to the
directory or should I just assign the global group access to the directory
without creating a local group? Or is there a difference in setting up a
local group in AD?

--
Posted 'as is'. If there are any spelling and/or grammar mistakes, they
were a direct result of my fingers and brain not being synchronized or my
lack of caffeine.

Mike Brearley
 
Doug Sherman [MVP]

Either way will work, and if the global group serves no purpose other than
to access this particular resource, it probably makes no difference. The
recommended way to do it is as you described - create a domain local group
to access the resource, place users in a global group, and make the global
group a member of the local group. The reason for doing it that way is that
it gives you more granular control. You can add other users/groups to the
local group without having to add them to the global group which might give
them undesired access to other resources.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
 
Herb Martin

Mike Brearley said:
What's the proper way to assign a group access to a directory?

Say I have a global group set up in AD that many users are members of.
Should I set up a local group on the local file server and make that global
group a member of the local group and assign the local group access to the
directory or should I just assign the global group access to the directory
without creating a local group?

The former -- it's a best practice.

With one Global and one "resource" it may not
be obvious why adding the local is better but for
scalability and manageability over time it is.

Imagine that the Local group represents a whole
"set of resources" and the Global group(s) represent
categories of people who should be given access
together.

Were you to have another group who need access
together you would add them to a new Global, and
place them in the appropriate Local group(s).

Also, note that the Global groups can be used in (many)
different places.

Local == think "set of resources"

Global == think "set of users"

Mike Brearley said:
Or is there a difference in setting up a
local group in AD?

Yes, if the Group might be used across many file
servers the Local group in AD is preferable to a
(bunch of) Local group(s) on different servers BUT
using the Domain Local (properly) requires that the
Domain be in Native(+) mode.
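
The nesting both replies recommend (users in a global group, the global group in a domain local group, the permission on the domain local group), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module and an NTFS volume; the group names, OU path and directory are hypothetical placeholders.

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$share       = 'D:\Shares\Finance'             # directory on the file server
$globalGroup = 'GG-Accounting'                 # existing global group: a "set of users"
$localGroup  = 'DL-FinanceShare-Modify'        # domain local group: a "set of resources"
$ouPath      = 'OU=Groups,DC=corp,DC=example'  # where the new group is created

# 1. Create the domain local group once.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$localGroup'")) {
    New-ADGroup -Name $localGroup -SamAccountName $localGroup `
                -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
}

# 2. Nest the global group inside it (skip if it is already a member).
$members = @(Get-ADGroupMember -Identity $localGroup |
             ForEach-Object { $_.SamAccountName })
if ($members -notcontains $globalGroup) {
    Add-ADGroupMember -Identity $localGroup -Members $globalGroup
}

# 3. Grant Modify on the directory to the domain local group only.
$domain = (Get-ADDomain).NetBIOSName
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\$localGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. Audit: report explicit ACEs granted straight to a global or universal
#    group, i.e. entries that bypass the domain local layer.
foreach ($ace in (Get-Acl -Path $share).Access) {
    if ($ace.IsInherited) { continue }
    $sam   = ($ace.IdentityReference.Value -split '\\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
    if ($group -and $group.GroupScope -ne 'DomainLocal') {
        [pscustomobject]@{
            Path    = $share
            Trustee = $ace.IdentityReference.Value
            Scope   = $group.GroupScope
            Rights  = $ace.FileSystemRights
        }
    }
}
```

Step 4 prints nothing when every explicit group entry on the directory goes through a domain local group; each row it does print is a direct grant worth moving behind one.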
 
