AD Group Question

Status
Not open for further replies.

MasterRacker

New member
Oct 13, 1999
3,343
US
We all know the AGULP (AGUDLP) rule for group nesting. What are people's thoughts on this situation:

Global Groups: GrpA, GrpB, GrpC, each containing a number of user accounts.

Now say I have a shared folder (SF) that I need to give full access to GrpA, GrpB, GrpC and a single user: Jim.

My take on "best practices" is create a container global group (SFUsers-Global) containing the 3 other groups plus Jim and then put that in the Local group (SF-Local) that holds the folder permissions.

However, in a situation like this, what might be bad about simply putting the 3 groups plus Jim directly into the Local group?

I've got a number of situations where I have miscellaneous users that need access to something and don't fit neatly into any of the global groups. One thing to keep in mind is that I'm in a single domain environment and that's not likely to change.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
I recommend creating Folder Group Security.

Say Folder name Docs
There is a group called Docs Modify and a group called Docs Read.

Then when people need access to the shared folders, you just add them to the proper group needed. Then for the large masses that already have a group...nest that group in the appropriate modify or read folder group.

This way, the folder security never changes. And no one ever, ever adds a single user to a root folder.

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
 
I'm not asking about putting users directly onto a folder.
Assuming every folder has a Domain Local group (or groups) to assign permissions - is it OK as a best practice to put misc. users in the local group or does everyone strictly follow the model and only put user account global or universal groups?

Here's a (bad) attempt at a diagram
Code:
Scenario A (Strict AGULP)

UserA-----\
UserB------(Admin-Global)-----(FolderRW-Global)
UserC-----/                /    |            
                          /     |--(FolderRW-Local)----Folder
UserExtra----------------/                          /
                                                   /
UserD-----\                                       /
UserE------(Users-Global)-------(FolderRO-Local)-/
UserF-----/

Scenario B (Group Saving)

UserA-----\
UserB------(Admin-Global)--\
UserC-----/                 \              
                             -(FolderRW-Local)------Folder
UserExtra------------------/                      /
                                                 /
UserD-----\                                     /
UserE------(Users-Global)-----(FolderRO-Local)-/
UserF-----/

I'm leaning toward B. In one dept. alone I have a situation like this:
FolderA - Admin + Jim
FolderB - Admin + Tom
FolderC - Admin + Susan
FolderD - Admin
FolderE - Admin
...

I hate the idea of having all kinds of container groups just to gather up 1-off miscellaneous users for different things.

I'm in a relatively small, single domain network that doesn't change all that much. I'm wondering if I'm going to run into any problems with the second scheme.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
B is the same thing I meant...I just did not use the word Local :)

Go with B.

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
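
Added example, not part of the original thread or any poster's code: the Python sketch below models the two diagrams above with constructed membership data, shows that Scenario A and Scenario B resolve to the same effective users, and lists accounts that sit directly in a local group so those one-off grants can be found during an access review. The function names and the "-Local" suffix convention are assumptions made for the illustration.

```python
# Constructed model of the thread's two diagrams: group name -> direct members.
# Assumption: any member name that is not a key in the dict is a user account.
SCENARIO_A = {
    "Admin-Global": ["UserA", "UserB", "UserC"],
    "FolderRW-Global": ["Admin-Global", "UserExtra"],   # container group
    "FolderRW-Local": ["FolderRW-Global"],
    "Users-Global": ["UserD", "UserE", "UserF"],
    "FolderRO-Local": ["Users-Global"],
}
SCENARIO_B = {
    "Admin-Global": ["UserA", "UserB", "UserC"],
    "FolderRW-Local": ["Admin-Global", "UserExtra"],    # user added directly
    "Users-Global": ["UserD", "UserE", "UserF"],
    "FolderRO-Local": ["Users-Global"],
}

def effective_users(groups, name, _seen=None):
    """Expand nested membership into the set of user accounts.

    A visited set guards against circular nesting (group A in B, B in A).
    """
    seen = _seen if _seen is not None else set()
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, []):
        if member in groups:
            users |= effective_users(groups, member, seen)
        else:
            users.add(member)
    return users

def direct_user_exceptions(groups, suffix="-Local"):
    """Return {local group: [users placed in it directly]} for review."""
    report = {}
    for group, members in groups.items():
        if group.endswith(suffix):
            direct = sorted(m for m in members if m not in groups)
            if direct:
                report[group] = direct
    return report

if __name__ == "__main__":
    for label, model in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(label, len(model), "groups",
              sorted(effective_users(model, "FolderRW-Local")),
              direct_user_exceptions(model))
```

Both models grant FolderRW-Local access to the same four accounts; the difference is one fewer group in Scenario B and one direct-user entry that only shows up when the local group's own membership is inspected.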
 