airbourne
MIS
- Sep 11, 2003
- 130
I've run into this problem at a few places I have worked now, and I just want to get the opinion of some other professionals in the field of AD Administration. The subject is about groups.
1st option: Do you put your users into a small amount of groups, such as by department or by hierarchy (ceo, manager, peon, etc..), then assign that department group to all the resources they need?
2nd option: Or, do you create your groups based on the resources you have, and put your people into those groups, potentially creating a great many number of groups in active directory.
I kinda feel that the second one is easier to manage because you can centrally control who has access to what specific resource without having to go to each resource. The second option does requires a key file when you are creating new users or when a user changes jobs within the company. The key file is basically a spreadsheet detailing what resources they get access to based on job title.
My co-worker disagrees with me and likes the first option better. Thoughts?
1st option: Do you put your users into a small amount of groups, such as by department or by hierarchy (ceo, manager, peon, etc..), then assign that department group to all the resources they need?
2nd option: Or, do you create your groups based on the resources you have, and put your people into those groups, potentially creating a great many number of groups in active directory.
I kinda feel that the second one is easier to manage because you can centrally control who has access to what specific resource without having to go to each resource. The second option does requires a key file when you are creating new users or when a user changes jobs within the company. The key file is basically a spreadsheet detailing what resources they get access to based on job title.
My co-worker disagrees with me and likes the first option better. Thoughts?