creating security groups from scratch - best practices


The way I have implemented it, based on Microsoft's recommendations for Windows Server 2003 (found in the MCSE Self-Paced Training Kit for exam 70-294: Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure) is:

  • Create a global security group for each position within the organisation (eg, CEO, Sales Director etc)
  • Create a domain local security group for each resource (or two groups if you are giving some people read-only permission and others modify permission) (eg, Sales File Modifiers, Marketing Data Readers)
  • Assign permissions to your resources, using the domain local security groups (eg, Give Modify permissions on the Sales Files to the Sales Files Modifiers groups)
  • Assign users to the relevant global security groups (eg, make your CEO a member of the CEO security group)
  • Add the global security groups to the relevant domain local security groups (eg Add the Sales Director group to the Sales Files Modifiers group)

So you have: User Account -> Job Role security group -> Resource Permission security group -> Resource Permissions

Doing it this way, you can end up with a lot of groups, particularly domain local groups, if you have a lot of resources, but it keeps it relatively simple and maintainable. Trying to get clever and having multiple levels of nested groups is a recipe for complexity and disaster, trust me!

It would also be a good idea to ensure that no-one other than Administrators has Full Control of any files. This prevents users trying to be too clever and configuring their own permissions.

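The role-group / resource-group layout described in the answer above, as an added example (not the answer's or Microsoft's own script): it builds one global group per job role, one domain local group per resource and access level, grants NTFS permissions only to the domain local groups, then nests roles into resource groups. It uses the RSAT ActiveDirectory module on a domain-joined Windows host. The OU, domain name, folder path, group names and user names are assumptions.

```powershell
# Added example, not from the original answer. Assumed names: the OU, the
# EXAMPLE domain, the Sales folder, the group names and the sAMAccountNames.
Import-Module ActiveDirectory

$GroupOU   = 'OU=Groups,DC=example,DC=com'   # assumed OU that holds all security groups
$SalesPath = 'D:\Shares\Sales'                # assumed folder backing the Sales share

# 1. Global security groups: one per position in the organisation
foreach ($role in 'CEO', 'Sales Director', 'Sales Rep') {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

# 2. Domain local security groups: one per resource and per access level
foreach ($res in 'Sales Files Modifiers', 'Sales Files Readers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$res'")) {
        New-ADGroup -Name $res -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
}

# 3. Permissions on the resource go to the domain local groups only.
#    Administrators keep Full Control; nobody else gets it.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Identity = 'EXAMPLE\Sales Files Modifiers'; Rights = 'Modify' },
    @{ Identity = 'EXAMPLE\Sales Files Readers';   Rights = 'ReadAndExecute' },
    @{ Identity = 'BUILTIN\Administrators';        Rights = 'FullControl' }
)
$acl = Get-Acl -Path $SalesPath
foreach ($g in $grants) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Identity, $g.Rights, $inherit, $propagate, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SalesPath -AclObject $acl

# 4. Users become members of their job-role (global) groups
Add-ADGroupMember -Identity 'CEO'            -Members 'jsmith'   # assumed account
Add-ADGroupMember -Identity 'Sales Director' -Members 'adoe'     # assumed account

# 5. Job-role groups become members of the resource (domain local) groups
Add-ADGroupMember -Identity 'Sales Files Modifiers' -Members 'Sales Director'
Add-ADGroupMember -Identity 'Sales Files Readers'   -Members 'CEO'

# Check for the last point in the answer: list any non-administrator principal
# that holds Full Control on the share root. An empty result is what you want.
(Get-Acl -Path $SalesPath).Access |
    Where-Object {
        $_.FileSystemRights -match 'FullControl' -and
        $_.IdentityReference -notmatch '\\Administrators$|^NT AUTHORITY\\SYSTEM$'
    } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run the script once per resource; the per-role groups are created only if missing, so re-running it for a second share adds only that share's domain local groups and ACEs. Because users are never placed directly in the resource groups, moving someone to a new position means changing one global group membership rather than touching any ACL.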



Updated on September 18, 2022

Comments

  • Rory
    Rory over 1 year

    I need to create security groups in AD. I can identify the groups that I need, let's say they are: Management,Finance,Sales & Engineering. And I can identify the resources that each group requires access to (though this could be a tedious task). And I can identify levels of access required.

    Most companies add security groups as needed. But this is a situation where the company is already mature but has never used security groups before. Are there best practices for implementing security groups? Are there any tips? Or pitfalls to avoid? And does anyone know of any tool that could speed up the group->resource mapping process?

  • Rory
    Rory over 12 years
    Thanks @hmallett. This make so much sense. Could you provide a link to where I can read more on this by any chance? Because I'm struggling to find it.
  • hmallett
    hmallett over 12 years
    I have added the source, but it's a real book, rather than a link. I don't know where the equivalent information is available online.