RichGK, posted April 14, 2008

At work they have been doing a method of security for a long time (described below) and the manager is adamant that this is the way it should be done. I suspect that it stems from the NT4 days, and with everything on the network now 2000+ and the domain at 2000 functional level, I don't think we need to make it so complicated.

His way:
A folder shared on the file & print server has a local group in its ACL (for example "The local group"). Then in AD another group is created (e.g. "The AD group") and is added as a member of "The Local Group". Users are then added as members of "The AD group".

Now I prefer to simply add "The AD group" directly to the shared folder on the F&P server, but when the manager discovers this he instructs me to do it the other way.

Is there a good reason for doing it the other way?

Thanks!
Rich.
Lanwench [MVP - Exchange], posted April 14, 2008
Re: Best practice for local folder security

RichGK <RichGK@hotmail.co.uk> wrote:
> At work they have been doing a method of security for a long time (described below) and the manager is adamant that this is the way it should be done. I suspect that it stems from the NT4 days, and with everything on the network now 2000+ and the domain at 2000 functional level, I don't think we need to make it so complicated.
>
> His way:
> A folder shared on the file & print server has a local group in its ACL (for example "The local group"). Then in AD another group is created (e.g. "The AD group") and is added as a member of "The Local Group". Users are then added as members of "The AD group".
>
> Now I prefer to simply add "The AD group" directly to the shared folder on the F&P server, but when the manager discovers this he instructs me to do it the other way.
>
> Is there a good reason for doing it the other way?
>
> Thanks!
> Rich.

If this is a member server, I'd do it your way (with a universal security group). You're not going to have any local users accessing this, right? Only domain users. So, why not keep things simple & have only one group you care about?
AllenM, posted April 14, 2008
Re: Best practice for local folder security

That's why he is the manager. He is correct. This does stem back from the NT best practices days; however, it still applies. Why? First of all, and most importantly, is centralized administration. All administration can be done from any AD server. Plus it keeps the folder security clean, so you don't see all those SIDs and "account unknown" remnants when you view NTFS folder permissions.

"RichGK" <RichGK@hotmail.co.uk> wrote in message news:38a76f14-c46f-49b4-b27f-2272c75343bf@r9g2000prd.googlegroups.com...
> At work they have been doing a method of security for a long time (described below) and the manager is adamant that this is the way it should be done. I suspect that it stems from the NT4 days, and with everything on the network now 2000+ and the domain at 2000 functional level, I don't think we need to make it so complicated.
>
> His way:
> A folder shared on the file & print server has a local group in its ACL (for example "The local group"). Then in AD another group is created (e.g. "The AD group") and is added as a member of "The Local Group". Users are then added as members of "The AD group".
>
> Now I prefer to simply add "The AD group" directly to the shared folder on the F&P server, but when the manager discovers this he instructs me to do it the other way.
>
> Is there a good reason for doing it the other way?
>
> Thanks!
> Rich.
RichGK, posted April 15, 2008
Re: Best practice for local folder security

On 14 Apr, 18:51, "AllenM" <nore...@NoEmail.com> wrote:
> That's why he is the manager. He is correct. This does stem back from the NT best practices days; however, it still applies. Why? First of all, and most importantly, is centralized administration. All administration can be done from any AD server. Plus it keeps the folder security clean, so you don't see all those SIDs and "account unknown" remnants when you view NTFS folder permissions.

Surely you only see SIDs in an ACL if a domain controller can't be contacted? Also, can you explain what you mean by "all administration can be done from any AD server"? As it looks to me, this also applies to the other method (especially if you are using remote desktop).

I'm not arguing, BTW, just want to understand this as I'm studying for the MCSA.
AllenM, posted April 15, 2008
Re: Best practice for local folder security

OK, if it is information to obtain regarding what they would be asking you on the cert test, then you are best to go with using local groups and populating them with domain global or universal groups.

What I mean by "Plus it keeps the folder security clean so you don't see all those SIDs and account unknown remnants when you view NTFS folder permissions": let's say you have a domain group applied to a folder's NTFS permissions on a local server. What happens when you "delete" this group from AD? Go back and look at the folder's NTFS permissions and you will see what I mean. The group no longer exists, so it cannot be resolved, and you end up with those SID remnants. Now if you used local groups populated with domain global groups and you delete that global group, you see no garbage.

"RichGK" <RichGK@hotmail.co.uk> wrote in message news:ae6ebc36-9705-46bc-a407-ef3ab53472e4@y21g2000hsf.googlegroups.com...
> On 14 Apr, 18:51, "AllenM" <nore...@NoEmail.com> wrote:
>> That's why he is the manager. He is correct. This does stem back from the NT best practices days; however, it still applies. Why? First of all, and most importantly, is centralized administration. All administration can be done from any AD server. Plus it keeps the folder security clean, so you don't see all those SIDs and "account unknown" remnants when you view NTFS folder permissions.
>
> Surely you only see SIDs in an ACL if a domain controller can't be contacted? Also, can you explain what you mean by "all administration can be done from any AD server"? As it looks to me, this also applies to the other method (especially if you are using remote desktop).
>
> I'm not arguing, BTW, just want to understand this as I'm studying for the MCSA.
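One way to lay out the nesting AllenM describes, and to check for the unresolved-SID remnants he mentions, in PowerShell. This is an added example, not code from the thread; the folder path, the machine-local group Projects-Modify and the AD group CONTOSO\Projects-Staff are constructed placeholders, and it assumes Windows PowerShell 5.1 with the LocalAccounts module run as an administrator on the member file server.

```powershell
# Added example: local group holds the ACE, AD global group is nested inside it,
# users go into the AD group. Names and path below are constructed placeholders.
$SharePath   = 'D:\Shares\Projects'      # folder published via the share
$LocalGroup  = 'Projects-Modify'         # machine-local group referenced by the ACL
$DomainGroup = 'CONTOSO\Projects-Staff'  # AD global group that users are members of

# 1. Local group on the file server; this is the only principal the ACL will name.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description "Modify access to $SharePath" | Out-Null
}

# 2. Nest the AD group inside the local group; membership changes happen in AD only.
if (-not (Get-LocalGroupMember -Group $LocalGroup -Member $DomainGroup -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
}

# 3. Grant the local group Modify on the folder, inherited by subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:COMPUTERNAME\$LocalGroup",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRule($rule)   # replaces any earlier Allow ACE for the same identity
Set-Acl -Path $SharePath -AclObject $acl

# 4. The remnant check. An ACE whose principal no longer resolves is returned with a
#    raw SecurityIdentifier instead of an NTAccount name. With the nesting above the
#    folder ACL stays clean when the AD group is deleted; the orphan, if any, lives
#    only in the local group's member list, which is where it gets cleaned up.
function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference -is [System.Security.Principal.SecurityIdentifier]
    }
}

Get-OrphanedAce -Path $SharePath | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Run the check against a folder that still carries a directly-assigned domain group after that group was deleted in AD and the orphaned ACE is listed by SID; run it against the nested layout and nothing is returned.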