Re: Groups best practices
From: Marin Marinov (mlmarinov_at_askme.ca)
Date: 05/13/04
- Next message: Marin Marinov: "Re: Auditing on single user object? How?"
- Previous message: Joe Richards [MVP]: "Re: Parent and child workstations use same IP range"
- In reply to: SA: "Groups best practices"
- Next in thread: SA: "Re: Groups best practices"
- Reply: SA: "Re: Groups best practices"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 13 May 2004 13:05:34 -0400
In article <eOqJXbQOEHA.3924@TK2MSFTNGP09.phx.gbl>, nospam@nospam.nospam
says...
>
> I am trying to decide how to assign user permissions to shares on computer.
> SHould I use Global groups or put Global groups into local groups and then
> assgin the permissions.
> The second approach seems complex and cumbersome to me and would like to
> avoid it if at all possible.
>
> -SA.
I assume this computer is a domain member since you post in this
newsgroup ;) A best practice for a single domain is using the A G Dl P
strategy - put Accounts into Global groups, Global into Domain Local,
and grant Permissions at the resource to Domain Local group. It has
proven to be the most flexible in the long run. Since the machine is a
member of a Win2K or higher domain, forget about local groups for
granting access to resources - the AGLP strategy was used in NT 4.0 but
with Domain Local groups it's no longer justified.
HTH
-- Cheers, Marin Marinov MCT, MCSE 2003/2000/NT4.0, MCSE:Security 2003/2000, MCP+I - This posting is provided "AS IS" with no warranties, and confers no rights.
- Next message: Marin Marinov: "Re: Auditing on single user object? How?"
- Previous message: Joe Richards [MVP]: "Re: Parent and child workstations use same IP range"
- In reply to: SA: "Groups best practices"
- Next in thread: SA: "Re: Groups best practices"
- Reply: SA: "Re: Groups best practices"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
