Best Practice

  • Thread starter Thread starter chad
  • Start date Start date
C

chad

Our Active Directory structure has users broken up by department. One
department wants its own server that only they have access to. They
want their My Docs folder redirected there, and an area for dumping
common files. My question is, should security groups be created by
department? I could create department X with the same rights they have
now, but only with X's members. Then I could redirect folders based on
groups. Is this a good practice?
 
Hi Chad,

You will usually want to use an OU for a logical management division in
your AD tree. This is a collection of Users, Groups, and Computers that
have a common GPO. Security groups are for setting permissions to
specific resources in the domain. That being said, if you are
segmenting users for the accounting department into a specific OU, you
will often have a security group containing these objects to handle
permissions or to do GPO filtering (again by permissions).

Redirecting folders based on security group is often done and works
well. I would caution you in your corporate culture of a department
having its "own" server. It certainly makes sense to have resources
matched to business units, but when they start to feel ownership of the
resource, an environment can be created that will take the security and
management away from the experts in that area.

The best scenario here is to work with them to define their needs and
help them come to a reasonable set of expectations of how the IT
resources will meet their defined business needs -- that means in
writing.

As always, the technology is the easy part.

Ryan Hanisco
FlagShip Integration Services
 
Thanks, Ryan.
Ryan said:
Hi Chad,

You will usually want to use an OU for a logical management division in
your AD tree. This is a collection of Users, Groups, and Computers that
have a common GPO. Security groups are for setting permissions to
specific resources in the domain. That being said, if you are
segmenting users for the accounting department into a specific OU, you
will often have a security group containing these objects to handle
permissions or to do GPO filtering (again by permissions).

Redirecting folders based on security group is often done and works
well. I would caution you in your corporate culture of a department
having its "own" server. It certainly makes sense to have resources
matched to business units, but when they start to feel ownership of the
resource, an environment can be created that will take the security and
management away from the experts in that area.

The best scenario here is to work with them to define their needs and
help them come to a reasonable set of expectations of how the IT
resources will meet their defined business needs -- that means in
writing.

As always, the technology is the easy part.

Ryan Hanisco
FlagShip Integration Services
Click to expand...
 
Back
Top