Best practice for local folder security

RichGK wrote:
At work they have been doing a method of security for a long time
(described below) and the manager is adamant that this is the way it
should be done. I suspect that it stems from the NT4 days and with
everything on the network now 2000+ and the domain at 2000 functional
level I don't think we need to do it so complicated.

His way.
A folder shared on the file & print server has a local group in its
ACL (for example "The local group").
Then in AD another group is created (e.g. "The AD group") and is added
as a member of "The Local Group".
Users are then added as members of "The AD group".

Now I prefer to simply add "The AD group" directly to the shared
folder on the F&P server, but when the manager discovers it he instructs
me to do it the other way.

Is there a good reason for doing it the other way?

Thanks!
Rich.
 
Re: Best practice for local folder security

RichGK <RichGK@hotmail.co.uk> wrote:
> At work they have been doing a method of security for a long time
> (described below) and the manager is adamant that this is the way it
> should be done. I suspect that it stems from the NT4 days and with
> everything on the network now 2000+ and the domain at 2000 functional
> level I don't think we need to do it so complicated.
>
> His way.
> A folder shared on the file & print server has a local group in its
> ACL (for example "The local group").
> Then in AD another group is created (e.g. "The AD group") and is added
> as a member of "The Local Group".
> Users are then added as members of "The AD group".
>
> Now I prefer to simply add "The AD group" directly to the shared
> folder on the F&P server, but when the manager discovers it he instructs
> me to do it the other way.
>
> Is there a good reason for doing it the other way?
>
> Thanks!
> Rich.


If this is a member server, I'd do it your way (with a universal security
group). You're not going to have any local users accessing this, right? Only
domain users. So, why not keep things simple & have only one group you care
about?
 
Re: Best practice for local folder security

That's why he is the manager. He is correct. This does stem back from the NT
best practices days; however, it still applies. Why? First of all and most
importantly is centralized administration. All administration can be done
from any AD server. Plus it keeps the folder security clean so you don't see
all those SIDs and "account unknown" remnants when you view NTFS folder
permissions.

"RichGK" <RichGK@hotmail.co.uk> wrote in message
news:38a76f14-c46f-49b4-b27f-2272c75343bf@r9g2000prd.googlegroups.com...
> At work they have been doing a method of security for a long time
> (described below) and the manager is adamant that this is the way it
> should be done. I suspect that it stems from the NT4 days and with
> everything on the network now 2000+ and the domain at 2000 functional
> level I don't think we need to do it so complicated.
>
> His way.
> A folder shared on the file & print server has a local group in its
> ACL (for example "The local group").
> Then in AD another group is created (e.g. "The AD group") and is added
> as a member of "The Local Group".
> Users are then added as members of "The AD group".
>
> Now I prefer to simply add "The AD group" directly to the shared
> folder on the F&P server, but when the manager discovers it he instructs
> me to do it the other way.
>
> Is there a good reason for doing it the other way?
>
> Thanks!
> Rich.
 
Re: Best practice for local folder security

On 14 Apr, 18:51, "AllenM" <nore...@NoEmail.com> wrote:
> That's why he is the manager. He is correct. This does stem back from the NT
> best practices days; however, it still applies. Why? First of all and most
> importantly is centralized administration. All administration can be done
> from any AD server. Plus it keeps the folder security clean so you don't see
> all those SIDs and "account unknown" remnants when you view NTFS folder
> permissions.


Surely you only see SIDs in an ACL if a domain controller can't be
contacted? Also, can you explain what you mean by all administration
can be done from any AD server? As it looks to me that this also
applies to the other method (especially if you are using remote
desktop).

I'm not arguing BTW, just want to understand this as I'm studying for
the MCSA.
 
Re: Best practice for local folder security

OK, if it is information to obtain regarding what they would be asking you on
a cert test, then you are best to go with using local groups and populating them
with domain global or universal groups.

What I mean by "Plus it keeps the folder security clean so you don't see all
those SIDs and 'account unknown' remnants when you view NTFS folder
permissions." Let's say you have a domain group applied to a folder on a
local server's NTFS permissions. What happens when you "delete" this group
from AD? Go back and look at the folder's NTFS permissions and you will see
what I mean. The group no longer exists so it cannot be resolved and you end
up with those SID remnants. Now if you used local groups populated with
domain global groups and you delete that global group you see no garbage.

"RichGK" <RichGK@hotmail.co.uk> wrote in message
news:ae6ebc36-9705-46bc-a407-ef3ab53472e4@y21g2000hsf.googlegroups.com...
> On 14 Apr, 18:51, "AllenM" <nore...@NoEmail.com> wrote:
>> That's why he is the manager. He is correct. This does stem back from the
>> NT
>> best practices days; however, it still applies. Why? First of all and most
>> importantly is centralized administration. All administration can be done
>> from any AD server. Plus it keeps the folder security clean so you don't
>> see
>> all those SIDs and "account unknown" remnants when you view NTFS folder
>> permissions.

>
> Surely you only see SIDs in an ACL if a domain controller can't be
> contacted? Also, can you explain what you mean by all administration
> can be done from any AD server? As it looks to me that this also
> applies to the other method (especially if you are using remote
> desktop).
>
> I'm not arguing BTW, just want to understand this as I'm studying for
> the MCSA.
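As an added example, not posted by anyone in this thread: a PowerShell script for the file server that applies the nesting the manager describes (domain group inside a local group, local group on the NTFS ACL) and then audits a folder's ACL for the unresolvable SID "remnants" AllenM refers to. The folder path D:\Shares\Projects, the group names and the domain CONTOSO are placeholders; it assumes the Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 or later).

```powershell
# Added example; group names, domain and path below are placeholders.
Import-Module Microsoft.PowerShell.LocalAccounts

function Grant-FolderViaLocalGroup {
    param(
        [string]$Path,         # folder on the file & print server
        [string]$LocalGroup,   # the group that actually sits in the ACL
        [string]$DomainGroup,  # 'DOMAIN\Group' nested inside the local group
        [string]$Rights = 'Modify'
    )
    if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $LocalGroup | Out-Null
    }
    # Nest the domain group: membership is still managed centrally in AD, but
    # the ACL references a local principal that outlives changes to AD groups.
    $members = (Get-LocalGroupMember -Group $LocalGroup).Name
    if ($members -notcontains $DomainGroup) {
        Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
    }
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$env:COMPUTERNAME\$LocalGroup", $Rights,
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-OrphanedAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Ask for raw SIDs, then try to map each back to an account name. A SID that
    # no longer maps is the leftover entry a deleted group leaves in the ACL.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $null }   # IdentityNotMappedException: orphaned SID
        if (-not $name) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $sid.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Grant-FolderViaLocalGroup -Path 'D:\Shares\Projects' -LocalGroup 'The local group' -DomainGroup 'CONTOSO\The AD group'
Find-OrphanedAce -Path 'D:\Shares\Projects'
```

Run Find-OrphanedAce against a folder whose directly assigned domain group has since been deleted to see the bare SID that AllenM is talking about; the nested layout reports nothing because the local group still resolves.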
 