Managing Security Groups as Distribution Lists

Discussion in 'Active Directory' started by Nir B, Nov 3, 2005.

  1. Nir B

    Nir B Guest

    Hi All,

    We have Active Directory (Windows 2000)
    Each folder on my file server have folder owner and 3 corresponded groups
    (Group Scope = Global, Group type = Security):
    Folder Name Read Only
    Folder Name Read Write
    Folder Name Read Write Delete

    When user want permission to specific folder he call the HD and the HD is
    checking with the owner of the folder what permission to give him, and add
    him to the appropriate groups.
    I want to reduce the overhead and move the all workflow to the owner
    responsibility.
    I thought to do the following:
    -Add these groups E-Mail Address (do be available as DL)
    - set the folder owner as the owner of his corresponded groups
    - Learn the owner how to modify members via the Outlook

    What thinks I need to take into account in such configuration?
    Is there better way / product to move the all management cycle to the folder
    owner?

    Thanks,

    Nir
     
    Nir B, Nov 3, 2005
    #1
    1. Advertisements

  2. Nir B

    Paul Bergson Guest

    It might be easier if you just gave everyone administrative access to
    everything, then you wouldn't have to worry about setting any permissions at
    all. Seriously though, you want to have some type of centralized control of
    permissions. Using distribution groups as controlling points isn't
    something to me that sounds very good.

    Can't you delegate a small group of users the management of these groups and
    allow them to manage the security groups. Once you start the whole sale
    provision of others to manage there own permissions they start doing crazy
    and stupid things and you are left with going back and fixing them. This is
    going to take a lot more time than just setting up the permissions.

    We do something very similar to what you do but our help desk/work station
    support has manage group membership on these groups after we create them and
    provide permissions to the files and folders.

    Use security groups for security and use distribution groups for
    distribution.

    --


    Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson, Nov 3, 2005
    #2
    1. Advertisements

  3. Nir B

    Nir B Guest

    Hi Paul,

    You didn't understand what I wroth here is the clarification:
    I (system group) create the 3 groups and give them the appropriate
    permissions on the folder, the owner get only Read Write Delete permissions
    and not full control, so he can't give permissions to other users by going
    to the folder and add them directly, the only option to ass permissions on
    this folder is by adding the user to the right group, so I have full
    control.
    I want to save the HD time and give the user (owner) the ability to manage
    the groups related to his folder only (anyway the HD give the permissions
    that the owner tell them to give...)

    Nir
     
    Nir B, Nov 3, 2005
    #3
  4. Nir B

    Paul Bergson Guest

    Yeah I guess I'm totally confused because you can't use a distribution group
    as a way to manage permissions on a resource. You can though send e-mail to
    a security group.

    --


    Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson, Nov 3, 2005
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.