U-G-DL-P on file servers vs. U-L-P

Posted on 2008-11-11
Medium Priority
Last Modified: 2012-06-27
First, this is not so much a question as I need help making an argument.  Here is the situation.

We have a file server with standalone DFS which points to shares on the same server (don't ask).  There are approximately 250 local groups defined on that server.  The NTFS permissions are assigned to those local groups.  The local groups contain a mix of Domain users and Domain security groups.  The server is home to about 2 TB of files (including home directories) and is not clustered or redundant.  Note that local users are not used, only local groups on this member server.  There are only about 50 folders with unique groups for defining permissions.  

Here is my problem.  

That server is about 4 and 1/2 years old and needs to be replaced.  The architect wants to build a single 2008 file server and continue to use standalone DFS and local groups.  I have the following problems with this:

1)  standalone DFS provides a single point of failure
2)  Local groups with direct user permissions require admins to log on to the server to update group membership
3)  Local groups restrict my ability to view a user's complete access list across the domain
4)  Failure of a single server brings down all home directories and all file shares for the corporate office.
5)  Users have tons of shortcuts to \\server\share instead of the DFS.   These will break when we move servers.

My argument is going to be the following (and here is where I want you guys to poke holes in my theories or ask questions so I can be prepared).  

1)  No user will be a member of more than 120 security groups across the domain so I don't have XP SAM issues
2)  Dual file servers, replicated using DFS, and shared using domain based DFS provide redundant access should a server issue occur
3)  The use of active directory groups would allow admins to update without the need to log-on to the server
4)  Server migrations in the future become easier since you only have to add in another replicate/DFS root and take the old one off line
5)  AD groups would allow unified permissions reporting.
6)  In a dual server role one server could be primary for the files while the other is primary for the home directories.  They would be secondary to each other's primary roles
7)  Shortcuts are to domain dfs shares (\\domain\dfs\share) and do not break in a server change
8)  This uses the MS-recommended U-G-DL-P model
9)  Domain based DFS can replicate Domain based group membership so no double admin duties are needed.

Question by:ChrisWillis
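Points 3 and 5 of the argument (a user's complete access list, unified permissions reporting) are only achievable once the NTFS ACEs name Active Directory groups. The following is an added PowerShell example, not code from the original thread; it assumes the RSAT ActiveDirectory module (Server 2008 R2 / Windows 7 RSAT or later), and the user name jdoe and the root path \\FS01\Shares are hypothetical. It rebuilds what the user's logon token would contain with one LDAP query, then walks a share tree looking for explicit ACEs that match. ACEs granted to server-local groups are reported as a blind spot, because AD cannot expand them; that is the U-L-P problem made concrete.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module; user and root path are hypothetical. Run from an account that can read
# the NTFS ACLs under $Root.
Import-Module ActiveDirectory

function Get-UserShareAccess {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$Root    # e.g. '\\FS01\Shares' or 'D:\Shares'
    )
    $user      = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $domainSid = (Get-ADDomain).DomainSID.Value

    # Rebuild what the logon token would contain: the user SID, the primary group
    # (not stored in any 'member' attribute, so it needs its own lookup), every
    # group reached through nesting (one LDAP_MATCHING_RULE_IN_CHAIN query walks
    # user -> global -> domain local), and the well-known SIDs every domain logon
    # carries (Everyone, Authenticated Users).
    $token  = @($user.SID.Value, (Get-ADGroup -Identity $user.PrimaryGroup).SID.Value, 'S-1-1-0', 'S-1-5-11')
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $token += @(Get-ADGroup -LDAPFilter $filter | ForEach-Object { $_.SID.Value })

    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.PSIsContainer } |
      ForEach-Object {
        $folder = $_.FullName
        foreach ($ace in (Get-Acl -Path $folder).Access) {
            if ($ace.IsInherited) { continue }        # the parent folder already reported it
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }                      # trustee cannot be resolved at all

            # A server-local group carries the member server's SID prefix, not the
            # domain's. AD cannot expand it, so for that ACE the report cannot say
            # yes or no; it can only flag it. Well-known SIDs (BUILTIN\..., NT AUTHORITY\...)
            # have no account domain and are flagged the same way unless already in $token.
            $isDomain = ($sid.AccountDomainSid -ne $null) -and ($sid.AccountDomainSid.Value -eq $domainSid)
            $match    = $token -contains $sid.Value
            if ($match)             { $verdict = 'user has access' }
            elseif (-not $isDomain) { $verdict = 'local/builtin principal: membership not visible from AD' }
            else                    { continue }      # domain principal the user is not part of

            New-Object PSObject -Property @{
                Folder  = $folder
                Trustee = $ace.IdentityReference.Value
                Rights  = $ace.FileSystemRights
                Type    = $ace.AccessControlType
                Verdict = $verdict
            }
        }
      }
}

# Usage (hypothetical user and path):
# Get-UserShareAccess -SamAccountName jdoe -Root '\\FS01\Shares' |
#     Format-Table Folder, Trustee, Rights, Type, Verdict -AutoSize
```

The comparison is done on SIDs rather than names so that renamed groups and unresolvable trustees are handled correctly. On the server described in the question, every one of the 250 local groups would come back as "membership not visible from AD"; to finish the report you would additionally have to query the member server's SAM for each of them, which is exactly the manual work the domain local group model removes.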

Expert Comment

ID: 22931225
You can also argue that by switching to domain local groups, you will be able to easily delegate permission assignment duties to others.
Using local groups, the employee would need special privileges on the server to change group membership, giving him/her access to much more than what he/she would need. With domain local groups, you can assign strict permissions on the user account to add/remove members from the specified domain local groups.
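The delegation the comment describes, together with the U-G-DL-P layout it relies on, as an added PowerShell example (not code from the thread). It assumes the RSAT ActiveDirectory module and dsacls.exe; the domain CONTOSO, the OU, the folder, the FS-Finance share tag, the HelpDesk group and the GG-* global groups are all hypothetical. The script provisions one domain local group per access level, places only those groups on the NTFS ACL, nests global role groups into them, and grants the help desk write access to the member attribute of those groups and nothing more.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and dsacls.exe; the domain, OU, folder, share tag, help desk group and
# global groups below are all hypothetical. Run as an account that can create
# groups in $GroupOU, change the folder's ACL, and change the groups' security.
Import-Module ActiveDirectory

$Domain   = 'CONTOSO'
$GroupOU  = 'OU=FileShareGroups,DC=contoso,DC=com'
$Folder   = 'D:\Shares\Finance'     # local path on the file server (a UNC path also works)
$ShareTag = 'FS-Finance'            # name prefix: the resource the groups protect
$HelpDesk = "$Domain\HelpDesk"      # who may add/remove members, and nothing else

# One domain local group per (resource, access level): the DL in U-G-DL-P.
$Levels = @{
    'RO' = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'RW' = [System.Security.AccessControl.FileSystemRights]::Modify
}

foreach ($level in $Levels.Keys) {
    $name = "$ShareTag-$level"

    # 1. Create the DL group if it is missing, so the script is safe to re-run.
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description "NTFS $level on $Folder"
    }

    # 2. The NTFS ACE names the DL group only: no users, no global groups, no
    #    server-local groups, so the ACL never has to change when people move.
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                "$Domain\$name", $Levels[$level], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl

    # 3. Delegate membership changes on this one group: write-property on the
    #    'member' attribute only. The help desk never logs on to the file server
    #    and needs no local admin there.
    $dn = (Get-ADGroup -Identity $name).DistinguishedName
    & dsacls.exe $dn /G "${HelpDesk}:WP;member" | Out-Null
}

# 4. Nest global (role) groups into the DL (resource) groups: the G -> DL step.
#    Users go into the global groups; they are never placed on the ACL directly.
Add-ADGroupMember -Identity "$ShareTag-RW" -Members 'GG-Finance-Staff'
Add-ADGroupMember -Identity "$ShareTag-RO" -Members 'GG-Auditors'
```

Two caveats worth knowing before presenting this. A domain local group can only be placed on ACLs inside its own domain, which is why the model puts users into global groups (usable across trusts) and reserves domain local groups for the resource side. And SetAccessRule only replaces an ACE for the same identity: the existing ACEs for the old server-local groups stay on the folder until you remove them, so a migration is "add the DL group, move the members, then strip the local-group ACE", not a single step.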

Author Comment

ID: 22931849
Agreed. If I could, I would force the change that all the member servers use DL groups for everything including admin, but it's one battle at a time.  Instead they allow everyone to log on to all servers but domain controllers.  That means I have some idiot help desk people with local admin access to our only file server. Imagine the warm fuzzy I get from that.

Accepted Solution

SweetJ21 earned 1000 total points
ID: 22932968
That sounds like a problem just waiting to happen.

From your listed points, you've got a pretty solid base for your argument. I can't think of anything else to add, or see any issues with your points.

You should have a quick look through your company's data security policy (or similar) if you have one. The current configuration would almost definitely be a breach of the policy, and should help your case.
