U-G-DL-P on file servers vs. U-L-P

Posted on 2008-11-11
Last Modified: 2012-06-27
First, this is not so much a question as I need help making an argument.  Here is the situation.

We have a file server with standalone DFS which points to shares on the same server (don't ask).  There are approximately 250 local groups defined on that server.  The NTFS permissions are assigned to those local groups.  The local groups contain a mix of Domain users and Domain security groups.  The server is home to about 2 TB of files (including home directories) and is not clustered or redundant.  Note that local users are not used, only local groups on this member server.  There are only about 50 folders with unique groups for defining permissions.

Here is my problem.  

That server is about 4 and 1/2 years old and needs to be replaced.  The architect wants to build a single 2008 file server and continue to use standalone DFS and local groups.  I have the following problems with this:

1)  standalone DFS provides a single point of failure
2)  Local groups with direct user permissions require admins to log on to the server to update group membership
3)  Local groups restrict my ability to view a user's complete access list across the domain
4)  Failure of a single server brings down all home directories and all file shares for the corporate office.
5)  Users have tons of shortcuts to \\server\share instead of the DFS.   These will break when we move servers.

My argument is going to be the following (and here is where I want you guys to poke holes in my theories or ask questions so I can be prepared).  

1)  No user will be a member of more than 120 security groups across the domain so I don't have XP SAM issues
2)  Dual file servers, replicated using DFS, and shared using domain based DFS provide redundant access should a server issue occur
3)  The use of Active Directory groups would allow admins to update without the need to log on to the server
4)  Server migrations in the future become easier since you only have to add in another replicate/DFS root and take the old one off line
5)  AD groups would allow unified permissions reporting.
6)  In a dual server role one server could be primary for the files while the other is primary for the home directories.  They would be secondary to each other's primary roles
7)  Shortcuts are to domain dfs shares (\\domain\dfs\share) and do not break in a server change
8)  This uses the MS-recommended U-G-DL-P model
9)  Domain based DFS can replicate Domain based group membership so no double admin duties are needed.

Question by:ChrisWillis
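An added example (not from the original thread) of the audit the question's points 3 and 5 imply: it lists every NTFS ACE on the share root and its uniquely permissioned subfolders that names a machine-local group, then expands that group through the WinNT ADSI provider so the hidden domain members become visible. Assumptions: it runs on the file server itself, `$ShareRoot` is a placeholder path, and the output rows are the mapping you would use to create one domain local group per local group during the migration.

```powershell
# Added example, not from the original post. Assumes it runs on the file server;
# $ShareRoot is a placeholder for the folder that holds the ~50 uniquely permissioned shares.
$ShareRoot = 'D:\Shares'
$Server    = $env:COMPUTERNAME

function Get-LocalGroupMembers {
    param([string]$GroupName)
    # The WinNT provider reads this member server's own SAM, which AD tooling cannot see.
    $group = [ADSI]"WinNT://$Server/$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath looks like WinNT://DOMAIN/Name; report it as DOMAIN\Name
        New-Object PSObject -Property @{
            Member     = ($adsPath -replace '^WinNT://', '') -replace '/', '\'
            MemberType = $class   # 'User' or 'Group' (domain groups nested in the local group)
        }
    }
}

function Get-LocalGroupAces {
    param([string]$Path)
    # Share root plus its first-level folders, where the unique permissions live
    $folders = @(Get-Item $Path) + @(Get-ChildItem $Path | Where-Object { $_.PSIsContainer })
    foreach ($f in $folders) {
        $acl = Get-Acl -Path $f.FullName
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # Keep only ACEs whose principal lives in this server's SAM (SERVER\group);
            # domain and BUILTIN principals are skipped
            if ($id -notlike "$Server\*") { continue }
            $groupName = $id.Split('\')[1]
            foreach ($member in Get-LocalGroupMembers -GroupName $groupName) {
                New-Object PSObject -Property @{
                    Folder     = $f.FullName
                    LocalGroup = $id
                    Rights     = $ace.FileSystemRights
                    Inherited  = $ace.IsInherited
                    Member     = $member.Member
                    MemberType = $member.MemberType
                }
            }
        }
    }
}

Get-LocalGroupAces -Path $ShareRoot |
    Sort-Object Folder, LocalGroup, Member |
    Export-Csv -Path "$env:TEMP\local-group-aces.csv" -NoTypeInformation
```

Grouping the CSV by LocalGroup gives the member list each replacement domain local group needs; grouping it by Member shows the per-user access view that point 3 says is unavailable while the groups stay local.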
    LVL 3

    Expert Comment

    You can also argue that by switching to domain local groups, you will be able to easily delegate permission assignment duties to others.
    Using local groups, the employee would need special privileges on the server to change group membership, giving him/her access to much more than what he/she would need. With domain local groups, you can assign strict permissions on the user account to add/remove members from the specified domain local groups.
    LVL 1

    Author Comment

    Agreed. If I could I would force the change that all the member servers use DL groups for everything including admin, but it's one battle at a time.  Instead they allow everyone to log on to all servers but domain controllers.  That means I have some idiot help desk people with local admin access to our only file server... imagine the warm fuzzy I get from that.
    LVL 3

    Accepted Solution

    That sounds like a problem just waiting to happen.

    From your listed points, you've got a pretty solid base for your argument. I can't think of anything else to add, or see any issues with your points.

    You should have a quick look through your company's data security policy (or similar) if you have one. The current configuration would almost definitely be a breach of the policy, and should help your case.
