U-G-DL-P on file servers vs. U-L-P

First, this is not so much a question as I need help making an argument.  Here is the situation.

We have a file server with standalone DFS which points to shares on the same server (don't ask). There are approximately 250 local groups defined on that server. The NTFS permissions are assigned to those local groups. The local groups contain a mix of Domain users and Domain security groups. The server is home to about 2 TB of files (including home directories) and is not clustered or redundant. Note that local users are not used, only local groups on this member server. There are only about 50 folders with unique groups for defining permissions.

Here is my problem.  

That server is about 4 and 1/2 years old and needs to be replaced.  The architect wants to build a single 2008 file server and continue to use standalone DFS and local groups.  I have the following problems with this:

1)  standalone DFS provides a single point of failure
2)  Local groups with direct user permissions require admins to log on to the server to update group membership
3)  Local groups restrict my ability to view a user's complete access list across the domain
4)  Failure of a single server brings down all home directories and all file shares for the corporate office.
5)  Users have tons of shortcuts to \\server\share instead of the DFS. These will break when we move servers.

My argument is going to be the following (and here is where I want you guys to poke holes in my theories or ask questions so I can be prepared).  

1)  No user will be a member of more than 120 security groups across the domain so I don't have XP SAM issues
2)  Dual file servers, replicated using DFS, and shared using domain based DFS provide redundant access should a server issue occur
3)  The use of Active Directory groups would allow admins to update without the need to log on to the server
4)  Server migrations in the future become easier since you only have to add in another replica/DFS root and take the old one offline
5)  AD groups would allow unified permissions reporting.
6)  In a dual server role one server could be primary for the files while the other is primary for the home directories.  They would be secondary to each other's primary roles
7)  Shortcuts are to domain dfs shares (\\domain\dfs\share) and do not break in a server change
8)  This uses the MS-recommended U-G-DL-P model
9)  Domain based DFS can replicate Domain based group membership so no double admin duties are needed.

ChrisWillis asked:
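As an added example (not part of the original question or any answer), a PowerShell inventory script for the U-L-P to U-G-DL-P move the question argues for: it lists each user-created local group on the member server, the domain users and groups nested in it, and the folders whose explicit NTFS ACEs reference it, which is the input needed to create one domain local group per unique-permission folder. The share roots and the PowerShell 5.1 LocalAccounts module are assumptions.

```powershell
# Added example: inventory of U-L-P on a member server ahead of a move to U-G-DL-P.
# Assumes PowerShell 5.1+ (LocalAccounts module) and the share roots below; run elevated on the file server.
param(
    [string[]]$ShareRoots = @('D:\Shares', 'D:\Home'),   # assumed NTFS roots
    [int]$Depth = 2,                                     # unique-permission folders sit near the top
    [string]$ReportPath = '.\LocalGroupInventory.csv'
)
$server = $env:COMPUTERNAME

# 1. User-created local groups (skip BUILTIN\*, whose SIDs start S-1-5-32-) and
#    the domain principals nested in each one.
$groupInfo = @{}
foreach ($g in Get-LocalGroup | Where-Object { $_.SID.Value -notlike 'S-1-5-32-*' }) {
    $members = @(Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue |
                 Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })
    $groupInfo[$g.Name] = [pscustomobject]@{
        LocalGroup   = $g.Name
        DomainUsers  = @($members | Where-Object { $_.ObjectClass -eq 'User' }).Count
        DomainGroups = @($members | Where-Object { $_.ObjectClass -eq 'Group' }).Count
        Members      = (@($members | ForEach-Object { $_.Name }) -join ';')
        Folders      = New-Object System.Collections.Generic.List[string]
    }
}

# 2. Explicit (non-inherited) NTFS ACEs that name one of those local groups.
foreach ($root in $ShareRoots) {
    $folders = @(Get-Item -LiteralPath $root) +
               @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($f in $folders) {
        $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $id = $ace.IdentityReference.Value            # e.g. SERVER\Finance-RW
            if ($id -like "$server\*") {
                $name = $id.Substring($server.Length + 1)
                if ($groupInfo.ContainsKey($name)) { $groupInfo[$name].Folders.Add($f.FullName) }
            }
        }
    }
}

# 3. Report. Groups with FolderCount 0 are unused; the rest map 1:1 to a domain
#    local group with the same membership, replacing the ACE on each folder.
$groupInfo.Values |
    Select-Object LocalGroup, DomainUsers, DomainGroups,
        @{n = 'FolderCount'; e = { $_.Folders.Count } },
        @{n = 'Folders';     e = { $_.Folders -join ';' } },
        Members |
    Sort-Object FolderCount -Descending |
    Export-Csv -NoTypeInformation -Path $ReportPath
```

A local group whose members are all domain security groups already has a ready-made domain local equivalent; one that holds direct domain users is where the G layer of U-G-DL-P still has to be created.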
SweetJ21 commented:
You can also argue that by switching to domain local groups, you will be able to easily delegate permission assignment duties to others.
Using local groups, the employee would need special privileges on the server to change group membership, giving him/her access to much more than what he/she would need. With domain local groups, you can assign strict permissions on the user account to add/remove members from the specified domain local groups.
ChrisWillis (Author) commented:
Agreed. If I could, I would force the change that all the member servers use DL groups for everything including admin, but it's one battle at a time. Instead they allow everyone to log on to all servers but domain controllers. That means I have some idiot help desk people with local admin access to our only file server... imagine the warm fuzzy I get from that.
SweetJ21 commented:
That sounds like a problem just waiting to happen.

From your listed points, you've got a pretty solid base for your argument. I can't think of anything else to add, or see any issues with your points.

You should have a quick look through your company's data security policy (or similar) if you have one. The current configuration would almost definitely be a breach of the policy, and should help your case.