account management - large enterprises

Posted on 2011-04-19
Last Modified: 2012-05-11
Is there any general best practice to manage user permissions for windows security groups for departmental "movers"? How do you manage this in your companies (especially in large enterprises). For example user Y works in accounts, is a memeber of "company-accounts-team" group which is granted access to various directories on departmental file servers, they also have a couple of departmental mailboxes. When they move to payroll from accounts there accounts permissions are no longer acceptable, what do you do process wise to identify this and change permissions accordingly?
Question by:pma111
    LVL 9

    Accepted Solution

    Nothing more than making sure that the user is removed from the old security group and added to the new security group. I have kept a list of users and security group membership before. There are various snippets of code on the web that will list groups and membership.
    LVL 3

    Author Comment

    Is there like a management form they have to fill out to inform you though when a user moves role? How do you know otherwise that permissions are no longer valid?
    LVL 9

    Expert Comment

    Permissions are changed with group membership changes (The user will get the permissions from the new group and will no longer get permissions from the old group if they are removed).
    Departmental managers or similar would need to approve the request to move groups in writing. Depends on your organisation but obviously you will need some sort of confirmation that a user can move groups.

    Featured Post

    Free book by J.Peter Bruzzese, Microsoft MVP

    Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

    Join & Write a Comment

    Set OWA language and time zone in Exchange for individuals, all users or per database.
    Use email signature images to promote corporate certifications and industry awards.
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

    734 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now