Solved

Best practices for Domain Users group membership

Posted on 2013-12-13
960 Views
Last Modified: 2014-03-15
We have various resources where we want anyone in our domain to be able to access resources (file shares, etc.), and each share has a group in Active Directory for read access and another for write access.

Some previous admins had added the Domain Users group as a member of the security group for the shares (roughly 200). Thus, through inheritance, every user in our AD domain is now a member of that security group (though it doesn't show explicitly in their MemberOf field).

We've been told that many users are having authentication issues due to their Kerberos token size being too small. One obvious solution is to increase everyone's token size in AD via a GPO.

However, the question I have is this: what is the best practice for granting domain users access to shares without using the Everyone group? We don't want anonymous access or non-authenticated users. Should we simply use "Authenticated Users" and make that a member of these shares' security groups that control access? Or does that end up with the same effect as using the Domain Users group?

Thanks!
Question by:DITGUY
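An audit for the situation described in the question, added here and not part of the original thread: it lists every group that contains Domain Users (directly or through nesting) and estimates one user's Kerberos token size using the constructed tokenGroups attribute, which, unlike MemberOf, already reflects nested membership. It assumes the RSAT ActiveDirectory module on a domain-joined host; the user name passed in is a placeholder.

```powershell
# Added audit example, not code from the original thread. Assumes RSAT's ActiveDirectory
# module on a domain-joined host; the user name passed at the bottom is a placeholder.
Import-Module ActiveDirectory

# Every group that contains Domain Users, directly or through nesting, lands in every
# user's Kerberos token, so this list is exactly what the ~200 share groups contribute.
function Get-GroupsContainingDomainUsers {
    $du = Get-ADGroup -Identity 'Domain Users'
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it follows nested membership.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($du.DistinguishedName))" |
        Select-Object Name, GroupScope, DistinguishedName
}

# Rough token size for one user from Microsoft's published estimate (KB327825):
# 1200 bytes overhead + 40 bytes per domain-local or foreign-domain group + 8 bytes per
# global/universal security group. tokenGroups is constructed server-side and already
# includes nested membership, so it mirrors what the PAC actually carries.
function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache([string[]]'tokenGroups')

    $domainLocalOrForeign = 0; $globalOrUniversal = 0
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0)
        try {
            $g = Get-ADGroup -Identity $sid.Value -ErrorAction Stop
            if ($g.GroupScope -eq 'DomainLocal') { $domainLocalOrForeign++ } else { $globalOrUniversal++ }
        } catch {
            # Not resolvable in this domain (built-in or foreign SID): counted at the larger size.
            $domainLocalOrForeign++
        }
    }
    [pscustomobject]@{
        User           = $SamAccountName
        GroupCount     = $domainLocalOrForeign + $globalOrUniversal
        EstimatedBytes = 1200 + 40 * $domainLocalOrForeign + 8 * $globalOrUniversal
        # Default MaxTokenSize: 12000 bytes up to Windows 7 / Server 2008 R2, 48000 from Windows 8 / Server 2012.
    }
}

# Usage: how many groups Domain Users drags into every token, and one user's estimate.
(Get-GroupsContainingDomainUsers | Measure-Object).Count
Get-EstimatedTokenSize -SamAccountName 'jdoe'   # placeholder user
```

Removing Domain Users from the nesting groups shrinks the first list, and rerunning the estimate for a few users shows whether that alone brings tokens back under the limit before resorting to a MaxTokenSize GPO.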
5 Comments
 
LVL 17

Expert Comment

by:pjam
ID: 39717246
I prefer a flat file server folder setup. Each folder has a read/write and a read-only (RO) security group. No sub-folder security additions.
For example, Accounting and Accounting RO security groups, and the folder Accounting has those security groups added as well as Domain Admins.

If you start adding security in sub-folders it quickly gets complicated.
0
 

Author Comment

by:DITGUY
ID: 39717259
Thanks pjam. But what if you have a thousand users and want everyone to have access, and you have hundreds of shares? Do you literally add every user explicitly to the group for each share, or do you make the Domain Users or Authenticated Users group a member of that share's security group?
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 39717389
If you have a Company wide share that everyone needs to have access to (Read-Only) then adding Domain Users is acceptable. I would not be granting Domain Users permissions to directories or shares where they require modify or write permissions.

If other people need to have elevated privileges, create your groups and add the associated members accordingly. NTFS permissions go by the highest ACL, so even though someone is part of Domain Users and has Read-only access, if they are part of a group with higher ACL privileges then they will have the higher access level, with deny being the most authoritative.

This is why they have built-in groups so that you can use them in these situations and create your own specific groups when you want more granular access rights.

Will.
0
 

Accepted Solution

by:DITGUY
DITGUY earned 0 total points
ID: 39727580
I think we're going to have to break our security model in cases where a share needs access by everyone. We'll have to grant Authenticated Users or Domain users at that level and not use a security group.
0
 

Author Closing Comment

by:DITGUY
ID: 39931055
Authenticated Users seems the safer way to avoid using Domain Users in cases where read-write access is required for all company employees. Otherwise, creating security groups for small subsets on other shares should be used.
0
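The layered NTFS model Will describes, combined with the closing comment's choice of Authenticated Users for company-wide access, as an added example that is not part of the original thread: Authenticated Users gets read at the folder, a dedicated group gets modify, and admins keep full control. Because Authenticated Users is a well-known SID present in every logon token, granting through it adds no group to anyone's Kerberos token, unlike nesting Domain Users into a per-share group. The folder path and group names are placeholders.

```powershell
# Added example, not code from the original thread. Folder path and group names are placeholders;
# run from an elevated session on the file server with the SmbShare module available.
$Path          = 'D:\Shares\Accounting'                 # placeholder share folder
$RwGroup       = 'CONTOSO\Accounting'                   # placeholder read/write group (small subset)
$ReadPrincipal = 'NT AUTHORITY\Authenticated Users'     # company-wide read; excludes anonymous

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function New-Rule([string]$Identity, [string]$Rights, [string]$Type = 'Allow') {
    [System.Security.AccessControl.FileSystemAccessRule]::new($Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights, $inherit, $prop,
        [System.Security.AccessControl.AccessControlType]$Type)
}

$acl = Get-Acl -Path $Path
# Stop inheriting from the parent (inherited ACEs are dropped rather than copied) and
# clear any explicit ACEs so the folder carries only the rules defined here.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Read for everyone who authenticated; modify only for the dedicated group.
# NTFS evaluates the union of a user's Allow ACEs, so a member of $RwGroup gets Modify
# even though they also match Authenticated Users; an explicit Deny would win over both.
$acl.AddAccessRule((New-Rule $ReadPrincipal 'ReadAndExecute'))
$acl.AddAccessRule((New-Rule $RwGroup 'Modify'))
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Rule 'CONTOSO\Domain Admins' 'FullControl'))
Set-Acl -Path $Path -AclObject $acl

# Share-level permission stays broad; the NTFS ACL above is what actually limits write access.
Grant-SmbShareAccess -Name 'Accounting' -AccountName 'Authenticated Users' -AccessRight Change -Force

# Verify: no per-share group is needed for the read case, so no token growth for the read audience.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```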
