DITGUY
asked on
Best practices for Domain Users group membership
We have various resources where we want anyone in our domain to be able to access resources (file shares, etc.) and each share has a group in Active Directory for read access and another for write access.
Some previous admins had added the Domain Users group as a member of the security group for the shares (roughly 200). Thus now through inheritance every user in our AD domain is a member of that security group (though it doesn't show explicitly in their MemberOf field).
We've been told that many users are having authentication issues due to their Kerberos token size being too small. One obvious solution is to increase everyone's in AD via a GPO.
However the question I have is this: what is the best practice for granting domain users access to shares without using the Everyone group? We don't want anonymous access or non-authenticated users. Should we simply use the "Authenticated Users" and make that a member of these shares' security groups that control access? Or does that end up with the same effect as using Domain Users group?
Thanks!
ASKER
Thanks pjam. But what if you have a thousand users and want everyone to have access, and you have hundreds of shares? Do you literally add every user explicitly to the group for each share or do you make domain users or authenticated users group a member of that share's security group?
ASKER
Authenticated users seems the safer way to avoid using domain users in cases where read-write access is required for all company employees. Otherwise creating security groups for small subsets on other shares should be used.
For example, accounting & accounting RO security groups, and the folder accounting has those security groups added as well as Domain Admins.
If you start adding security in sub-folders it quickly gets complicated.
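
An added example, not part of the original thread: a read-only PowerShell audit of the situation described in the question. It lists every group that Domain Users has been nested into, then estimates one user's Kerberos token size with Microsoft's published formula (1200 + 40d + 8s). It assumes a single-domain forest, the RSAT ActiveDirectory module, and a hypothetical account name `jdoe`.

```powershell
# Read-only queries; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN: matches direct and nested membership.
$InChain = '1.2.840.113556.1.4.1941'

function Get-ContainingGroup {
    # All security groups that contain the given DN, directly or via nesting.
    # Assumption: the DN has no characters that need LDAP filter escaping.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    @(Get-ADGroup -LDAPFilter "(member:${InChain}:=$DistinguishedName)" |
        Where-Object GroupCategory -eq 'Security')
}

# 1. Where has Domain Users been nested? Each hit lands in every user's token.
$domainUsers = Get-ADGroup -Identity 'Domain Users'
$nestedInto  = Get-ContainingGroup -DistinguishedName $domainUsers.DistinguishedName
"Domain Users is a member of $($nestedInto.Count) security group(s)"
$nestedInto | Sort-Object Name | Select-Object Name, GroupScope | Format-Table -AutoSize

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties SIDHistory, PrimaryGroup

    # The primary group is not stored in 'member', so resolve it separately
    # together with everything it is nested into.
    $primary = Get-ADGroup -Identity $user.PrimaryGroup
    $groups  = @($primary) +
               (Get-ContainingGroup -DistinguishedName $primary.DistinguishedName) +
               (Get-ContainingGroup -DistinguishedName $user.DistinguishedName) |
               Sort-Object -Property DistinguishedName -Unique

    # d: domain local groups + SIDHistory entries (40 bytes each).
    # s: global groups + universal groups in the user's own domain (8 bytes each).
    # Single-domain assumption: every universal group is counted in s.
    $d = @($groups | Where-Object GroupScope -eq 'DomainLocal').Count + $user.SIDHistory.Count
    $s = @($groups | Where-Object GroupScope -ne 'DomainLocal').Count

    [pscustomobject]@{
        User          = $user.SamAccountName
        Groups        = @($groups).Count
        EstimatedSize = 1200 + (40 * $d) + (8 * $s)
    }
}

# Compare the estimate with MaxTokenSize: default 12000 up to Windows 7 /
# Server 2008 R2, 48000 from Windows 8 / Server 2012 onward.
Get-EstimatedTokenSize -SamAccountName 'jdoe'   # hypothetical account name
```

Authenticated Users is a well-known identity added at logon rather than an AD group with stored members, so granting it directly on the share or NTFS ACL does not add a nested group per share to each user's token.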