Solved

Best practices for Domain Users group membership

Posted on 2013-12-13
1,004 Views
Last Modified: 2014-03-15
We have various resources where we want anyone in our domain to be able to access resources (file shares, etc.), and each share has a group in Active Directory for read access and another for write access.

Some previous admins had added the Domain Users group as a member of the security group for the shares (roughly 200). Thus now through inheritance every user in our AD domain is a member of that security group (though it doesn't show explicitly in their MemberOf field).

We've been told that many users are having authentication issues due to their Kerberos token size being too small. One obvious solution is to increase everyone's in AD via a GPO.

However, the question I have is this: what is the best practice for granting domain users access to shares without using the Everyone group? We don't want anonymous access or non-authenticated users. Should we simply use "Authenticated Users" and make that a member of these shares' security groups that control access? Or does that end up with the same effect as using the Domain Users group?

Thanks!
Question by:DITGUY
5 Comments
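An added audit script (PowerShell; not code from the thread or from any of its posters) that lists the groups nesting Domain Users directly and estimates a user's Kerberos token size with the formula from Microsoft KB 327825. It assumes the RSAT ActiveDirectory module, a single domain, users keeping the default primary group, and a placeholder account name 'jdoe'.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# a domain-joined session, a single domain, and the default primary group
# (Domain Users). Estimate per KB 327825: TokenSize = 1200 + 40d + 8s
# (d = domain local groups, s = global/universal groups); SID history ignored.
Import-Module ActiveDirectory

$chainRule   = '1.2.840.113556.1.4.1941'   # LDAP_MATCHING_RULE_IN_CHAIN (transitive)
$domainUsers = Get-ADGroup -Identity 'Domain Users'

# 1. Which groups list Domain Users as a direct member? Each of them lands in
#    every user's token even though it never shows in the user's memberOf.
$nesting = @(Get-ADGroup -LDAPFilter "(member=$($domainUsers.DistinguishedName))")
"{0} groups contain Domain Users directly:" -f $nesting.Count
$nesting | Sort-Object Name | Format-Table Name, GroupScope -AutoSize

# 2. Estimate one user's token size, including groups reached only via Domain Users.
function Get-TokenSizeEstimate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $userDn = (Get-ADUser -Identity $SamAccountName).DistinguishedName

    # Groups reached transitively through the user's own 'member' links...
    $viaMember = @(Get-ADGroup -LDAPFilter "(member:$chainRule:=$userDn)")
    # ...plus groups reached through the primary group. The chain query on the
    # user misses these: primary-group membership lives in primaryGroupID, not
    # in the group's 'member' attribute.
    $viaPrimary = @(Get-ADGroup -LDAPFilter "(member:$chainRule:=$($domainUsers.DistinguishedName))")

    $groups = @(@($domainUsers) + $viaMember + $viaPrimary | Sort-Object DistinguishedName -Unique)
    $hidden = @($viaPrimary | Where-Object { $viaMember.DistinguishedName -notcontains $_.DistinguishedName })

    $d = @($groups | Where-Object { $_.GroupScope -eq 'DomainLocal' }).Count
    $s = @($groups | Where-Object { $_.GroupScope -ne 'DomainLocal' }).Count
    $bytes = 1200 + 40 * $d + 8 * $s

    [pscustomobject]@{
        User             = $SamAccountName
        GroupCount       = $groups.Count
        OnlyViaDomainUsers = $hidden.Count
        EstimatedBytes   = $bytes
        # 12000 bytes is the MaxTokenSize default before Windows 8 / Server 2012;
        # 48000 is the newer default. Raising it via GPO treats the symptom only.
        ExceedsLegacyMax = ($bytes -gt 12000)
    }
}

Get-TokenSizeEstimate -SamAccountName 'jdoe'   # 'jdoe' is a placeholder account
```

Run it for a few ordinary users: a high OnlyViaDomainUsers count is exactly the nested-membership problem described in the question, and un-nesting those groups shrinks every token at once.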
 
LVL 17

Expert Comment

by:pjam
ID: 39717246
I prefer a flat file server folder setup. Each folder has a read/write and a read-only (RO) security group. No sub-folder security additions.
For example, Accounting & Accounting RO security groups, and the folder Accounting has those security groups added as well as Domain Admins.

If you start adding security in sub-folders it quickly gets complicated.

Author Comment

by:DITGUY
ID: 39717259
Thanks pjam. But what if you have a thousand users and want everyone to have access, and you have hundreds of shares? Do you literally add every user explicitly to the group for each share, or do you make the Domain Users or Authenticated Users group a member of that share's security group?
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 39717389
If you have a Company wide share that everyone needs to have access to (Read-Only) then adding Domain Users is acceptable. I would not be granting Domain Users permissions to directories or shares where they require modify or write permissions.

If other people need to have elevated privileges, create your groups and add the associated members accordingly. NTFS permissions go by the highest ACL, so even though someone is part of Domain Users and has Read-only access, if they are part of a group with higher ACL privileges then they will have the higher access level, with deny being the most authoritative.

This is why they have built-in groups so that you can use them in these situations and create your own specific groups when you want more granular access rights.

Will.

Accepted Solution

by:DITGUY
DITGUY earned 0 total points
ID: 39727580
I think we're going to have to break our security model in cases where a share needs access by everyone. We'll have to grant Authenticated Users or Domain Users at that level and not use a security group.

Author Closing Comment

by:DITGUY
ID: 39931055
Authenticated Users seems the safer way to avoid using Domain Users in cases where read-write access is required for all company employees. Otherwise, creating security groups for small subsets on other shares should be used.