Solved

Best practices for Domain Users group membership

Posted on 2013-12-13
945 Views
Last Modified: 2014-03-15
We have various resources (file shares, etc.) that we want anyone in our domain to be able to access, and each share has a group in Active Directory for read access and another for write access.

Some previous admins had added the Domain Users group as a member of the security group for the shares (roughly 200). Thus, now, through inheritance, every user in our AD domain is a member of those security groups (though it doesn't show explicitly in their MemberOf field).

We've been told that many users are having authentication issues due to their Kerberos token size being too small. One obvious solution is to increase everyone's in AD via a GPO.

However, the question I have is this: what is the best practice for granting domain users access to shares without using the Everyone group? We don't want anonymous access or non-authenticated users. Should we simply use "Authenticated Users" and make that a member of these shares' security groups that control access? Or does that end up with the same effect as using the Domain Users group?

Thanks!
Question by:DITGUY
5 Comments
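The two checks the question calls for, as an added PowerShell example (not code from this thread): which groups Domain Users is nested into, i.e. the groups every account in the domain silently carries a SID for, and an estimate of one user's Kerberos token size. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name 'jdoe' is a placeholder. The size estimate uses the formula from Microsoft KB 327825 (1200 + 40d + 8s bytes) and is meant to be compared with MaxTokenSize, which defaults to 12000 bytes before Windows 8/Server 2012 and 48000 bytes from those versions on. Raising MaxTokenSize by GPO treats the symptom; the nesting inventory shows the cause.

```powershell
# Added example, not from the original thread. Requires the RSAT ActiveDirectory module
# and a domain-joined host. The sample account name 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$domainUsers = Get-ADGroup -Identity 'Domain Users'

# OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk nested
# membership server-side, so this returns every group that contains Domain Users either
# directly or through another group. Every domain user carries a SID for each of these.
$filter   = "(member:1.2.840.113556.1.4.1941:=$($domainUsers.DistinguishedName))"
$nestedIn = @(Get-ADGroup -LDAPFilter $filter -Properties GroupScope)

"Domain Users is (transitively) a member of $($nestedIn.Count) groups"
$nestedIn | Sort-Object GroupScope, Name | Format-Table Name, GroupScope -AutoSize

# Estimate one user's Kerberos token size from the SIDs in tokenGroups. tokenGroups is a
# constructed attribute that the DC only computes on a base-scope read of the object,
# hence RefreshCache on a DirectoryEntry instead of Get-ADUser -Properties.
function Get-TokenSizeEstimate {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))

    $d = 0   # domain local groups, groups from other domains, SID-history entries (40 bytes each)
    $s = 0   # global and universal groups in the account's own domain (8 bytes each)
    foreach ($raw in $entry.Properties['tokenGroups']) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
        try {
            $g = Get-ADGroup -Identity $sid.Value
            if ($g.GroupScope -eq 'DomainLocal') { $d++ } else { $s++ }
        } catch {
            # Not resolvable as a group in this domain (foreign domain or SID history):
            # count it at the larger weight so the estimate errs on the high side.
            $d++
        }
    }

    # Formula from Microsoft KB 327825. Compare EstimatedBytes with MaxTokenSize
    # (12000 by default before Windows 8/Server 2012, 48000 from those versions on).
    [pscustomobject]@{
        User           = $SamAccountName
        GroupSids      = $d + $s
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
    }
}

Get-TokenSizeEstimate -SamAccountName 'jdoe'
```

Run the first part against the domain as a whole and the function against a few representative accounts; a large GroupSids count for an ordinary user that is mostly explained by the nested list above is the signature of the problem the question describes.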
 
LVL 17

Expert Comment

by:pjam
ID: 39717246
I prefer a flat file server folder setup. Each folder has a read/write and a read-only (RO) security group. No sub-folder security additions.
For example, "accounting" and "accounting RO" security groups, and the folder accounting has those security groups added, as well as Domain Admins.

If you start adding security in sub-folders it quickly gets complicated.

Author Comment

by:DITGUY
ID: 39717259
Thanks pjam. But what if you have a thousand users and want everyone to have access, and you have hundreds of shares? Do you literally add every user explicitly to the group for each share, or do you make the Domain Users or Authenticated Users group a member of that share's security group?
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 39717389
If you have a Company wide share that everyone needs to have access to (Read-Only) then adding Domain Users is acceptable. I would not be granting Domain Users permissions to directories or shares where they require modify or write permissions.

If other people need to have elevated privileges, create your groups and add the associated members accordingly. NTFS permissions go by the highest ACL, so even though someone is part of Domain Users and has read-only access, if they are part of a group with higher ACL privileges then they will have the higher access level, with deny being the most authoritative.

This is why they have built-in groups so that you can use them in these situations and create your own specific groups when you want more granular access rights.

Will.
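The permission model described in the answer above, as an added PowerShell example that is not code from this thread: Authenticated Users gets read, a dedicated group gets modify, administrators keep full control, and one Deny ACE shows that deny wins over any allow a user also holds. The path and the CORP\... group names are placeholders. Authenticated Users (S-1-5-11) is a well-known identity that LSA adds to every authenticated logon token rather than a group object in AD, so it adds no group SID to the Kerberos PAC, but it also covers computer accounts and users from trusted domains, which Domain Users does not.

```powershell
# Added example, not from the original thread. Run elevated on the file server.
# $path and the CORP\... group names are placeholders.
$path      = 'D:\Shares\Company'
$rwGroup   = 'CORP\Share-Company-RW'       # hypothetical group allowed to modify content
$denyGroup = 'CORP\Share-Company-NoWrite'  # hypothetical group that must never write

New-Item -ItemType Directory -Path $path -Force | Out-Null

$acl = Get-Acl -Path $path
# Stop inheriting from the parent and drop inherited ACEs, so the ACL below is the whole story.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $Rights, $inherit, $prop, $Type)
}

# Everyone who authenticated gets read only. No Everyone ACE, so no anonymous/guest access.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'Allow'))
# Write access lives on a dedicated group, never on Domain Users or Authenticated Users.
$acl.AddAccessRule((New-Ace $rwGroup 'Modify' 'Allow'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'Allow'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'Allow'))
# Deny ACEs sort before Allow ACEs in canonical order and are evaluated first, so a user
# who is in both $rwGroup and $denyGroup is left with read only.
$acl.AddAccessRule((New-Ace $denyGroup 'Write' 'Deny'))

Set-Acl -Path $path -AclObject $acl

# Verify: every entry should be explicit (IsInherited = False) and match the list above.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

The SMB share permission is evaluated separately from these NTFS ACEs and the more restrictive of the two wins; the usual pattern is to keep the share permission broad (Authenticated Users, Change or Full) and let the NTFS ACL above decide who can actually write.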
 

Accepted Solution

by:DITGUY
DITGUY earned 0 total points
ID: 39727580
I think we're going to have to break our security model in cases where a share needs access by everyone. We'll have to grant Authenticated Users or Domain users at that level and not use a security group.

Author Closing Comment

by:DITGUY
ID: 39931055
Authenticated Users seems the safer way to avoid using Domain Users in cases where read-write access is required for all company employees. Otherwise, creating security groups for small subsets on other shares should be used.