Garry Shape
asked on
Any suggestions for Security Group OU structure in AD (Role based access)
I'm trying to think of an easy way, without being over-complicated, to organize OUs in AD to manage security groups.
Here's what I'm looking at now:
Does anyone else organize similar to that?
The idea of Groups > Access > File > Servers would be that I create a security group called something like "ACL_Server1_inetpub_write", and then add that group to have write access to C:\inetpub on "Server1".
Versus giving a user local Admin rights entirely to Server1.
Then I could have a Role Group called "Server1 Web Editors", which would be a member of ACL_Server1_inetpub_write.
Am I over-complicating Role Based Access, given this idea, OU structure and naming convention?
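The nesting described in the question, written out as an added example that is not part of the original post or of any answer in the thread. The domain `example.com`, its NetBIOS name `EXAMPLE`, the `Roles` OU and the choice of the Modify right for "write" are assumptions; the group names, server name and path come from the question.

```powershell
# Added example: resource (ACL) group + role group, nested as the question describes.
# Requires the RSAT ActiveDirectory module and rights to create groups in the OUs below.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=com'                                  # placeholder domain (assumption)
$accessOu = "OU=Servers,OU=File,OU=Access,OU=Groups,$domainDn"   # Groups > Access > File > Servers
$roleOu   = "OU=Roles,OU=Groups,$domainDn"                       # assumed OU for role groups

# Resource group: domain local, used only on the ACL of C:\inetpub on Server1.
New-ADGroup -Name 'ACL_Server1_inetpub_write' -GroupScope DomainLocal `
    -GroupCategory Security -Path $accessOu `
    -Description 'Modify on C:\inetpub on Server1'

# Role group: global, holds the user accounts that perform the role.
New-ADGroup -Name 'Server1 Web Editors' -GroupScope Global `
    -GroupCategory Security -Path $roleOu `
    -Description 'Staff who edit web content on Server1'

# The role group becomes a member of the resource group; users are only ever
# added to the role group, never directly to the ACL_ group or to the folder ACL.
Add-ADGroupMember -Identity 'ACL_Server1_inetpub_write' -Members 'Server1 Web Editors'

# Grant the resource group access on the folder itself, instead of local Admin on Server1.
Invoke-Command -ComputerName 'Server1' -ScriptBlock {
    $path = 'C:\inetpub'
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'EXAMPLE\ACL_Server1_inetpub_write',   # NetBIOS domain name is a placeholder
        'Modify',                              # this example's reading of "write"
        'ContainerInherit,ObjectInherit',      # apply to subfolders and files
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit: the ACL group should contain role groups only, no individual users.
Get-ADGroupMember -Identity 'ACL_Server1_inetpub_write' |
    Select-Object Name, objectClass
```

Any `user` object showing up in the final query is a direct assignment that bypasses the role group and is worth reviewing.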
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
Hey that's interesting. So it allows like editing the webpages?
The user was going to get RDP into the server, but this solution is a workaround to that?
ASKER
Also I'm not organizing OU by security group, I'm organizing Security Group by OU.
I will have other OUs for users and computers.
SOLUTION
ASKER
The environment is a school. A couple hundred staff, a couple thousand students, ultimately. No security groups for the student body yet. I'm not sure if I need one for them. I'm thinking maybe just a "Student" security group, and Deny it logon access to staff computers.