Solved

Any suggestions for Security Group OU structure in AD (Role based access)

Posted on 2016-07-29
6
77 Views
Last Modified: 2016-08-04
I'm trying to think of an easy way without being over-complicated, to organize OU in AD to manage security groups.
Here's what I'm looking at now:
partial OU screenshot
Does anyone else organize similar to that?

The idea of Groups > Access > File > Servers, would be that I create a security group called something like "ACL_Server1_inetpub_write", and then add that group to have write access to C:\inetpub on "Server1".
Versus giving a user local Admin rights entirely to Server1.

Then I could have a Role Group called "Server1 Web Editors", which would be a member of ACL_Server1_inetpub_write.
Am I over-complicating Role Based Access, given this idea, OU structure and naming convention?
0
Comment
Question by:garryshape
  • 3
  • 3
6 Comments
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 41735345
You really don't want to be organizing your AD OU's by security group.  That would be difficult to manage in the long term.

In order to give you advice though, it would be helpful to know more about your environment.  How many users, what industry, how many physical locations?
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 41735348
By the way -- you never have to give a user local administrator rights on a server for them to manage IIS.

Instead, they just need to install the IIS Management Console on their own computer.

http://www.iis.net/downloads/microsoft/iis-manager

And if it's IIS 8, see this how-to:  http://www.sherweb.com/blog/configure-iis-8-remote-administration/
0
 

Author Comment

by:garryshape
ID: 41735349
I got the idea from this video, at this timestamp you can see a similar OU structure; https://youtu.be/vvhwN5bOyV8?t=1370   

The environment is school. Couple hundred staff, couple thousand student, ultimately. no security groups for the student body yet. I'm not sure if I need one for them. Im' thinking maybe just a "Student" security group, and Deny it logon access to staff computers.
0
Free camera licenses with purchase of My Cloud NAS

Milestone Arcus software is compatible with thousands of industry-leading cameras for added flexibility. Upon installation on your My Cloud NAS, you will receive two (2) camera licenses already enabled in the software. And for a limited time, get additional camera licenses FREE.

 

Author Comment

by:garryshape
ID: 41735352
Hey that's interesting. So it allows like editing the webpages?
The user was going to get RDP into the server, but this solution is a workaround to that?
0
 

Author Comment

by:garryshape
ID: 41735391
Also I'm not organizing OU by security group, I'm organizing Security Group by OU.  
I will have other OU's for users and computers
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 41743474
Hey that's interesting. So it allows like editing the webpages?
The user was going to get RDP into the server, but this solution is a workaround to that?

Yes.  There is no reason for someone who just needs to administer IIS and web sites to have full access to the entire server.  They can install the IIS Admin Tools on their own computer, connect to the web server and do whatever they need to do within the confines of IIS.

So, I fully understand where you got the idea -- but I think -- as you had also thought -- Role Based Access may actually over-complicate things for you.  I don't think that your scenario will benefit that much from RBAC.  Especially now that you know about things like IIS Remote Management.  

Basic security groups coupled with a well managed Group Policy should provide you with everything you need to keep things under control.  

One thing to remember is that the more complex something is to manage, the less likely it will be managed at all.
1

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Destination host unreachable 12 69
Super Scope, DHCP 5 53
block folder inheritance 4 35
Big Problem with Redirected Folder 8 7
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now