documenting purpose of AD security groups

Are there any specific best practices you follow when documenting security groups in AD, e.g. what membership of such a group actually permits? Without having to dig through file servers etc., a group name on its own is not of much use. So I wondered what type of information you record about each security group, and where you store that information.
pma111 Asked:
 
arnold Commented:
The group name and description should be detailed and should convey its purpose.
The other option is to have a naming convention.
The scope of your need might be more elaborate; that would be included in your environment's documentation, possibly using Visio or similar rendering.
 
Alan (Consultant) Commented:
Hi,

I always try to enforce a naming convention, with the end of the name being 'free form' to give more information on purpose etc.

I also try to make extensive notes in the 'notes' section of the group properties in AD, including always:

Date / Time:  Who created or amended / Detailed notes on why the group was created, and I put new notes at the top.

For example:


20171107-2140 (Alan):  Added John Smith per email from Edna Jones (HR Manager) (20171107 - 1054 - Please add John to HR group.msg)

20170131-1345 (Alan):  Group created to give access to //ServerName/ShareName/HR folder

I also file emails in folders (network drives, as well as in Exchange), hence the reference to an msg file, but that could easily be a scan of a hardcopy form, or a fax (rare these days), or a voice recording.


I have been very grateful to my past self numerous times for the notes I created at the time!


Alan.
 
Pete Long (Technical Consultant) Commented:
I name all mine

GP-U-{sensible name}
GP-G-{sensible name}
GP-D-{sensible name}

For universal, global and domain local, and I put something descriptive in the 'description' field, as that's what's visible when you browse AD

i.e. 'Group for read only access to folder xyzy created xx/xx/xx by PeteLong'

Also I don't use spaces, so things are a bit easier if I need to script anything!

P
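One way to check that groups actually carry the documentation described in the answers above (Pete Long's scope prefixes and description field, Alan's dated notes), as an added example that is not part of the original thread. The function name `Test-GroupDocumentation`, the note-header pattern and the sample groups are assumptions constructed for illustration; the Notes box of the group properties is read from the `info` attribute.

```powershell
# Added example: audits group documentation against the conventions in this thread.
# Scope prefixes follow the GP-U / GP-G / GP-D scheme from Pete Long's answer.
$PrefixForScope = @{ Universal = 'GP-U-'; Global = 'GP-G-'; DomainLocal = 'GP-D-' }
# Assumed header pattern for Alan's note entries: yyyyMMdd-HHmm (Name):
$NoteHeader = '^(\d{8}-\d{4}) \([^)]+\):'

function Test-GroupDocumentation {
    param([Parameter(ValueFromPipeline)] $Group)
    process {
        $issues = @()
        $prefix = $PrefixForScope["$($Group.GroupScope)"]
        if (-not $prefix -or -not $Group.Name.StartsWith($prefix)) {
            $issues += "name lacks the prefix for scope $($Group.GroupScope)"
        }
        if ($Group.Name -match '\s') { $issues += 'name contains spaces' }
        if ([string]::IsNullOrWhiteSpace($Group.Description)) { $issues += 'description is empty' }
        # The Notes box in AD Users and Computers is stored in the 'info' attribute.
        $stamps = @("$($Group.info)" -split "\r?\n" |
            ForEach-Object { if ($_ -match $NoteHeader) { $Matches[1] } })
        if ($stamps.Count -eq 0) { $issues += 'notes have no dated entries' }
        elseif ((($stamps | Sort-Object -Descending) -join ',') -ne ($stamps -join ',')) {
            $issues += 'note entries are not newest-first'
        }
        [pscustomobject]@{ Name = $Group.Name; Documented = ($issues.Count -eq 0); Issues = $issues -join '; ' }
    }
}

# Constructed sample objects using the property names Get-ADGroup returns.
$sample = @(
    [pscustomobject]@{
        Name        = 'GP-G-HR-Share'
        GroupScope  = 'Global'
        Description = 'Group for access to the HR folder, created xx/xx/xx by Alan'
        info        = "20171107-2140 (Alan):  Added John Smith per email from Edna Jones`r`n" +
                      "20170131-1345 (Alan):  Group created to give access to //ServerName/ShareName/HR folder"
    }
    [pscustomobject]@{ Name = 'HR Managers'; GroupScope = 'DomainLocal'; Description = ''; info = '' }
)
$sample | Test-GroupDocumentation | Format-List

# Against a live domain (requires the ActiveDirectory module):
# Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Description, info | Test-GroupDocumentation
```

The first sample group passes all checks; the second is reported for a missing prefix, a space in the name, an empty description and empty notes.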
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
Reduce groups by using role groups and delegation groups
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
 
Alan (Consultant) Commented:
Good advice offered
Question has a verified solution.
