The company I’m currently at doesn’t have any real policies around network groups for directory access and what not. The Help Desk just creates groups willy-nilly and it is like the Wild-Wild West here. Needless to say, it makes my life in trying to get Role-based security setup hell. I’m looking for insight on how other companies/security departments manage groups. Who creates? Manages? Approves? etc. Thanks!
Really depends on size of company/IT staff, but I would never allow Help Desk staff that power. In one place I worked (80,000+ users, mind you), there was a department specifically tasked with User Administration. Where I am at now, my team handles this, a role reserved for only Domain Admins. One thing is for certain, if there isn’t a clearly defined structure and vision for what it should look like, it will go to poopy really fast, and it is a nightmare trying to untangle it afterwards. Good luck!
Yeah. It is a nightmare! We have about 600 employees and a Helpdesk of 2 people.
All comes down to your organization. If RBAC is in place, who understands the structure of the setup? Are there any relevant stakeholders (IT management, business managers, etc.) who should be consulted when the security structure is modified? Who has the appropriate security permissions to create the groups?
So you and one other person are setting up AD groups?
No, 2 people in the Help Desk doing the groups. I’m a new addition to the company’s infant Security team and trying to get my head around best practices and what other companies do.
bfox
Your network Administrator should be the owner of all things Active Directory including groups and users. Help desk personnel are usually only permitted to change attributes of a user like address, name and reset passwords.
For every file share I have protected I have a group that gives permissions to it. Every share (and subfolder, if they are also restricted) has its own group.
I also have Classification groups like Finance, Teachers, Students, etc… I nest these groups in my file share groups to grant access to the folders.
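The share-group plus classification-group nesting described in this post can be scripted so the pattern is enforced rather than remembered. The PowerShell below is an added example, not code from the thread or from any poster; it assumes the RSAT ActiveDirectory module, a placeholder domain `EXAMPLE` with a groups OU `OU=Groups,DC=example,DC=local`, and a placeholder share at `\\fs01\Finance`. All of those names are assumptions to be replaced. It creates one domain-local group per permission level on the share, one global classification group per population, nests the classification groups into the share groups, applies the share groups to the folder ACL, and finishes with two checks: an effective-access listing and a report of groups in the OU that do not follow the naming convention.

```powershell
# Added example (not from the thread). Placeholders: domain, OU and share path.
Import-Module ActiveDirectory

$Domain    = 'EXAMPLE'                          # placeholder NetBIOS domain name
$GroupOU   = 'OU=Groups,DC=example,DC=local'    # placeholder OU for all access groups
$SharePath = '\\fs01\Finance'                   # placeholder protected share

# Share (resource) groups: one per folder and permission level, domain-local scope.
# Key = group name, Value = FileSystemRights granted on the folder.
$ShareGroups = @{
    'ACL_Finance_Modify' = 'Modify'
    'ACL_Finance_Read'   = 'ReadAndExecute'
}

# Classification (role) groups: who people are, global scope. Never placed on ACLs directly.
$RoleGroups = @('Role_Finance', 'Role_Teachers')

# Which classification groups are nested into which share group.
$Nesting = @{
    'ACL_Finance_Modify' = @('Role_Finance')
    'ACL_Finance_Read'   = @('Role_Teachers')
}

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Description)
    # Idempotent: re-running the script does not error on existing groups.
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $Name -Path $GroupOU -GroupScope $Scope `
                    -GroupCategory Security -Description $Description
    }
}

# 1. Create the groups.
foreach ($name in $ShareGroups.Keys) {
    New-GroupIfMissing -Name $name -Scope DomainLocal -Description "Grants $($ShareGroups[$name]) on $SharePath"
}
foreach ($name in $RoleGroups) {
    New-GroupIfMissing -Name $name -Scope Global -Description 'Classification group; nest into ACL_* groups only'
}

# 2. Nest classification groups into share groups (Add-ADGroupMember ignores existing members).
foreach ($shareGroup in $Nesting.Keys) {
    Add-ADGroupMember -Identity $shareGroup -Members $Nesting[$shareGroup]
}

# 3. Put only the share groups on the folder ACL. Existing entries are left in place;
#    inheritance is not changed here so nothing is locked out by the script.
$acl = Get-Acl -Path $SharePath
foreach ($entry in $ShareGroups.GetEnumerator()) {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$Domain\$($entry.Key)",
        [System.Security.AccessControl.FileSystemRights]$entry.Value,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SharePath -AclObject $acl

# 4. Check: who effectively reaches the share through the nesting.
foreach ($shareGroup in $ShareGroups.Keys) {
    Write-Host "Effective members of $shareGroup ($($ShareGroups[$shareGroup])):"
    Get-ADGroupMember -Identity $shareGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
}

# 5. Check: groups in the OU that ignore the ACL_/Role_ convention (candidates for cleanup).
$offConvention = Get-ADGroup -Filter * -SearchBase $GroupOU |
    Where-Object { $_.Name -notmatch '^(ACL|Role)_' }
if ($offConvention) {
    Write-Warning "Groups outside the naming convention in ${GroupOU}:"
    $offConvention | Select-Object -ExpandProperty Name
}
```

Run it from an account that is allowed to create groups in the OU and to change the folder's ACL; the Help Desk account used for day-to-day user changes should not be able to do either, which is the point of separating the two roles. The last check is the one worth scheduling, since groups created outside the pattern are what make a later role-based cleanup painful.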
Bud-G (Bud G.)
Groups were decided long ago. It’s functional groups. So if you are a technical writer, you have full access to the Technical Writer drive. Others, non-writers, may be given read access. By default, unless you have a reason to be a part of the group, you are denied.
Who gets what is initially defined by their respective manager. Someone outside of accounting may not need to see the accounting share. But if they or their manager says they do, then the manager of the accounting share has to bless it. And we need our paper trail for the ticket.