Following Best Practices Help

Discussion in 'Training & Development' started by michael78, Mar 23, 2011.

  1. michael78

    Guys, for following best practice, especially on MS products, what does everyone follow, or how do you find out best practice? Do you use whitepapers on TechNet? The reason I ask is I always thought I knew, say, AD pretty well, and all the companies I've worked for have pretty much set AD up the way I've always been used to using it. Now I'm working for a new manager who is heavily into best practice, and I was told the way I've always set up groups for NTFS permissions isn't best practice. This got me thinking that whilst I've done my AD MCTS exam, it never really teaches you best practices as such (or at least I can't remember it doing so).
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  2. greenbrucelee
    Was the manager saying leave individual permissions alone and just use NTFS?

    I just do it the way I learned in the MS Press books and I follow everything else by what the company says. Sometimes they don't like you looking at TechNet whilst secretly looking at CF :D
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. michael78

    Basically creating local groups and assigning permissions to the folder via the created local group and then creating a global group and adding the users to that and making the global group a member of the local group. Then giving full share permissions to everyone to the folder.

    I suppose it's where do you read up on best practice for various MS technologies.
     
  4. simongrahamuk
    I have always found that the best practice is the one that works. Or in other words offers the least complex method to achieve the desired solution.

    Regardless of what anyone says if a solution is effective for what you need it for then you are implementing the most effective practice.
     
  5. Shinigami

    First of all, MCS is trying to get rid of the nomenclature "best practices", because it can sometimes give the false idea that no other method can possibly be better.
    Every company is different and unique in their own way. What works for one, may not work for another. Thus, we are trying to use the new wording of "recommended practices" in current documentation and when speaking with customers.

    Regarding "recommended practices" of group membership, yes, the typical manner in how you do things would be the AGLP method. But this doesn't mean you MUST create local groups on the servers. In fact, few do simply because it's a lot of work (unless you're talking about the default built-in groups such as Administrators, in which case use them when you can). If one followed the TechNet wording or recommended practices to the letter, you would end up placing users in a global group, the global group would be in another global group, which in turn might be in a Universal Group, and this UG could be in another UG, which is then placed into a Local Group on the server, which in turn is placed on the share. But my my what a long list of steps to worry about.

    But in practice you should follow the KISS principle! Keep it Super Simple.

    Ditch the local groups, just make groups in AD. Add users to the AD group, and the AD group on the share.
    And the reason for leaving the share permissions with full rights to the Everyone group is a recommended practice because it follows the KISS principle. The NTFS permissions take precedence in defining who has access (so giving Everyone Full Access on the Share should not be taken literally) and so you limit your rights management only to that one tab (the NTFS permissions tab). One less area (Share permissions) to worry about.

    And if you think that you're being clever by replacing Everyone with Authenticated Users thinking this is more restrictive than Everyone, then you're wrong and it is in fact NOT a recommended practice. Look it up if confused.
     
    Certifications: MCSE, MCITP, MCDST, MOS, CIW, Comptia
    WIP: Win7/Lync2010/MCM
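
The simplified layout described in the reply above (one AD group on the folder's NTFS ACL, Everyone with Full Control on the share), as an added PowerShell example that is not part of the original thread. The group, OU, folder, share and member names are hypothetical; it assumes the ActiveDirectory and SmbShare modules (Windows Server 2012 or later), an administrator account in the users' domain, and that the group and share do not exist yet.

```powershell
Import-Module ActiveDirectory

# Hypothetical names, chosen for this example only.
$GroupName = 'FS-Finance-Modify'
$GroupOU   = 'OU=Groups,DC=example,DC=com'
$Folder    = 'D:\Shares\Finance'
$ShareName = 'Finance'
$Members   = 'alice', 'bob'          # sAMAccountNames of the users

# 1. Users go into an AD group; the group is the only thing placed on the folder.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. NTFS is where access is actually decided: drop inherited ACEs and grant
#    Full Control to admins/SYSTEM and Modify to the AD group.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'BUILTIN\Administrators';        Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';           Rights = 'FullControl' },
    @{ Id = "$env:USERDOMAIN\$GroupName";    Rights = 'Modify' }      # assumes same domain
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $noProp, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# 3. Share permissions stay wide open; the effective access over the network is
#    the more restrictive of share and NTFS, so NTFS does the limiting.
New-SmbShare -Name $ShareName -Path $Folder -FullAccess 'Everyone' | Out-Null

# 4. Check: list any ACE granted directly to a user account instead of a group.
(Get-Acl -Path $Folder).Access | Where-Object {
    $sam = ($_.IdentityReference.Value -split '\\')[-1]
    Get-ADUser -Filter "SamAccountName -eq '$sam'"
} | Select-Object IdentityReference, FileSystemRights
```

An empty result from step 4 means every entry on the folder is a group, so access changes are made by editing group membership only.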
  6. michael78

    Yeah, he is implementing the AGLP method, which until now I would never have done and no company I have worked for has implemented (some multinational companies as well). He is very clued up on best practice and this made me think, have I been doing things wrong all this time? But again, I have heard of KISS as well. Personally I thought the AGLP method was overkill. I didn't think there was a set standard in implementation as all companies are different, hence the question.
     
  7. michael78

    snap mate.
     
  8. Shinigami

    Overkill?

    Hmmm... tell me then, how have you and the other companies (and the multinationals) implemented this then? I hope they haven't tried placing individual users on NTFS permissions, or doing things the other way around as was the norm in NT4 (i.e. Everyone access on the NTFS permissions, and individual users on the shares). Because those are both cumbersome, wrong, as well as dangerous practices.

    Just curious, it could simply be a misunderstanding on my part regarding what you're trying to convey and your previous companies in question may simply have done things in a way which IS supported, but not the "recommended practice" as portrayed by your new boss.
     
  9. michael78

    No, I would never assign users permissions to folders directly, always through a group, and assign permissions to that group. What I meant by overkill is creating and assigning a local group permissions to a folder and then creating a global group and adding the users to that and then making the global group a member of the local group. I would however give the Everyone group full share permissions as NTFS would restrict access.

    I suppose the issue I'm getting at is that following one company's setup can have an impact on you if you turn up to an interview and the manager starts asking about, say, this example of implementing NTFS permissions and starts asking about best practice. This got me thinking, where do people find out what is best practice? Whilst study gains you the knowledge of implementing technology, it doesn't really go into saying it should be done this way or that. That's why I suppose I was asking, do Microsoft and other companies set out best practice, and if so, how do you find out what is best practice?
     
  10. Shinigami

    I hear you :)

    The local groups are not wrong, just more work, and more work is sometimes against recommended practices ;) Ask your boss to show the TechNet article that clearly states one should do them, I'd be interested in seeing which one he referred to.

    It can be ok to use this if some token overload is expected, but unlikely unless your company is really large.
     
  11. michael78

    The reason I bring it up is he was interviewing and said this person didn't know about best practice, so I don't think they got through to the next stage. This made me think, am I meant to be using best practice methods to a tee, and where do I find out what is best practice for Exchange, AD and such? I suppose my question has been answered by yourself and other answers on this thread: that you use KISS and every company is different. I suppose it's a relief that I haven't been doing AD administration wrong all these years.
     
  12. kevicho

    Has the company defined a best practice method and documented it?

    Yeah, the AGDLP is what I remember reading was a Microsoft way of doing it in the books, but really you have to set your own standard; as long as it is uniform across the company then it doesn't have to be done MS's way (unless you are running multiple domains, then if so why reinvent the wheel).
     
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal
  13. Apexes

    Hmm.

    I've always created a group in AD, in the respective OU for a site, added the members, whacked that group onto the folder. Job done.
     
    Certifications: 70-243 MCTS: ConfigMgr 2012 | MCSE: Private Cloud
  14. michael78

    Snap with the exception of giving the everyone group full share permissions as well.
     
  15. michael78

    New manager mate so he hasn't defined anything as of yet. He is a nice guy and really does know his stuff but I suppose if he has come from a business that has implemented best practices set out by MS then he is going to implement it here. I just want to know if people follow Best Practice as a ehh best practice :biggrin
     
  16. Shinigami

    Just follow the recommended practices whenever you can. If it doesn't work for your particular company, then it's an exception and you'll just have to work around it and define your "own" preferred practice :)
     
  17. michael78

    Cheers for the replies all :biggrin
     
