Following Best Practices Help

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Guys for following best practice especially on MS products what does everyone follow or how do you find out best practice? Do you use whitepapers on technet? Reason I ask is I always thought I knew say AD pretty well and all the companies I've worked for have pretty much set AD up the way I've always been used to using it. Now I'm working for a new manager who is heavily into best practice and I was told the way I've always setup groups for NTFS permissions isn't best practice. This got me thinking that whilst I've done my AD MCTS exam it never really teaches you best practices as such (or at least I can't remember it doing so).

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

was the manager saying leave individual permissions alone and just use NTFS?

I just do it the way I learned in the MS press books and I follow everything else by what the company says. Sometimes they dont like you looking at technet whilst secretly looking at CF

 

Basically creating local groups and assigning permissions to the folder via the created local group and then creating a global group and adding the users to that and making the global group a member of the local group. Then giving full share permissions to everyone to the folder.

I suppose it's where do you read up on best practice for various MS technologies.

 

I have always found that the best practice is the one that works. Or in other words offers the least complex method to achieve the desired solution.

Regardless of what anyone says if a solution is effective for what you need it for then you are implementing the most effective practice.

 

First of all, MCS is trying to get rid of the nomenclature "best practices", because it can sometimes give the false idea that no other method can possibly be better.
Every company is different and unique in their own way. What works for one, may not work for another. Thus, we are trying to use the new wording of "recommended practices" in current documentation and when speaking with customers.

Regarding "recommended practices" of group membership, yes, the typical manner in how you do things would be the AGLP method. But this doesn't mean you MUST create local groups on the servers. In fact, few do simply because it's a lot of work (unless you're talking about the default built-in groups such as Administrators, in which case use them when you can). If one followed the TechNet wording or recommended practices to the letter, you would end up placing users in a global group, the global group would be in another global group, which in turn might be in a Universal Group, and this UG could be in another UG, which is then placed into a Local Group on the server, which in turn is placed on the share. But my my what a long list of steps to worry about.

But in practice you should follow the KISS principle! Keep it Super Simple.

Ditch the local groups, just make groups in AD. Add users to the AD group, and the AD group on the share.
And the reason for leaving the share permissions with full rights to the Everyone group is a recommended practice because it follows the KISS principle. The NTFS permissions take precedence in defining who has access (so giving Everyone Full Access on the Share should not be taken literally) and so you limit your rights management only to that one tab (the NTFS permissions tab). One less area (Share permissions) to worry about.

And if you think that you're being clever by replacing Everyone with Authenticated Users thinking this is more restrictive than Everyone, then you're wrong and it is in fact NOT a recommended practice. Look it up if confused.

 

yeah he is implementing the AGLP method which until now I would never of done and no company I have worked for has implemented (some multinational companies as well). He is very clued up on best practice and this made me think have I been doing things wrong all this time but again I have heard of KISS as well. Personally I thought it was overkill the AGLP method. I didn't think there was a set standard in implementation as all companies are different hence the question.

 

snap mate.

 

Overkill?

Hmmm... tell me then, how have you and the other companies (and the multinationals) implemented this then? I hope they haven't tried placing individual users to NTFS permissions, or doing things the other way around as was the norm in NT4 (i.e. everyone access on the NTFS permissions, and individual users on the shares). Because those are both cumbersome, wrong as well as dangeorus practices.

Just curious, it could simply be a misunderstanding on my part regarding what you're trying to convey and your previous companies in question may simply have done things in a way which IS supported, but not the "recommended practice" as portrayed by your new boss.

 

No I would never assign users permissions to folders directly always through a group and assign permissions to that group. What I meant by overkill is creating and assigning a local group permissions to a folder and then creating a global group and adding the users to that and then making the global group a member of the local group. I would however give the everyone group full share permissions as NTFS would restrict access.

I suppose the issue I'm getting at is what one company does and you follow their setup can have an impact on you if you turn up to an interview and the manager starts asking about say this example of implement NTFS permissions and starts asking about best practice. This got me thinking where do people find out what is best practice. Whilst study gains you the knowledge of implementing technology it doesn't really go into saying it should be done this way or that. That's why I suppose I was asking does Microsoft and other companies set out best practice and if so how do you find out what is best practice.

 

I hear you

The local groups is not wrong, just more work, and more work is sometimes against recommended practices ;) Ask your boss to show the TechNet article that clearly states one should do them, I'd be interested in seeing which one he referred to.

It can be ok to use this if some token overload is expected, but unlikely unless your company is really large.

 

The reason I bring it up is he was interviewing and said this person didn't know about best practice so I don't think they got through to the next stage. This made me think am I meant to be using best practice methods to the tee and where do I find out what is best practice for Exchange, AD and such. I suppose my question has been answered by yourself and other answers on this thread that you use KISS and every company is different. I suppose it's a relief that I haven't been doing AD administration wrong all these years.

 

Has the company defined a best practice method and docuemented it?

Yeah the AGDLP is what i remember reading was a microsoft way of doing it in the books, but really you have to set your own standard, as long as it is uniform accross the company then it doesnt have be be done MS's way (unless you are running multiple domains then if so why reinvent the wheel).

 

Hmm.

I've always created a group in AD, in the respective OU for a site, added the members, whack that group onto the folder. job done

 

Snap with the exception of giving the everyone group full share permissions as well.

 

New manager mate so he hasn't defined anything as of yet. He is a nice guy and really does know his stuff but I suppose if he has come from a business that has implemented best practices set out by MS then he is going to implement it here. I just want to know if people follow Best Practice as a ehh best practice

 

Just follow the recommended practices whenever you can. If it doesn't work for your particular company, then it's an exception and you'll just have to work around it and define your "own" preferred practice

 

Cheers for the replies all