The five golden rules of common sense permissions designs
With many of you still planning to migrate to Windows 2000 and Active Directory, here are some rules to help you when you are assigning permissions in AD. This is not a complete list of rules, but some suggestions that will get you thinking in the right direction.
- Assign object permissions to groups of users rather than individual users whenever possible.
Even if a group only includes one user, this will remove organizational dependence on one particular account and make alterations much simpler if a person leaves the organization.
- Design group permissions so that you have a minimum of duplication.
If a set of users need permissions A, B, and C, do not create groups with permutations of the three permissions but rather 3 separate groups. If all of your users need these permissions then only one group is needed (A_B_C). Your ultimate goal is keep the number of groups to a minimum.
- Manage permissions globally from the ACL window.
Right-clicking on objects will bring up their Security Permissions window. You should manage permissions from this window as often as you can. Only use the Advanced button when you want to allow or deny permission to one aspect of an object rather than the whole object.
- Allow inheritance: do not orphan sections of the tree.
Inheritance is the default, if you specify that children do not inherit specific permissions from their parents you will make Active Directory harder to manage.
- Keep a log of every unusual change that you have made to the tree, especially when you have orphaned sections of it or applied special rights to certain users.
This may sound obvious but you would be surprised how many administrators neglect to keep a log. You may not always be around to explain changes to your directory.
Information provided in this tip comes from the book Windows 2000 Active Directory by Alistair G. Lowe-Norris, O'Reilly and Associates, 2000.