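Group Strategy
Model
Use AGDLP: Accounts go into Global groups, Global groups go into Domain Local groups, and Domain Local groups receive the Permissions.
Examples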
| Group | Type | Purpose |
|---|---|---|
| GG-HQ-IT | Global | IT users in HQ |
| GG-HQ-HR | Global | HR users in HQ |
| GG-HQ-Finance | Global | Finance users in HQ |
| DL-FS01-HR-RW | Domain Local | HR share read/write |
| DL-FS01-Finance-RW | Domain Local | Finance share read/write |
Permission flow
```mermaid
flowchart LR
    User[User Account] --> GG[Global Group]
    GG --> DL[Domain Local Group]
    DL --> ACL[NTFS / Share Permission]
```
Rules
- Never assign file permissions directly to users.
- Use Global Groups for people and roles.
- Use Domain Local Groups for resource permissions.
- Document all groups in the inventory or access matrix.
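
One way to check a folder against these rules, as an added example that is not part of the original page: the function flags explicit ACL entries that name an account, a non-Domain-Local group, or a Domain Local group with accounts as direct members. The function name `Test-AgdlpAcl` and the path `\\FS01\HR` are assumptions; it requires the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original page. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-AgdlpAcl {
    param([Parameter(Mandatory)][string]$Path)

    $domain = (Get-ADDomain).NetBIOSName
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $id = $ace.IdentityReference.Value
        # Skip inherited ACEs and built-in principals (SYSTEM, BUILTIN\...)
        if ($ace.IsInherited -or $id -notlike "$domain\*") { continue }

        $sam = $id.Split('\')[1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
        $finding = $null

        if (-not $obj) {
            $finding = 'Principal not found in AD'
        }
        elseif ($obj.ObjectClass -ne 'group') {
            $finding = 'Permission assigned directly to an account'
        }
        else {
            $group = Get-ADGroup -Identity $obj.DistinguishedName
            if ($group.GroupScope -ne 'DomainLocal') {
                $finding = "ACL uses a $($group.GroupScope) group; expected Domain Local"
            }
            else {
                # Direct members of a Domain Local group should be groups, not accounts
                $accounts = Get-ADGroupMember -Identity $group |
                    Where-Object { $_.objectClass -ne 'group' }
                if ($accounts) {
                    $finding = 'Accounts are direct members: ' +
                        ($accounts.SamAccountName -join ', ')
                }
            }
        }

        if ($finding) {
            [pscustomobject]@{
                Path = $Path; Identity = $id
                Rights = $ace.FileSystemRights; Finding = $finding
            }
        }
    }
}

# Assumed placeholder path for the HR share on FS01
Test-AgdlpAcl -Path '\\FS01\HR' | Format-Table -AutoSize -Wrap
```

An empty result means every explicit entry on that folder follows the User, Global Group, Domain Local Group flow; inherited entries are checked by running the function on the parent folder.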