I need to create security groups in AD. I can identify the groups that I need, let's say they are: Management, Finance, Sales & Engineering. And I can identify the resources that each group requires access to (though this could be a tedious task). And I can identify levels of access required.
Most companies add security groups as needed. But this is a situation where the company is already mature but has never used security groups before. Are there best practices for implementing security groups? Are there any tips? Or pitfalls to avoid? And does anyone know of any tool that could speed up the group->resource mapping process?
The way I have implemented it, based on Microsoft's recommendations for Windows Server 2003 (found in the MCSE Self-Paced Training Kit for exam 70-294: Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure) is:
So you have: User Account -> Job Role security group -> Resource Permission security group -> Resource Permissions
Doing it this way, you can end up with a lot of groups, particularly domain local groups, if you have a lot of resources, but it keeps it relatively simple and maintainable. Trying to get clever and having multiple levels of nested groups is a recipe for complexity and disaster, trust me!
It would also be a good idea to ensure that no-one other than Administrators has Full Control of any files. This prevents users trying to be too clever and configuring their own permissions.
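As an added example of the pattern described in this answer (not code from the answer or from Microsoft), the PowerShell below creates Global job-role groups, Domain Local resource-permission groups, nests the role groups into the resource groups, and grants NTFS rights only to the Domain Local groups, with no non-administrator group ever receiving Full Control. It assumes the RSAT ActiveDirectory module; the OU paths, share paths, domain name and the role-to-resource mapping are placeholders to replace.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory module and a
# domain with NetBIOS name CORP; OU paths, shares and the mapping are constructed samples.
Import-Module ActiveDirectory

$Domain     = "CORP"                                              # assumed NetBIOS name
$RoleOU     = "OU=Role Groups,OU=Groups,DC=corp,DC=example"      # assumed OU
$ResourceOU = "OU=Resource Groups,OU=Groups,DC=corp,DC=example"  # assumed OU

# 1. Job-role groups: Global scope, one per role named in the question.
$Roles = "Management", "Finance", "Sales", "Engineering"
foreach ($r in $Roles) {
    New-ADGroup -Name "Role_$r" -GroupScope Global -GroupCategory Security `
        -Path $RoleOU -Description "Job role: $r"
}

# 2. Resource -> access level -> roles mapping (constructed sample data).
$Resources = @{
    "\\fs01\Finance" = @{ Modify = @("Finance"); Read = @("Management") }
    "\\fs01\Sales"   = @{ Modify = @("Sales");   Read = @("Management", "Finance") }
}

foreach ($path in $Resources.Keys) {
    $short = Split-Path $path -Leaf
    foreach ($level in $Resources[$path].Keys) {
        # 3. Resource-permission group: Domain Local scope, one per resource and level.
        $dl = "ACL_${short}_$level"
        New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security `
            -Path $ResourceOU -Description "$level on $path"

        # 4. Nest role groups into the resource group (User -> Role -> Resource group).
        $members = $Resources[$path][$level] | ForEach-Object { "Role_$_" }
        Add-ADGroupMember -Identity $dl -Members $members

        # 5. Grant NTFS rights to the Domain Local group only. Users are never given
        #    FullControl, so they cannot re-ACL the data themselves.
        $rights = if ($level -eq "Modify") { "Modify" } else { "ReadAndExecute" }
        $acl  = Get-Acl -Path $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$Domain\$dl", $rights, "ContainerInherit,ObjectInherit", "None", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}
```

Run it as an account that can create groups in both OUs and change the ACLs on the shares; adding a user to one Role_ group is then the only step needed to give them every resource that role is mapped to.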
Without knowing your environment it's hard to give you specific advice, but to paint with the broadest possible brush I'd suggest that you follow the Policy of Least Privilege in all your permission-delegating.
hmallett's advice combined with the mentality behind the Policy of Least Privilege will give you a very flexible, yet fairly secure environment.