SeanHogge-3201 asked

Active Directory Best Practices

My question is perhaps more philosophical than technical, but I'm hoping for informed opinions and understand there is no definitive or "best" answer.

A coworker and I disagree on AD (security) groups. I believe they should be a reflection of the organization: i.e. the "Sales" group should contain only people in the Sales department, and not contain folks from Finance that need to see some Sales data.

He says the opposite: Finance folks should be in the Sales group so they can get some reports or emails.

My motivation is that I develop software for our company, including our intranet. I routinely create dashboards and reports for people and departments. What I want is to say "give me all the members of the Service group" and get a list of all our service technicians, service managers, and such. He says that instead I should be looking at AD job titles, asking for all users that have an array of titles to reflect who works in the Service department (since we currently have Finance and Execs in the AD "Service" group).

I'm trying hard to see the validity of his point, but no matter what I consider, using groups in the way he proposes is an anti-pattern. But that's not conducive to constructive conversation. I'm hoping some outside opinions may help me understand his position better.

How do you, as an IT professional, think AD groups should be laid out and maintained (besides the well-accepted guidelines for OUs, nesting, and such)?

Thanks in advance for helping me avoid my own narrow-mindedness.

windows-active-directory

yannara answered

In AD, there are Security Groups, Distribution Groups and also Organizational Units (OUs). Security Groups are strictly for security; OUs help you organize and delegate stuff. If you add a Finance person into the Security Group of Sales, and you have some GPO or App applied to the Security Group for Sales, the Finance person will get it, and that would be a security issue. So I stick more with you than with your friend :D

For reporting and viewing reports and attributes, I would use a totally different security group like report admins or report readers. What you see in the report should not be limited by a Security Group of staff (like Sales in this example). Not sure if I got your point, but here you go :)

SeanHogge-3201 commented

Thanks for the input. I agree precisely with granting permissions via extra groups like "Sales Report Readers" or "Customer Credit Suspensions" and adding folks there from different departments.

I think you did get my point, and I appreciate you taking the time to weigh in!

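One practical way to check for the pattern discussed in this answer and the question (department groups that contain people from other departments, who should instead sit in a separate resource-access group such as "Sales Report Readers"). This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module and that department security groups are named "Sales", "Service" and "Finance" with matching values in the user Department attribute.

```powershell
# Added example (not from the thread): audit department-named security groups for
# members whose AD "Department" attribute does not match the group. Anyone listed
# is a candidate for a dedicated resource-access group (e.g. "Sales Report Readers")
# rather than membership in the department group, which may carry GPO or app rights.
Import-Module ActiveDirectory

# Group name -> expected Department attribute value (assumed naming convention)
$departmentGroups = @{
    'Sales'   = 'Sales'
    'Service' = 'Service'
    'Finance' = 'Finance'
}

$findings = foreach ($groupName in $departmentGroups.Keys) {
    $expected = $departmentGroups[$groupName]

    # -Recursive resolves nested groups down to the leaf user accounts
    $members = Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $user = Get-ADUser -Identity $m.DistinguishedName -Properties Department, Title
        if ($user.Department -ne $expected) {
            [pscustomobject]@{
                Group          = $groupName
                User           = $user.SamAccountName
                Title          = $user.Title
                UserDepartment = $user.Department
            }
        }
    }
}

if ($findings) {
    # Each row is a department group member who does not belong to that department
    $findings | Sort-Object Group, User | Format-Table -AutoSize
} else {
    'No department-group members with a mismatched Department attribute.'
}
```

Run it with an account that can read group membership and user attributes; it only reads, so it is safe to schedule as a recurring hygiene report.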
DSPatrick answered

You can review Microsoft's documentation here.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory


--please don't forget to upvote and Accept as answer if the reply is helpful--

SeanHogge-3201 commented

Thanks for the link: I have reviewed that. It deals more with security and protecting against compromise than practical ramifications of group membership reflecting organizational hierarchy (as far as I can tell).

I believe my stance is easier to secure, but that's probably because it's simpler to imagine or hold in one's head. I don't think either of us is advocating a practice that is inherently less secure.

DaisyZhou-MSFT answered

Hello @SeanHogge-3201,

Thank you for posting here.

We are very grateful for yannara's suggestions and sharing. I am so glad that the information provided by yannara is helpful.

Should you have any questions or concerns, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DSPatrick answered

Just checking if there's any progress or updates?
