Active Directory Group Management
 

Group Management and Group Policy

Sep 11, 2008
Group policy is a very valuable tool, as it allows the administrator to control which tasks users are able to perform using company resources. While Group Policy Objects in Active Directory are generally applied at the level of the domain or organizational unit, it is possible to further filter by security groups, allowing a greater level of granularity in defining access rules.

To accomplish this, create a GPO and link it to the OU where the users reside. Create the group which will act as the filter for the GPO. Then, in the Group Policy Management console, select the GPO and add the new group in the Security Filtering pane. Remember that it is not possible to filter on a distribution list; it must be a security group.

The group policy will now apply to members of that group. The key, therefore, is to guarantee the accuracy of the security group. The best way to handle this is with a dynamic group management tool, such as Imanami SmartDL. With dynamic group management, you can be sure that all users whose account attributes match the criteria specified in the dynamic group query will be included. Choose the attribute or set of attributes which will determine membership, configure SmartDL, and the rest will take care of itself.

A couple of examples: Imagine that you want to allow access to an HR web page only to managers with employees. Simply create a dynamic security group that queries AD to include only users who have the attribute ‘directReports’ populated. If you want to enable only marketing VPs to see the new marketing plan, create the group with ‘department equals Marketing’ and ‘title contains Vice-President.’ By making these groups dynamic, you can ensure that only the users who meet the criteria right now will have access to those files and systems.
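The two membership rules above can also be used to audit a filter group for drift. The following PowerShell is an added example, not Imanami's code or part of the original post; the group names, accounts and directory records are constructed, and the function name `Get-GroupDrift` is hypothetical.

```powershell
# Added example; every name and record below is constructed for illustration.
function Get-GroupDrift {
    param(
        [object[]]$Users,         # candidate user records from the directory
        [string[]]$Members,       # sAMAccountName of each current group member
        [scriptblock]$Criteria    # rule that is supposed to define membership
    )
    # Accounts that satisfy the rule right now.
    $expected = @($Users | Where-Object $Criteria | ForEach-Object { $_.sAMAccountName })
    [pscustomobject]@{
        ToAdd    = @($expected | Where-Object { $_ -notin $Members })   # meet the rule, not in the group
        ToRemove = @($Members  | Where-Object { $_ -notin $expected })  # in the group, no longer meet the rule
    }
}

# Constructed records. Against a live domain the same shape comes from, for example:
#   Get-ADUser -LDAPFilter '(directReports=*)' -Properties department,title,directReports
$users = @(
    [pscustomobject]@{ sAMAccountName = 'avega';  department = 'Marketing'; title = 'Vice-President, Brand'
                       directReports = @('CN=Ben Ito,OU=Staff,DC=example,DC=com') }
    [pscustomobject]@{ sAMAccountName = 'bito';   department = 'Marketing'; title = 'Analyst'
                       directReports = @() }
    [pscustomobject]@{ sAMAccountName = 'cmoore'; department = 'Sales';     title = 'Vice-President, EMEA'
                       directReports = @('CN=Dee Park,OU=Staff,DC=example,DC=com') }
    [pscustomobject]@{ sAMAccountName = 'dpark';  department = 'Sales';     title = 'Account Manager'
                       directReports = @() }
)

# The two rules from the text. -eq and -like are case-insensitive, as directory matching is.
$managers     = { $_.directReports }                                                # LDAP: (directReports=*)
$marketingVPs = { $_.department -eq 'Marketing' -and $_.title -like '*Vice-President*' }
                                                  # LDAP: (&(department=Marketing)(title=*Vice-President*))

# Constructed current membership: cmoore moved from Marketing to Sales but was never
# removed from the plan group, and was never added to the managers group.
$checks = @(
    @{ Group = 'HR-Page-Managers';   Members = @('avega');           Rule = $managers }
    @{ Group = 'Marketing-Plan-VPs'; Members = @('avega', 'cmoore'); Rule = $marketingVPs }
)

foreach ($c in $checks) {
    $d = Get-GroupDrift -Users $users -Members $c.Members -Criteria $c.Rule
    '{0}: add [{1}] remove [{2}]' -f $c.Group, ($d.ToAdd -join ', '), ($d.ToRemove -join ', ')
}
```

Any account listed under `remove` is one that still receives the filtered GPO, or still has access, after its attributes stopped matching the rule.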

Using this process, you can ensure that all your users will have exactly the access level they need, and no more.


© Copyright 2001-2011 Imanami Corporation. All rights reserved