Identifying certain Active Directory accounts as “IsHuman”

Tags: active-directory, attributes, flags, groups

I'd like to flag certain Active Directory accounts to indicate that they represent individual, physical people as opposed to groups, service accounts, built-in accounts, etc. This could be via a custom or built-in attribute, group, etc.

Ideally, the solution would:

  • Make it easy to add the attribute to multiple accounts at once
  • Not have to be added to every account
  • Provide some indication (visual, etc.) that it may need to be set at account creation

Best Answer

Groups are a different kind of object from users, so differentiating them is already possible, even easy. Built-in accounts are usually left in the Users container, while user accounts and service accounts are typically sorted into separate OUs either under the Users container or outside of the Users container. Either way, sorting by OU would be a visual indication in the GUI and also easily searchable and sortable by other applications, PowerShell commands, searches, etc.

So just sort your users into different OUs by type of user. You might also want to create an OU tree to sort human users more granularly, for example you could sort them by department into separate department OUs. Or you could sort them by office location or whatever makes business sense. That way you have multiple ways to differentiate between users with different needs.

I also like to sort all groups into OUs. Either I make a groups OU and sort all the groups inside that and even create an OU tree structure to differentiate user groups from resource groups from distribution groups, or I include the groups next to the users in the appropriate user OUs.

If you're not intelligently sorting your AD objects into OUs, you're missing out on a major feature of Active Directory.

In addition to using OUs, you could (really should) leverage group membership. Typically there are reasons to create one or more user and distribution groups that include all the human staff of an organization, but not include any built-in or service accounts. You may also want to create a distribution and/or user group for all service accounts (you might be able to assign appropriate rights for service accounts to groups). A distribution group is completely meant to sort users for almost no other purpose (especially if you don't have Exchange), so it's an ideal mechanism for grouping accounts for various purposes.

If you do have Exchange, then you've got all kinds of schema extensions added to Active Directory that you can use to differentiate between user mailboxes and shared mailboxes, etc.

Finally, regarding service accounts, you might put some thought into the scope required by your various service accounts. If you have a service that needs a custom account but doesn't need to access any network resources, you could simply create a local account for that service and grant it the necessary rights on the local machine. That's one less service account cluttering up your AD.
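As an added illustration of the OU-plus-group approach described in the answer (example code, not part of the original answer): a PowerShell script using the ActiveDirectory RSAT module that bulk-adds every enabled user under a "Humans" OU to an "All-Humans" group, then reports accounts whose OU placement and group membership disagree, which gives the "needs to be set" indication the question asks for. The OU paths and group name are placeholders to replace with your own.

```powershell
# Added example; assumes the ActiveDirectory module and placeholder names below.
Import-Module ActiveDirectory

$HumanOU    = 'OU=Humans,OU=Users,DC=example,DC=com'   # placeholder: OU holding only person accounts
$HumanGroup = 'All-Humans'                              # placeholder: group that flags "IsHuman"

function Sync-HumanGroup {
    # Bulk-flag: every enabled user object anywhere under the Humans OU becomes
    # a member of the human group. Only missing members are added, so the script
    # can be re-run safely (for example from a scheduled task).
    $humans  = Get-ADUser -SearchBase $HumanOU -SearchScope Subtree -Filter 'Enabled -eq $true'
    $current = Get-ADGroupMember -Identity $HumanGroup | Select-Object -ExpandProperty DistinguishedName
    $toAdd   = $humans | Where-Object { $current -notcontains $_.DistinguishedName }
    if ($toAdd) { Add-ADGroupMember -Identity $HumanGroup -Members $toAdd }
    return $toAdd.Count
}

function Get-HumanFlagDrift {
    # Drift report: an enabled user is flagged by OU (lives under $HumanOU) and by
    # group (member of $HumanGroup). Any account where the two disagree, e.g. a
    # new hire still sitting in the Users container, or a service account someone
    # dropped into the human group, is listed so an admin can decide what it is.
    $groupDN = (Get-ADGroup -Identity $HumanGroup).DistinguishedName
    Get-ADUser -Filter 'Enabled -eq $true' -Properties MemberOf, whenCreated | ForEach-Object {
        $inOU    = $_.DistinguishedName -like "*,$HumanOU"
        $inGroup = $_.MemberOf -contains $groupDN
        if ($inOU -ne $inGroup) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                InHumanOU      = $inOU
                InHumanGroup   = $inGroup
                Created        = $_.whenCreated
                DN             = $_.DistinguishedName
            }
        }
    }
}

$added = Sync-HumanGroup
Write-Host "Added $added account(s) to $HumanGroup"
# Newest accounts first, so recently created ones that still need a decision surface at the top.
Get-HumanFlagDrift | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it under an account with rights to modify the group; accounts that are in the group but outside the OU are worth reviewing, since the group is what other tooling will trust.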