To start off with, I work for a company that, a long time ago when it implemented file shares for each division, also broke the cardinal rule of NTFS permissions and used explicit permissions for users on certain folders. To give an example of our setup, every user has a W: drive. The W: drive hierarchy is similar to the following:
W:\HR
W:\Legal
W:\Finance
W:\Communications
I'm pretty sure at one point these folders were fairly organized. But then came the complex situation where someone in Legal needed access to HR documents, someone in Finance needed access to Legal documents, and then there are the odd cases where two different people from different subdivisions of Legal need access to a specific folder in the Legal folder, but they don't want anyone else to have access to this folder. The IT department at that time felt the best solution would be to just give explicit permissions to those people.
Since I've started at this job 7 years ago, I've been hinting at creating security groups for these instances (even if it's only for one user account) because when users leave, we remove them from all groups, and put them in a Former Employees OU for 5 years, but their explicit permissions remain on the folders in the file share.
When I make hints of creating security groups for these instances, the counter argument is, "How will we manage all the empty groups when people leave? How would we organize and name these groups in AD?"
For the first argument, I propose a simple PowerShell script to delete empty groups, or just to leave them in place for any future employees requesting the same access to specific folders.
The second argument though is where I am having trouble coming up with a good solution. So after that brief novel, I'd simply like to ask for any tips or examples on organizing security groups in AD for NTFS permissions when faced with the situations I listed above.
One thought I had was to create an OU just for special NTFS permissions groups, name the groups after the folders they give access to, and put the full file path in the description.
If anyone has any better ideas or if anyone does this differently, I'm open to suggestions.
Best Answer
Your thoughts are essentially what I do, and I've had a lot of success in managing things that way in complicated environments.
The solution to both of the questions is that you create resource groups that are tied to the folders/shares. You don't delete the empty groups at all; the groups exist for as long as the folder or share exists, not for as long as there are users in them. If you deleted the folder, then you would delete the associated resource group, regardless of whether it's empty or not.
The question about how to organize security principals in AD is a bit of a mystery to me - that's what AD is for! You can organize it any way you want!
Here's how I do it:
Notes:
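The resource-group approach described in the answer (one group per folder, named after the folder, full path in the description, never deleted while the folder exists), as an added PowerShell example that is not code from either poster. It assumes the RSAT ActiveDirectory module, an OU with the assumed DN "OU=NTFS Resource Groups,DC=example,DC=com", and that it runs where the W: folders are reachable; the audit function at the end flags the legacy explicit-user ACEs the question describes.

```powershell
# Added example, not code from either poster. Assumes the RSAT ActiveDirectory module,
# an OU for resource groups (assumed DN below) and that the W: paths are reachable.
Import-Module ActiveDirectory
$GroupOU = 'OU=NTFS Resource Groups,DC=example,DC=com'   # assumed OU

# Derive the group name from the folder, e.g. W:\Legal\Contracts + M -> FS-W-Legal-Contracts-M
function Get-ResourceGroupName {
    param([string]$Folder, [ValidateSet('R', 'M')][string]$Access)
    $parts = ($Folder -replace ':', '') -split '\\' | Where-Object { $_ }
    return 'FS-' + ($parts -join '-') + "-$Access"
}

# Create (or reuse) the resource group for a folder and grant it Read or Modify on that folder.
# The group lives as long as the folder does; it is never deleted just because it is empty.
function New-FolderResourceGroup {
    param([string]$Folder, [ValidateSet('R', 'M')][string]$Access = 'M')
    $name = Get-ResourceGroupName -Folder $Folder -Access $Access
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $GroupOU)) {
        # The description carries the full path so the group can be traced back to its folder
        New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
            -GroupCategory Security -Path $GroupOU -Description "NTFS $Access on $Folder"
    }
    $rights = if ($Access -eq 'M') { 'Modify' } else { 'ReadAndExecute' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$env:USERDOMAIN\$name", $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Folder
    $acl.AddAccessRule($rule)       # may fail until the new group has replicated to this DC
    Set-Acl -Path $Folder -AclObject $acl
    return $name
}

# Audit helper: list non-inherited ACEs granted directly to user accounts under $Root,
# i.e. the legacy explicit-user permissions that should be replaced by resource groups.
function Find-ExplicitUserAces {
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory -Recurse | ForEach-Object {
        $dir = $_.FullName
        (Get-Acl -Path $dir).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
            $sam = ($_.IdentityReference.Value -split '\\')[-1]
            $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -ErrorAction SilentlyContinue
            if ($obj -and $obj.ObjectClass -eq 'user') {
                [pscustomobject]@{ Folder = $dir; User = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
            }
        }
    }
}

# Usage: New-FolderResourceGroup -Folder 'W:\Legal\Contracts' -Access 'M'
#        Find-ExplicitUserAces -Root 'W:\' | Format-Table
```

Removing an ACE found by Find-ExplicitUserAces only after the user has been added to the matching resource group keeps access uninterrupted during the migration.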