Active Directory Best Practices

Sean Hogge 26 Reputation points
2021-07-27T17:01:37.08+00:00

My question is perhaps more philosophical than technical, but I'm hoping for informed opinions and understand there is no definitive or "best" answer.

A coworker and I disagree on AD (security) groups. I believe they should be a reflection of the organization: i.e. the "Sales" group should contain only people in the Sales department, and not contain folks from Finance that need to see some Sales data.

He says the opposite: Finance folks should be in the Sales group so they can get some reports or emails.

My motivation is that I develop software for our company, including our intranet. I routinely create dashboards and reports for people and departments. What I want is to say "give me all the members of the Service group" and get a list of all our service technicians, service managers, and such. He says that instead I should be looking at AD job titles, asking for all users that have an array of titles to reflect who works in the Service department (since we currently have Finance and Execs in the AD "Service" group).

I'm trying hard to see the validity of his point, but no matter what I consider, using groups in the way he proposes is an anti-pattern. But that's not conducive to constructive conversation. I'm hoping some outside opinions may help me understand his position better.

How do you, as an IT professional, think AD groups should be laid out and maintained (besides the well-accepted guidelines for OUs, nesting, and such)?

Thanks in advance for helping me avoid my own narrow-mindedness.


Accepted answer
  1. Pavel yannara Mirochnitchenko 13,336 Reputation points MVP
    2021-07-27T18:02:36.923+00:00

    In AD, there are Security Groups, Distribution Groups and also Organizational Units (OUs). Security groups are strictly for security; OUs help you organize and delegate stuff. If you add a Finance person into the Security Group for Sales, and you have some GPO or app applied to the Security Group for Sales, the Finance person will get it, and that would be a security issue. So I stick more with you than with your friend :D

    For reporting and viewing reports and attributes, I would use a totally different security group, like report admins or report readers. What you see in the report should not be limited by a security group of staff (like Sales in this example). Not sure if I got your point, but here you go :)

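As an added example (not code from the original thread; written in PowerShell against the RSAT ActiveDirectory module, with the group names, OU path, Department value and account names all assumed placeholders), this is what the split yannara describes looks like in practice: one security group that mirrors the org chart, a separate resource group that grants access to the Service reports, and the Finance exceptions added only to the latter. It also shows the "give me everyone in Service" query from the question and a drift check for members who do not belong in the role group.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module and rights to create groups under the OU below; all group, OU,
# attribute and account values are hypothetical placeholders.
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the new groups

# 1. Role group: membership mirrors the org chart and nothing else.
New-ADGroup -Name 'Role-Service' -GroupScope Global -GroupCategory Security `
    -Path $GroupOU -Description 'Everyone in the Service department (org mirror)'

# 2. Resource group: grants exactly one entitlement (read the Service reports).
New-ADGroup -Name 'Res-ServiceReports-Read' -GroupScope DomainLocal -GroupCategory Security `
    -Path $GroupOU -Description 'Read access to Service reports'

# 3. Nest the role group into the resource group (the AGDLP pattern), then add the
#    Finance exceptions to the resource group only. Finance never enters Role-Service,
#    so any GPO or app entitlement keyed to Role-Service stays scoped to Service staff.
Add-ADGroupMember -Identity 'Res-ServiceReports-Read' -Members 'Role-Service'
Add-ADGroupMember -Identity 'Res-ServiceReports-Read' -Members 'fin.analyst1', 'cfo'  # hypothetical accounts

# 4. The intranet query the poster wants: "all members of Service".
$ServiceStaff = Get-ADGroupMember -Identity 'Role-Service' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Department, Title

# 5. Drift check: a member whose Department attribute disagrees with the group is
#    either a misfiled user or an access grant that belongs in a resource group.
$Drift = $ServiceStaff | Where-Object { $_.Department -ne 'Service' }
if ($Drift) {
    Write-Warning "Role-Service contains $($Drift.Count) member(s) outside Service:"
    $Drift | Select-Object SamAccountName, Department, Title | Format-Table -AutoSize
}

# 6. The question the resource group answers: who can read the reports?
Get-ADGroupMember -Identity 'Res-ServiceReports-Read' -Recursive |
    Select-Object SamAccountName, objectClass
```

The point of keeping the two groups apart is that each one answers a single question. Role-Service answers "who works in Service" and is safe to hang GPOs, mailbox permissions or dashboard filters on; Res-ServiceReports-Read answers "who may read these reports" and is where exceptions live. Group membership changes are also audited by the domain controller (event IDs 4728 and 4732 for additions to global and domain local security groups), which is an audit trail that changes to a user's Title attribute do not give you in the same form.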

3 additional answers

  1. Anonymous
    2021-07-27T17:28:17.953+00:00

    You can review Microsoft's documentation here.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory



  2. Anonymous
    2021-07-28T01:37:48.56+00:00

    Hello @Sean Hogge ,

    Thank you for posting here.

    We are very grateful for yannara's suggestions and sharing. I am so glad that the information provided by yannara is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  3. Anonymous
    2021-07-28T12:45:05.837+00:00

    Just checking if there's any progress or updates?

