Microsoft's official enterprise support blog for AD DS and more
Hi all, Ned here. Our friend Nir has another new DAC-related post up, this time on the File Cab blog:
Getting started with Central Access Policies - Reducing security group complexity and achieving data access compliance using Dynamic Access Control
If you need a reason to go read this, consider the following quote:
"So, we have 2,000 groups, 2,000 ACLs and many groups that are affected by a person changing a role, not to mention the complexity of adding another level (say Branch) or the implications if we want to change the folder structure.
With Dynamic Access Control, you can cut the number of groups down from 2,000 to 71 (50 for country, 20 for department and 1 for sensitive data access). This is made possible by the ability to use expressions in Windows ACL. For example: You would use MemberOf(Spain_Security_Group) AND MemberOf(Finance_Security_Group) AND MemberOf(Sensitive_Security_Group) to limit access to Spain’s finance department sensitive information."
Get on over there and give it a read.
I swear we are going to post some original content here at some point. Just crushed under the load.
- Ned "sock puppet" Pyle