That is, or certainly can be, a tough nut to crack.
What I try to use is:
1. never grant to users, not anything, not ever
2. allow users into a subset of the groups only
(I think of these as principal groups)
3. use grants for rights, resources, etc. with
groups defined for those purposes
(I think of these as resource groups)
4. use principal groups no where except to
populate resource groups
5. have and uphold a group naming convention so that
it is clear what group is a principal group, and what
the uses of the resource groups are (and use them
only that way)
Then, there is a limited subset of groups that need to
be periodically examined for accounts, and as a side
effect looking at the resource groups tells one immediately
what categories of users have that access.
For the examination I use script.
If one does not start out right one can quickly get a mess
on one's hands.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
"Mike Matheny" <mikemathenyathoustondotrrdotcom> wrote in message
> We have around 10 trusted domains that we sometimes add users from into
> our domain local groups. When a user from a trusted domain leaves, we need
> a way to find out what groups in OUR domain he is a member of and remove
> him I have not been able to find any way to do this (short of going
> through all 1000 of our groups manually!!), so that is why I am asking the
> experts!
>
> --
>
> Mike Matheny
>
>
>
FAQ
Search
Profile
Private Messages
Log in
