As a best practice, assign resource access to security groups—instead of to individual users—to simplify administration and troubleshooting. Resources can include the following:
- Folders and shared folders
- Registry settings
- Active Directory Domain Services
For efficiency, create global groups for users based on criteria such as job function or department. Create domain local groups, and then place global groups into domain local groups. Assign permissions to the domain local groups as required for your environment. This practice simplifies troubleshooting. It also simplifies management of changes when they occur, for example, when users change job functions.
Using security groups
The following table provides a reference for more information about using security groups.
Review best practice information about assigning permissions on Active Directory objects.
Best Practices for Assigning Permissions on Active Directory Objects (http://go.microsoft.com/fwlink/?LinkId=93217)