In many IT infrastructures, access is controlled by collecting individual user accounts into security groups and then specifying access control on organizational IT resources for these security groups instead of for individual user accounts.
For instance, in IT environments that are powered by the Microsoft Windows Server operating system, Active Directory security groups are used to collect domain user accounts into a single collective, and then access is granted or denied to various IT resources such as SharePoint portals or file servers using these security groups.
In many cases, it can be helpful to take a security group and make it a part of another security group so as to be able to collectively grant access to a large collective of users. The process of making one security group a member of another security group is referred to as group nesting and these groups are then referred to as nested security groups, since they are, well, nested.
While nesting security groups can be beneficial, it can often also be problematic because it can make it hard to identify nested groups and it can make it harder to determine who ultimately has what access because of these nested security group memberships, especially when groups are nested beyond two levels. In certain cases, a variety of tools can be used to identify nested groups. In particular, IT admins can use Active Directory reporting tools to identify nested groups and also use native Microsoft security group management tools to then manage these groups.
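The difficulty described above, as an added Python example that is not part of the original post: it walks a constructed group hierarchy to list nested groups, resolve who ultimately ends up in a resource group and through which chain of groups, and flag members nested beyond two levels as well as circular nesting. All group and account names are hypothetical sample data.

```python
# Constructed sample data (hypothetical names): group -> direct members.
# A member that is itself a key here is a nested group; anything else is a user.
GROUPS = {
    "FileServer-Finance-RW": ["Finance-All", "svc-backup"],
    "Finance-All": ["Finance-Managers", "Finance-Analysts"],
    "Finance-Managers": ["alice", "Finance-Execs"],
    "Finance-Analysts": ["bob", "carol"],
    "Finance-Execs": ["dave", "Finance-All"],  # circular nesting
}


def nested_groups(groups):
    """Groups that are members of at least one other group."""
    return {m for members in groups.values() for m in members if m in groups}


def effective_members(group, groups):
    """Return ({user: shortest chain of groups}, {circular (parent, child) edges})."""
    users, cycles = {}, set()

    def walk(name, path):
        for member in groups.get(name, []):
            if member in groups:                 # nested group
                if member in path:               # would loop back onto this chain
                    cycles.add((name, member))
                else:
                    walk(member, path + (member,))
            elif member not in users or len(path) < len(users[member]):
                users[member] = path             # keep the shortest chain

    walk(group, (group,))
    return users, cycles


def deeply_nested(users, max_levels=2):
    """Users whose membership passes through more than max_levels nestings."""
    return sorted(u for u, path in users.items() if len(path) - 1 > max_levels)


if __name__ == "__main__":
    users, cycles = effective_members("FileServer-Finance-RW", GROUPS)
    print("Nested groups:", sorted(nested_groups(GROUPS)))
    for user, path in sorted(users.items()):
        print(f"{user:12} via {' -> '.join(path)}")
    print("Beyond two levels:", deeply_nested(users))
    print("Circular nesting:", sorted(cycles))
```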
Overall, security group nesting for the purpose of access control can be helpful if used carefully, and can be problematic if used haphazardly.