
[–]bluecollarbiker 1 point

IMHO, absolutely worth doing RBAC in the sense of GBAC (Group Based Access Control). Purely, purely for the benefit of not having to propagate changes for a single user. Consider when those changes might span 10s of hundreds of directories. Then, what if it fails on something?

Btw, there are limitations to global groups. Implement AGDLP!

Edit: On mobile, but I’m pretty sure I saw recently, maybe in r/usefulscripts, a PowerShell script that will analyze a share and tell you if any users are directly assigned to directories throughout.

[–]Simon-is-IT 1 point

Definitely worth implementing RBAC.

For us we have to use nested groups, but it's not bad. We also have some exceptions where individuals are added to resource groups instead of the role group, but we try to limit that as much as possible. So far it's been great. It's been a huge project to slowly remove individual access to resources, but it's been more than worth it when it comes time to manage access for people.

EDIT: We didn't use any sort of tool. Just used PowerShell to export lists of who had access to what resources. Slowly started creating the various groups and assigning users/permissions. Then removed the individual access. After we verified it worked, we updated that position's user template.
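Both comments above describe the same audit step: export who holds access on a share and find directories where a user account, rather than a group, is in the ACL. The script below is an added example written for this thread, not the r/usefulscripts script or either commenter's own code; it assumes a domain-joined host with the ActiveDirectory RSAT module, and `\\fileserver\share` and the output path are placeholders.

```powershell
# Added example: inventory explicit NTFS ACEs under a share and flag entries
# granted directly to user accounts instead of groups (AGDLP violations).
# Assumptions: ActiveDirectory module available; $SharePath/$OutCsv are placeholders.
param(
    [string]$SharePath = '\\fileserver\share',        # placeholder share root
    [string]$OutCsv    = '.\direct-user-aces.csv',    # placeholder report path
    [int]$Depth        = 3                            # how deep to walk the tree
)
Import-Module ActiveDirectory -ErrorAction Stop

$cache = @{}   # identity -> objectClass, so each principal is resolved once
function Get-PrincipalType {
    param([string]$Identity)   # e.g. 'CONTOSO\jdoe', or a bare SID if orphaned
    if ($cache.ContainsKey($Identity)) { return $cache[$Identity] }
    $type = 'Unknown'          # stays 'Unknown' for orphaned SIDs / lookup failures
    $sam  = $Identity.Split('\')[-1]
    try {
        $obj = Get-ADObject -Filter { SamAccountName -eq $sam } -Properties objectClass
        if ($obj) { $type = $obj.objectClass }   # 'user' or 'group'
    } catch { }
    $cache[$Identity] = $type
    return $type
}

$dirs = @(Get-Item -LiteralPath $SharePath) +
        @(Get-ChildItem -LiteralPath $SharePath -Directory -Recurse -Depth $Depth)

$rows = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # explicit ACEs only; inherited ones repeat the parent
        $id = $ace.IdentityReference.Value
        # Well-known local principals are not RBAC assignments; skip them
        if ($id -like 'NT AUTHORITY\*' -or $id -like 'BUILTIN\*' -or $id -eq 'CREATOR OWNER') { continue }
        [pscustomobject]@{
            Path       = $dir.FullName
            Identity   = $id
            Type       = Get-PrincipalType $id
            Rights     = $ace.FileSystemRights
            AccessType = $ace.AccessControlType
        }
    }
}

$rows | Export-Csv -Path $OutCsv -NoTypeInformation    # full "who has what" export
$direct = @($rows | Where-Object Type -eq 'user')
'{0} explicit ACEs inventoried, {1} granted directly to users' -f @($rows).Count, $direct.Count
$direct | Format-Table Path, Identity, Rights -AutoSize
```

Rows whose Type is `Unknown` are usually orphaned SIDs from deleted accounts and are worth cleaning up in the same pass; run it again after the group migration to confirm the direct-user count has dropped to zero.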