The best practice in group management has been inherited from experience with Windows NT. First, create gatekeeper groups: Local groups that control access to resources and expose what needs to be exposed for broad and even tightly controlled purposes. Then nest Global groups and, in native mode, Universal groups in the Local groups, which provides a second level of access control and permissions.
The practice of creating gatekeeper groups also encourages delegation of responsibility and a form of decentralized management that is still safe and not out of touch. Assign responsibility for managing the Local groups to the people who need to admit Global or Universal groups only as requested. Then assign management of the Global groups' membership to the department or organizational unit administrators.
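The nesting and delegation described above can be set up and then audited with the ActiveDirectory PowerShell module. This is an added example, not part of the original text. It assumes the Local gatekeeper groups are Domain Local groups in Active Directory, and the OU path, group names and manager accounts are hypothetical.

```powershell
# Added example. All names, the OU path and the manager accounts are hypothetical.
Import-Module ActiveDirectory

$groupOU    = 'OU=Groups,DC=example,DC=com'   # hypothetical OU that holds both groups
$gatekeeper = 'DL-FinanceShare-Modify'        # Local (gatekeeper) group, one per resource and access level
$roleGroup  = 'GG-Finance-Staff'              # Global group maintained by the department

# 1. Gatekeeper: the Domain Local group is the only principal placed on the resource ACL.
#    ManagedBy records who is responsible for admitting groups on request; granting
#    that person the right to edit membership is a separate delegation step.
New-ADGroup -Name $gatekeeper -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description 'Gatekeeper: Modify on the finance share' `
    -ManagedBy 'resource.owner'

# 2. Global group: its membership belongs to the department or OU administrator.
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security `
    -Path $groupOU -ManagedBy 'finance.ouadmin'

# 3. Nest the Global group in the gatekeeper. Users are never added to the gatekeeper directly.
Add-ADGroupMember -Identity $gatekeeper -Members $roleGroup

# 4. Audit: list every direct member of a Domain Local group that is not itself a group.
#    Each row is an account that bypasses the second level of control.
function Get-GatekeeperViolation {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADGroup -Filter "GroupScope -eq 'DomainLocal'" -SearchBase $SearchBase |
        ForEach-Object {
            $group = $_
            Get-ADGroupMember -Identity $group |
                Where-Object { $_.objectClass -ne 'group' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Gatekeeper   = $group.Name
                        DirectMember = $_.SamAccountName
                        ObjectClass  = $_.objectClass
                    }
                }
        }
}

Get-GatekeeperViolation -SearchBase $groupOU | Format-Table -AutoSize
```

An empty result from the audit means every gatekeeper under the OU is populated only through nested groups.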