Use ARS and/or powershell to create groups - nested & add members automatically?

We use the lousy nested structure for shared folder NTFS permissions where a domain local group contains a universal which contains a global and the global has the users. I want to find a way to create the 3 groups required when a new folder is set up, then add users to the global group.

Also, does anyone have any good references on the latest best practices for share permissions? I know when/why dl groups are used, but why use the nesting scheme for every file share on 20+ file servers?

  • Hi,

    here is a PoSh script sample to create group structure:

    # Quest ActiveRoles (QAD) cmdlets; -proxy connects through the ActiveRoles server
    $users = "John Smith", "Sarah Connor"
    $group = "My Group"
    $ou = "My OU"
    Connect-QADService -proxy
    # Create the three groups: Global (holds the users), Universal, Domain Local (goes on the ACL)
    $groupG = New-QADGroup ($group+" G") -ParentContainer $ou -GroupType Security -GroupScope Global
    $groupU = New-QADGroup ($group+" U") -ParentContainer $ou -GroupType Security -GroupScope Universal
    $groupDL = New-QADGroup ($group+" DL") -ParentContainer $ou -GroupType Security -GroupScope DomainLocal
    # Nest them: users -> G -> U -> DL
    Add-QADGroupMember $groupG $users
    Add-QADGroupMember $groupU $groupG
    Add-QADGroupMember $groupDL $groupU

  • I've never heard anyone recommend the 3 level group nesting strategy you suggest here. Use the appropriate groups for the job and NEVER create 2 groups by default; that's not the idea at all, and it is why almost every AD I've ever seen is a complete mess and will often have more groups than the company has employees.

    You should only be creating either a local group or a universal group and nesting an EXISTING global group with the users already in it. If you are doing that then you are doing it right. If you are always creating groups using a 1 to 1 relationship then your design is wrong unless this is the only resource you are delegating access to, or it's the first resource and perhaps you do not already have global groups.

    I blogged about this here: clan8blog.wordpress.com/.../
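As an added example that is not from either poster, here is how the same mechanics look with the built-in ActiveDirectory (RSAT) module instead of the Quest cmdlets, written to follow the second answer's advice: the global role group must already exist, and only the resource-specific domain local group is created per share, with an optional switch to keep the G -> U -> DL chain where an environment still requires it. It is idempotent (safe to re-run, supports -WhatIf) and ends with a hygiene check that the ACL group holds only nested groups, never direct user members. The function names, the OU path, and the group names in the usage lines are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and rights to create groups in the OU. All names below are placeholders.

function Add-GroupMemberIfMissing {
    param(
        [Parameter(Mandatory)] $Group,   # ADGroup object
        [Parameter(Mandatory)] $Member   # ADGroup or ADUser object
    )
    # Read the Members attribute once instead of enumerating every member; skip if already nested.
    $current = (Get-ADGroup -Identity $Group -Properties Members).Members
    if ($current -notcontains $Member.DistinguishedName) {
        Add-ADGroupMember -Identity $Group -Members $Member
    }
}

function New-ResourceAccessGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceName,  # e.g. "FS01-Finance-RW" (placeholder)
        [Parameter(Mandatory)] [string] $RoleGroup,     # EXISTING global group, e.g. "Role-Finance"
        [Parameter(Mandatory)] [string] $OU,            # e.g. "OU=ResourceGroups,DC=corp,DC=example"
        [switch] $ViaUniversal                          # keep G -> U -> DL only if you must
    )

    # 1. Reuse the role group; never create a second global group per share.
    $global = Get-ADGroup -Filter "SamAccountName -eq '$RoleGroup'"
    if (-not $global) { throw "Role group '$RoleGroup' not found; create role groups once, not per resource." }
    if ($global.GroupScope -ne 'Global') { throw "'$RoleGroup' is $($global.GroupScope), expected Global." }

    # 2. Create the Domain Local group that goes on the NTFS ACL, only if it is missing.
    $dlName = "$ResourceName-DL"
    $dl = Get-ADGroup -Filter "SamAccountName -eq '$dlName'" -SearchBase $OU
    if (-not $dl -and $PSCmdlet.ShouldProcess($dlName, 'Create Domain Local group')) {
        $dl = New-ADGroup -Name $dlName -SamAccountName $dlName -GroupCategory Security `
                          -GroupScope DomainLocal -Path $OU -Description "ACL group for $ResourceName" -PassThru
    }
    if (-not $dl) { return }   # -WhatIf run: nothing was created, so nothing to nest

    # 3. Nest the role group, directly or through a Universal group.
    $member = $global
    if ($ViaUniversal) {
        $uName = "$ResourceName-U"
        $u = Get-ADGroup -Filter "SamAccountName -eq '$uName'" -SearchBase $OU
        if (-not $u -and $PSCmdlet.ShouldProcess($uName, 'Create Universal group')) {
            $u = New-ADGroup -Name $uName -SamAccountName $uName -GroupCategory Security `
                             -GroupScope Universal -Path $OU -PassThru
        }
        Add-GroupMemberIfMissing -Group $u -Member $global
        $member = $u
    }
    Add-GroupMemberIfMissing -Group $dl -Member $member
    return $dl
}

function Test-ResourceGroupHygiene {
    param([Parameter(Mandatory)] [string] $GroupName)
    # An ACL (Domain Local) group should contain only groups; direct users bypass the role model.
    $members = Get-ADGroupMember -Identity $GroupName
    $direct  = $members | Where-Object { $_.objectClass -ne 'group' }
    if ($direct) {
        Write-Warning "$GroupName has direct non-group members: $($direct.SamAccountName -join ', ')"
        return $false
    }
    return $true
}

# Usage (placeholder names; add -WhatIf first to preview):
# $dl = New-ResourceAccessGroup -ResourceName 'FS01-Finance-RW' -RoleGroup 'Role-Finance' `
#                               -OU 'OU=ResourceGroups,DC=corp,DC=example'
# Test-ResourceGroupHygiene -GroupName $dl.SamAccountName
```

Because the script refuses to run without an existing Global role group, each new share adds one group (or two with -ViaUniversal) rather than three, which is the point the second answer makes; the hygiene check is worth scheduling against all ACL groups so that users added directly to a domain local group "just this once" get flagged before the model erodes.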