This post has been republished via RSS; it originally appeared at: Ask the Directory Services Team articles.
First published on TechNet on May 29, 2012Hi all, Ned here. Our friend Nir has another new DAC-related post up , this time on the File Cab blog:
If you need a reason to go read this, consider the following quote:
"So, we have 2,000 groups, 2,000 ACLs and many groups that are affected by a person changing a role not to mention the complexity of adding another level (say Branch) or the implications if we want to change the folder structure.
With Dynamic Access Control, you can cut the number of groups down from 2,000 to 71 (50 for country, 20 for department and 1 for sensitive data access). This is made possible by the ability to use expressions in Windows ACL. For example: You would use MemberOf (Spain_Security_Group) AND MemberOf (Finance_Security_Group) AND MemberOf(Sensitive_Security_Group) to limit access to Spain’s finance department sensitive information."
Get on over there and give it a read.
I swear we are going to post some original content here at some point. Just crushed under the load.
- Ned "sock puppet" Pyle