Case Study: Assigning Group Membership

SCENARIO

Palmetto Systems develops security software to protect client networks from unauthorized intrusions. Palmetto's system administrators are developing a Windows 2000 Active Directory group structure from scratch and want to ensure that the design provides the flexibility needed to grant appropriate resource permissions.

Palmetto is organized into four main departments: Software Engineering, Accounting, Sales, and the Executive Committee. Most of the employees in these departments need to share files only with other users in their department.

The Vice President for Software Development heads up the Software Engineering Department. He has three project teams that report to him—the Firewall team, the Intrusion Detection System team, and the Customer Support team. The Firewall team and Intrusion Detection team sometimes share data with each other but not with the Customer Support team.

The Accounting Department consists of five personnel—the Comptroller, two Accounts Receivable clerks, and two Accounts Payable clerks. The A/R clerks and A/P clerks each access different subsets of information, whereas the Comptroller requires access to all information in the department.

The Sales Department consists of 10 employees headed up by the Vice President for Sales. They are divided into two teams—Inside Sales and Outside Sales—and often share information with each other.

Finally, Palmetto's Executive Committee consists of the CEO and the three department heads. The members of this committee often share highly confidential data that they do not want disclosed to any other employees.

ANALYSIS

After examining the company's data sharing requirements, Palmetto's system administrators decide to organize their Active Directory groups along organizational lines. They first create a Palmetto Systems group at the top of the hierarchy. This group contains four subgroups—Executive Committee, Software Engineering, Accounting, and Sales.

The Executive Committee group contains no subgroups and four members—the CEO, Vice President for Software Development, Comptroller, and Vice President for Sales.

The Software Engineering group contains two subgroups—Development and Support. The Development group has no user members but two subgroups of its own—Firewall and IDS. These subgroups contain the members of their respective teams. The Support group contains the members of the Support team. The VP for Software Development is a member of the Firewall, IDS, and Support groups. This structure allows easy sharing of data between the Firewall and IDS groups that does not involve the Support team.

The Accounting group contains two subgroups—AR and AP, both of which contain the appropriate clerks. The Comptroller is a member of both subgroups. The Sales group also contains two subgroups corresponding to the Inside Sales and Outside Sales teams.

This structure facilitates data sharing along organizational lines. Furthermore, the use of groups rather than individual user accounts makes it quite simple to add, delete, and transfer users as personnel changes take place.