Security Group Efficiencies and How To Exploit Them

Security groups are used to simplify data and resource access in a complex environment like Windows Server with Active Directory.

Data access rights are specified at the individual file level, then back “up” through the folder system using a mix of inherited rights and declared rights.  Keep it simple: these really ARE just digitized piles of paper and folders.

If you have 10,000 files in 1,500 folders, then changes to individually-based permissions force an update to each affected folder and file.  This is a real-time index update of each file’s properties.  More likely you have hundreds of thousands of files in tens of thousands of folders.

Access is further subdivided by type:  can you read it, change it, delete it?  You should establish access permissions with client privacy and competitive advantage in mind.

Groups of users can be granted file and folder permissions.  Any update to group membership is made once, at the group membership index level (Jan is in, Jim is out), and does not have to re-assert the new access permissions over and over at the file level.

Adding UserX to the “Admin” group makes one change at the network admin level; granting UserX individual access forces thousands of changes at the file level.

Groups of groups work too. The “Company” group might contain the “Staff”, “Admin”, “Principal” and “Board” groups but not the “Contractor” group.  An “All User” group could then contain the “Company” and “Contractor” groups.

Groups allow rapid change to data and resource access status as individuals move in and out of groups.

Complication:  “Most restrictive wins” is the idea that any limitation of access rights cancels any expansion of rights.  If UserX is granted access to a file by group rights, but is individually denied rights at the file level then UserX cannot access the file.

Complication:  Inherited permissions are supposed to leverage folder structure so that, for instance, all subfolders under Budget could mimic permissions of the Budget folder.  You can, however, stop and start this inheritance so a mish-mash of rights may result.

Best Practice:  Keep an updated inventory of users and group membership including the purpose of any group.  Perform and log random access attempts to spot gaps and lapses.
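The three rules above (nested groups, “most restrictive wins”, and inheritance that can be stopped part-way down a tree) are easy to state and surprisingly easy to get wrong in a real folder structure. The following is an added example, not the post's own code and not a Windows API: it is a small Python model of those rules with a constructed group tree, constructed ACLs and made-up user names, plus the inventory and gap check the best practice calls for. One caveat the model deliberately ignores: real NTFS evaluates explicit entries before inherited ones, so an explicit allow on a file beats a deny inherited from a parent folder; the model applies the post's simpler “any deny cancels any allow” rule throughout.

```python
"""Effective-access model for nested security groups (added example, constructed data)."""
from collections import deque

# Constructed group tree: group name -> direct members (users or other groups).
GROUPS = {
    "All Users": {"Company", "Contractor"},
    "Company": {"Staff", "Admin", "Principal", "Board"},
    "Staff": {"jan"},
    "Admin": {"userx"},
    "Principal": set(),
    "Board": {"bea"},
    "Contractor": {"jim"},
}
USERS = ["jan", "jim", "userx", "bea"]          # constructed user accounts

# Constructed ACLs: path -> allow/deny entries (trustee -> rights) and whether
# the entry keeps inheriting from its parent folder.
ACL = {
    "/": {"allow": {"All Users": {"read"}}, "deny": {}, "inherit": True},
    "/Budget": {"allow": {"Admin": {"read", "write"}},
                "deny": {"Contractor": {"read", "write"}}, "inherit": True},
    "/Budget/2024": {"allow": {}, "deny": {}, "inherit": True},
    # Individual deny at file level: cancels the group-based write grant (the post's UserX case).
    "/Budget/2024/forecast.xlsx": {"allow": {}, "deny": {"userx": {"write"}}, "inherit": True},
    # Inheritance stopped here: nothing granted above /Budget/Archive applies below it.
    "/Budget/Archive": {"allow": {"Board": {"read"}}, "deny": {}, "inherit": False},
    "/Budget/Archive/minutes.docx": {"allow": {}, "deny": {}, "inherit": True},
}


def expand_groups(principal):
    """Every group `principal` belongs to, directly or through nested groups."""
    member_of = set()
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        for group, members in GROUPS.items():
            if current in members and group not in member_of:
                member_of.add(group)
                queue.append(group)
    return member_of


def inheritance_chain(path):
    """The path and its ancestors, nearest first, cut off where inheritance is stopped."""
    parts = [] if path == "/" else path.strip("/").split("/")
    while True:
        node = "/" + "/".join(parts)
        yield node
        if not parts or not ACL[node]["inherit"]:
            return
        parts.pop()


def collect_aces(user, path):
    """Union of all grants and union of all denies that reach `user` on `path`."""
    identities = {user} | expand_groups(user)
    allowed, denied = set(), set()
    for node in inheritance_chain(path):
        for trustee, rights in ACL[node]["allow"].items():
            if trustee in identities:
                allowed |= rights
        for trustee, rights in ACL[node]["deny"].items():
            if trustee in identities:
                denied |= rights
    return allowed, denied


def effective_rights(user, path):
    """Rights `user` actually holds on `path` under 'most restrictive wins'."""
    allowed, denied = collect_aces(user, path)
    return allowed - denied


def access_inventory():
    """Every user's effective rights on every path: the inventory the post recommends keeping."""
    return {(user, path): sorted(effective_rights(user, path))
            for user in USERS for path in ACL}


def shadowed_grants():
    """Grants that exist on paper but are cancelled by a deny: gaps an audit should surface."""
    findings = []
    for user in USERS:
        for path in ACL:
            allowed, denied = collect_aces(user, path)
            for right in sorted(allowed & denied):
                findings.append((user, path, right))
    return findings


if __name__ == "__main__":
    for (user, path), rights in access_inventory().items():
        print(f"{user:6} {path:30} {','.join(rights) or '-'}")
    print("shadowed grants:", shadowed_grants())
```

Two rows of the inventory are the ones worth studying: UserX keeps read but loses write on forecast.xlsx because the file-level deny beats the Admin group's grant, and UserX has nothing at all under /Budget/Archive because the inheritance break cut the Admin grant off, even though the rest of /Budget still honours it.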

UNSOLICITED BUSINESS RECOMMENDATION:  Microsoft has never given any meaningful data-file organizational tools to its Windows Server admins… their approach is mechanical and clumsy.  A third-party vendor Varonis re-processes this folder-centric system into a database that allows you to query dynamically, and visualize the actual permissions associated with a file and/or folder.  They then provide tools to analyze and manage the data file collection.

Data Definition: Pick a number between 1 and 1000

Computer Sorting – CRM Data Definition Example

Computers are very good at finding significant data in a large pool of information based on established alpha-numeric-symbol patterns. CRM field design establishes the purpose and content of EVERY field based on how it can be used to qualify/disqualify information from analysis. Careful field design yields quick and reliable data classification by exploiting basic computing decision points. Yes-No. Greater than-Less than. Contains-Excludes. On-off.

Precise information is KEY.

Optional exercise

As an example, let’s play a game: You pick a number between 1 and 1000. I bet I can identify that number in ten guesses or less. For this example, let’s use the number 272.

Rules: You must answer each guess yes/no, and you must admit if your number is one of the guess boundaries.

Guess1: Is the number above 500? Answer1 = No.
Eliminate upper 500 numbers. Now guess between 1 and 499.

Guess2: Is the number above 250? Answer2 = Yes.
Eliminate lower 250 numbers, now guess between 251 and 499.

Guess3: Is the number above 375? Answer3 = No.
Eliminate upper 125 numbers, now guess between 251 and 374.

Guess4: Is the number above 312? Answer4 = No.
Eliminate upper 62 numbers, now guess between 251 and 311.

Guess5: Is the number above 280? Answer5 = No.
Eliminate upper 31 numbers, now guess between 251 and 279.

Guess6: Is the number above 265? Answer6 = Yes.
Eliminate lower 15 numbers, now guess between 266 and 279.

Guess7: Is the number above 272? The number is 272.

This is a math game for kids learning to add, subtract and divide numbers (find median in range) but it also shows the logic of a search that quickly eliminates unqualified data.

[This is also a nerd drinking game with emphasis on computational speed.]
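The game above is a binary search: each question halves what is still possible, so a range of 1,000 numbers collapses in about ten questions. The following is an added example, not the post's own code; it generalises the game to any range and any secret, applies the post's boundary rule (a guess that lands exactly on the number must be admitted), and checks the worst case over the whole range. The oracle and the trace format are my own construction.

```python
"""Guess-the-number as a search that halves the candidate range each turn (added example)."""


def boundary_oracle(secret):
    """Answers the question 'is it above `guess`?' under the post's rules."""
    def answer(guess):
        if guess == secret:
            return "equal"                  # boundary rule: admit a direct hit
        return "yes" if secret > guess else "no"
    return answer


def find_number(answer, lo=1, hi=1000):
    """Locate the secret in lo..hi; returns (number, guesses_used, trace)."""
    trace = []
    guesses = 0
    while lo <= hi:
        guess = (lo + hi) // 2              # midpoint of what is still possible
        guesses += 1
        reply = answer(guess)
        trace.append((guesses, guess, reply, lo, hi))
        if reply == "equal":
            return guess, guesses, trace
        if reply == "yes":
            lo = guess + 1                  # eliminate the lower half
        else:
            hi = guess - 1                  # eliminate the upper half
    raise ValueError("secret was not inside the starting range")


def worst_case(lo=1, hi=1000):
    """Most guesses any secret in lo..hi can take: floor(log2(size)) + 1, i.e. size.bit_length()."""
    return max(find_number(boundary_oracle(s), lo, hi)[1] for s in range(lo, hi + 1))


if __name__ == "__main__":
    number, used, trace = find_number(boundary_oracle(272))
    for n, guess, reply, lo, hi in trace:
        print(f"Guess{n}: between {lo} and {hi}, above {guess}? {reply}")
    print(f"Found {number} in {used} guesses; worst case over 1..1000 is {worst_case()}")
```

Picking the exact midpoint every time reaches 272 in ten guesses rather than the post's seven (the post rounds its midpoints a little differently), but the mechanical version never needs more than ten for any number between 1 and 1000, which is the property a data-elimination search relies on.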

We could use a similar data-elimination approach to sort CRM Referral Information. Think of it as three tiers of data, each tier limiting the options of the next tier: Referral Type, Referral Source, Referral Contact.

Arnold, Barr & Conner
Bubble Bank
Center City Accounting
Jane Cook, Esq.

REFERRAL TIER3: Within SOURCE Bubble Bank, pick a CONTACT

Barry Bonds
Colletta Cash
Edward Ignatius
Mac Daniels

REFERRAL = COI – Bubble Bank – Colletta Cash

Once you select the TYPE, using this example, you have substantially narrowed the search to only COI entities; once you pinpoint the COI SOURCE, you’ve eliminated hundreds and hundreds of contacts who aren’t associated with that COI SOURCE. We could have a thousand contacts and you’ve drilled down to a handful in two questions.

This also allows us to “scoop” information as needed. We get the big picture of overall referral flow with TYPE (all COI), we clarify the focus with SOURCE (specific COI) then we pinpoint the CONTACT detail identifying the person who made the referral.
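The three-tier drill-down (TYPE, then SOURCE, then CONTACT) is a nested index: once a tier is answered, every record outside that answer is gone from the next tier. The following is an added example, not the post's own code or any CRM's API. The COI sources and the Bubble Bank contacts are the ones named in the post; the contact names for the other COI sources, and the second referral type (“CLIENT”) with its rows, are constructed for contrast.

```python
"""Three-tier referral lookup: TYPE narrows SOURCE, SOURCE narrows CONTACT (added example)."""
from collections import defaultdict

# Constructed CRM records: (referral_type, referral_source, referral_contact).
REFERRALS = [
    ("COI", "Arnold, Barr & Conner", "Alan Arnold"),        # contact name constructed
    ("COI", "Bubble Bank", "Barry Bonds"),
    ("COI", "Bubble Bank", "Colletta Cash"),
    ("COI", "Bubble Bank", "Edward Ignatius"),
    ("COI", "Bubble Bank", "Mac Daniels"),
    ("COI", "Center City Accounting", "Carla Center"),      # contact name constructed
    ("COI", "Jane Cook, Esq.", "Jane Cook"),
    ("CLIENT", "Acme Widgets", "Wanda Widget"),             # type and rows constructed
    ("CLIENT", "Acme Widgets", "Walter Widget"),
]


def build_index(records):
    """Nest records as type -> source -> set of contacts, so each tier is one dictionary lookup."""
    index = defaultdict(lambda: defaultdict(set))
    for rtype, source, contact in records:
        index[rtype][source].add(contact)
    return index


def tier1_types(index):
    """The big picture: every referral TYPE in the data."""
    return sorted(index)


def tier2_sources(index, rtype):
    """Sources still in play once a TYPE is chosen; everything else is eliminated."""
    return sorted(index[rtype]) if rtype in index else []


def tier3_contacts(index, rtype, source):
    """Contacts still in play once TYPE and SOURCE are chosen."""
    return sorted(index.get(rtype, {}).get(source, set()))


def referral_key(index, rtype, source, contact):
    """Validate the drill-down and return the post's 'TYPE – SOURCE – CONTACT' key."""
    if contact not in tier3_contacts(index, rtype, source):
        raise KeyError(f"{contact!r} is not a contact of {source!r} under {rtype!r}")
    return f"{rtype} – {source} – {contact}"


def candidates_remaining(records, rtype=None, source=None):
    """How many contact rows survive after each answered question."""
    return sum(1 for t, s, _ in records
               if (rtype is None or t == rtype) and (source is None or s == source))


if __name__ == "__main__":
    index = build_index(REFERRALS)
    print("TIER1 types:   ", tier1_types(index))
    print("TIER2 sources: ", tier2_sources(index, "COI"))
    print("TIER3 contacts:", tier3_contacts(index, "COI", "Bubble Bank"))
    print("REFERRAL =", referral_key(index, "COI", "Bubble Bank", "Colletta Cash"))
    for args in [(), ("COI",), ("COI", "Bubble Bank")]:
        print(f"after {len(args)} question(s): {candidates_remaining(REFERRALS, *args)} candidates")
```

The validation in `referral_key` is the part worth keeping in a real system: a referral recorded against a contact who does not belong to the chosen source is exactly the kind of mis-classified row that later breaks the yes/no sorting the post describes.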