Identifying Individuals to Maintain Security Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By delegating security group maintenance to the appropriate individuals, you can ensure that requests for changes in membership are evaluated by individuals who can judge the appropriateness of the request, have the authority to make the change, and are motivated to keep group membership and access permissions correct and up-to-date.

Ideally, an employee who is familiar with the personnel, such as a department administrative assistant, is responsible for managing the membership of an account group. Because security groups in Windows Server 2003 can also be used as Microsoft® Exchange 2000 mailing lists, it is both convenient and cost-effective to have an individual maintain the account group for both purposes. This requires delegating read and write permissions for the group to the selected individual.
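As an added example, not taken from the original article, the delegation described above can be carried out with dsacls.exe (shipped in the Windows Server 2003 Support Tools); the group's distinguished name and the delegate's account below are placeholders, and the grant is scoped to the member attribute rather than generic write on the group object.

```powershell
# Added example (not from the original article): delegate maintenance of one
# account group's membership to one person with dsacls.exe.
$group    = 'CN=Sales Users,OU=Sales,DC=corp,DC=example,DC=com'   # assumed DN
$delegate = 'CORP\jsmith'                                          # assumed account

# Grant read (RP) and write (WP) on the 'member' attribute only. The delegate
# can then add and remove members but cannot rename the group, change its
# scope or type, or edit its other attributes (least privilege for this task).
dsacls $group /G "${delegate}:RP;member" "${delegate}:WP;member"

# Verify the resulting ACL and show only the entries that name the delegate.
dsacls $group | Select-String -Pattern ([regex]::Escape($delegate))
```

Do not use this on built-in or protected groups (for example Domain Admins): the AdminSDHolder process periodically rewrites their ACLs, so the delegation would be silently removed, and such groups should not be maintained by a departmental delegate in any case.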

It is recommended that resource owners set ACLs because they are best able to supervise access to the resource. For example, the file server operator who maintains a department’s shared directories is the logical candidate to be responsible for adding resource groups to the ACLs of the shares. Similarly, the person who is responsible for departmental printers is the best choice to manage the membership of the applicable printer resource groups.