Defining a Security Group Naming Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Establishing a forest-wide or enterprise-wide naming convention for security groups helps to ensure that secure access control in your organization is not compromised. Without a universal naming convention, the potential for user error when adding or removing members and selecting the correct group increases substantially.

For example, when adding members to or removing members from groups, users select from a list of all groups in the forest, but cannot view information about the groups, such as membership or scope. Groups with similar or cryptic names might be selected accidentally. The consequences of granting access to the wrong group can be serious, causing members to have access to restricted resources or to be denied access to resources that are necessary for job tasks.

When establishing a security group naming convention for your organization, ensure that it does the following:

  • Provides for the inclusion of information about the group’s scope, purpose, and owner in its name and its description. This helps to differentiate each group from similar groups.

  • Conforms to a hierarchy of standard labels to be used in a fixed order, beginning with the most general labels and ending with the most specific labels. This allows group names to be sorted alphabetically into an organized list.

In addition, consider the following when creating group names and descriptions:

  • Both the name and description of a security group can include up to 256 characters.

  • The first 20 characters of the name are usually visible in a list of security groups without resizing columns and scrolling. When viewing the Properties dialog box of the group, about 50 characters of the group name are viewable. You might want to abbreviate the organizational labels used in the group name to ensure that the distinguishing portion of the group name can be viewed in these environments.

You can apply any naming strategy that works for your organization, as long as group names provide enough information to distinguish them from other groups. A common approach is to create a security group naming standard that organizes groups according to the business structure of your organization. In this way, group names are composed of labels that represent your company’s organization, such as division, department, team, and task.

Without descriptive labels, it is possible to create confusing group names. Three divisions, for example, might have similar group names for their sales groups. If someone searches for the sales group, it is difficult to know if "Sales," "Sales Group," or "AllSales" is the correct group. Adding more organizationally descriptive labels can take time and planning, but user group searches and rights assignments are more accurate as a result.

These labels are placed in order from most general to most specific, with the final label reflecting the purpose or content of the group, thus distinguishing the group name from similar names. For example, the following three group names represent different sales teams within the Avionics Division Sales Department of a corporation:

  • Avionics Sales GovtContracts

  • Avionics Sales RetailSales

  • Avionics Sales TeleSales

Some organizations are based on domain membership. The following are examples of typical group names, where "Con" represents a domain in the fictional company "Contoso."

  • Con-Sales-Clerical-Users

  • Con-Sales-Mgmt-Users

  • Con-Support-HelpDesk-Users

  • Con-Support-HelpDesk-Resources

  • Con-Support-Shipping-Users

Some organizations are based on geographical location. The following group names might represent printer resources in the Boston and Seattle remote offices:

  • BOS-Printers-Floor3-Laser

  • BOS-Printers-Floor3-Color

  • SEA-Printers-Reception-Laser

  • SEA-Printers-Lab-LargeFormat

An organized system for naming groups makes it easy to locate the correct security group, and helps protect against duplicate naming. Users can search for related groups by entering the first few letters of the group name in the Select Users, Contacts, Computers or Groups dialog box. For example, they can filter the list for "Avionics Sales" groups.

The list of group names in the Select Users, Contacts, Computers or Groups dialog box also displays each group’s description string. This added field can be used to include other attributes of the group, such as the group scope, the name of the person who maintains the group, and a brief statement of the group’s purpose. The following are examples of group descriptions:

  • Avionics Support HelpDesk Resources: Domain local resource group for help desk resource ACLs, maintained by Bjones x2344.

  • Avionics HumanRes AllUsers: Global account group of all human resources user accounts, maintained by Ssmith x9488.

Important

  • Windows Server 2003 does not provide any software support for enforcing a naming standard. Establish your naming policy and communicate it to all employees in your organization who have been delegated the right to create security groups.
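Because the operating system does not enforce the naming standard, an administrator can audit an exported list of group names and descriptions against it instead. The following script is an added example written for this article (not Microsoft's code and not part of Windows Server 2003); the "-" separator, the approved prefixes, the scope words and the sample groups are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumptions for this example: labels are separated by "-", ordered from most
# general to most specific, the first label is an approved domain/site prefix
# and the last label states the group's purpose. Prefixes are constructed.
APPROVED_PREFIXES = {"Con", "BOS", "SEA"}
SCOPE_WORDS = ("domain local", "global", "universal")
MAX_LEN = 256         # name/description limit given in the article
VISIBLE_CHARS = 20    # characters shown in a group list without resizing
LABEL_RE = re.compile(r"[A-Za-z0-9]+")


def check_group(name: str, description: str) -> list[str]:
    """Return policy findings for one group; an empty list means compliant."""
    findings = []
    if len(name) > MAX_LEN or len(description) > MAX_LEN:
        findings.append(f"name or description exceeds {MAX_LEN} characters")
    labels = name.split("-")
    if len(labels) < 3:
        findings.append("need at least prefix, organizational label and purpose")
    if labels[0] not in APPROVED_PREFIXES:
        findings.append(f"unknown prefix {labels[0]!r}")
    bad = [lab for lab in labels if not LABEL_RE.fullmatch(lab)]
    if bad:
        findings.append(f"labels with invalid characters: {bad}")
    # The distinguishing (last) label should start inside the visible window.
    if len(name) - len(labels[-1]) > VISIBLE_CHARS:
        findings.append(f"warning: purpose label starts after column {VISIBLE_CHARS}")
    desc = description.lower()
    if not any(word in desc for word in SCOPE_WORDS):
        findings.append("description does not state the group scope")
    if "maintained by" not in desc:
        findings.append("description does not name an owner")
    return findings


def find_near_duplicates(names: list[str]) -> list[list[str]]:
    """Group names that differ only by case, spacing or separators."""
    buckets = defaultdict(list)
    for name in names:
        buckets[re.sub(r"[^a-z0-9]", "", name.lower())].append(name)
    return [group for group in buckets.values() if len(group) > 1]


if __name__ == "__main__":   # constructed sample export of (name, description)
    sample = [("Con-Sales-Clerical-Users", "Global account group of clerical sales "
               "user accounts, maintained by Ssmith x9488."), ("Sales Group", "")]
    for name, desc in sample:
        print(name, "->", check_group(name, desc) or "OK")
    print("near-duplicates:", find_near_duplicates(["Con-Sales-Users", "ConSalesUsers"]))
```

Findings prefixed "warning:" mirror the article's advice to abbreviate organizational labels rather than a hard rule, so a reviewer can decide case by case.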