Hi folks,
Slightly off-topic here -- i.e,. related to managing Windows environments
generally, rather than just Active Directory.
I'm wondering whether any of you have seen good business processes for
managing share creation (and for that matter, deletion)?
We are working with a large multi-national where the current process by
which business users request new shares (i.e., network-attached, shared,
access-controlled disk space), and by which those requests are approved
and implemented, is pretty weak.
We are hoping to help them automate this process, but would obviously like
to lock it down first.
For example -- can any user request creation of a new share?
If not, who can/can't?
Should users specify a share name, server name and disk volume or should
these variables be calculated based on variables such as the user's
location and amount of disk space requested?
If you do let users choose, how would they know which server and
disk volume to pick?
If you automate server/share name/volume assignment, do you have
standards for things like new share names?
Do you typically apply quotas to new shares?
Do you typically over-subscribe disk? i.e., user A asks for 10GB, user B
asks for 20GB, you create 2 shares on a 25GB disk volume on the theory --
like the airlines use -- that actual usage will be less than reserved
usage.
How should a file server be assigned?
What happens if there is not already a server with adequate
disk space?
How does the server-selection process escalate to requisitioning
physical hardware?
a server and disk volume have been assigned, should someone (e.g.,
like a server owner or disk space owner) approve the request before it
is authorized?
If so, how do you assign owners/authorizers to servers?
Should requests include timeouts and renewals, such that un-renewed requests
are auto-terminated (share deleted)?
If so, do you give users advance warning and an opportunity to renew?
How do you handle cases where shares get full?
Can users ask for more space?
Do you have system monitoring software alert someone that
a given disk volume is getting full?
Do you normally setup shares as visible to all users, and manage ACLs
on NTFS, or do you also apply ACLs to the shares directly?
Do you generally ask users to define ACLs using existing AD groups, or
require the creation of new AD groups?
What scope of groups do you typically use in ACLs?
(Universal, domain global, domain local, or even server local?)
Does NAS change any of the above?
Is there anything else I should ask about? :-)
I hope to assemble some best practices from your responses, and set our
customer off in the right direction from the start.
Since this is a rather lengthy inquiry, and the results might be valuable
to everyone, I promise to summarize any and all good advice and post
back to this list in a single, legible e-mail.
Thanks!