– Manny Vellon, chief technology officer with Likewise Software (www.likewise.com), says:

Security groups are a great way to map “roles” into entities that can be enforced by the operating system. Maintaining a group is a lot easier than maintaining explicit user lists in various different systems. Likewise uses AD security groups in various ways to control access to machines and also individual privileges via sudo in Linux/UNIX.

It is important, however, to try to keep things simple. We have encountered many organizations that end up with more groups than employees.

Note, however, that your initial plan will never be right. If 50% of the users in the Finance department are requesting access to another computer, there’s probably a systemic reason for their need. If you can discover what it is (perhaps it’s all the folks in Accounts Receivable), then you can turn that into a business rule that gets automatically applied whenever new employee accounts are provisioned.

Likewise frequently encounters customers who deploy UNIX and Linux machines because they want better security, then completely sabotage their efforts by employing poor security practices. Running standalone authentication and logging in with privileged (root) accounts is a recipe for disaster.