Best practice: Groups
We have a finance software package that will be sitting on a 2008 R2 box connected to our Active Directory.
It uses two Windows groups to assign appropriate security rights (the database is SQL, so the groups are effectively added as SQL users to assign the rights as required).
Now the members of the groups are pulled from Active Directory as it is just the Finance staff normal login accounts, but is it best practice to place the actual groups in the Active Directory or just have them on the Finance server since that is the only software that will be using the groups?
Hope this makes some form of sense!
I think the answer is, it depends.
Which is more likely in your environment?
a) the service and data need to be migrated to a new server
b) the server, service and data need to be migrated to a new domain
if a) then Universal Groups from AD
if b) then put the Universal groups from AD into groups local to the SQL server SAM.
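The two options from the answer above, wired up as an added example that is not part of the original thread. The names `CONTOSO`, `Finance-Users`, `Finance-Admins`, `FIN_` and `FinanceDB` are placeholders; it assumes an elevated prompt on the SQL server, `sqlcmd` on the path, and a Windows account with sysadmin rights on the local default instance.

```powershell
# Added example. All names below are constructed placeholders, not values from the thread.
$Domain          = 'CONTOSO'
$Database        = 'FinanceDB'
$AdGroups        = 'Finance-Users', 'Finance-Admins'   # the two groups the package uses
$UseLocalWrapper = $true    # $false = option a), $true = option b)

foreach ($g in $AdGroups) {
    # Option a): SQL Server trusts the AD group directly.
    $principal = "$Domain\$g"

    if ($UseLocalWrapper) {
        # Option b): create a group in the server's local SAM and nest the
        # AD group inside it. SQL Server only ever sees the local group.
        $local = "FIN_$g"
        net localgroup $local /add
        net localgroup $local "$Domain\$g" /add
        $principal = "$env:COMPUTERNAME\$local"
    }

    # Create the Windows login and the matching database user if missing.
    # Role and permission assignment is left to the finance package.
    $sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$principal')
    CREATE LOGIN [$principal] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$principal')
    CREATE USER [$principal] FOR LOGIN [$principal];
"@
    sqlcmd -S . -E -b -Q $sql
}

# Review what ended up inside each local wrapper group.
if ($UseLocalWrapper) {
    foreach ($g in $AdGroups) { net localgroup "FIN_$g" }
}
```

With option b), a move to a new domain only means swapping the nested member of each local group; the SQL logins and their rights stay bound to the local group name. With option a), a move to a new server in the same domain only needs the logins recreated, since the groups and their membership live in AD.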