On 30 November 2010 09:03, Christopher Chan <christopher.chan at bradbury.edu.hk> wrote:
> On Monday, November 29, 2010 11:58 PM, aurfalien at gmail.com wrote:
>
>>>> You end up with a zillion groups - which is
>>>> pointless and unmaintainable. Thank goodness for ACL support and
>>>> setfacl/getfacl.
>>>
>>> So what do you do when you have user-specific ACLs splattered randomly
>>> through the filesystem and the members of the cooperating groups
>>> change?
>>
>> Perhaps consult with Winblows AD admins as I'm sure they deal with
>> this all the time.
>>
>> MS$ ACLs have been around for a very long time.
>>
>
> Heh. So we have been reduced to asking Windows admins how to implement
> best current practice.

I wouldn't... In my experience what you have in most AD environments is a mess...