I have come across this interesting architectural dilemma.

We have corporate users who log on to a mission-critical application using domain accounts, with their data areas locked down so that only their AD group/SID can access these files. The application can have life/death consequences, so many of the users don't trust cached credentials (some of them have been locked out by accident due to restrictive domain policies and accidental password attempts, domain admin mistakes, etc.). Therefore, as an emergency feature, the users also want to have their same accounts coexist as local accounts.

One of our architects has suggested creating local groups, nesting the corresponding domain group in each one, and adding both the built-in and domain groups to the filesystem ACLs in the GPO administrative template. The application would perform its role checking against the local group.

Does this suggestion make sense?

P.S. Security-wise, it is more important for the users to have an emergency access option to their data than the implications of unmanaged local policies.
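
The layout proposed in the question, sketched on a single machine as an added example that is not part of the original post. It uses the local-accounts cmdlets rather than a GPO template, and every name in it (`CONTOSO\WardA-Clinicians`, `WardA-Clinicians-Local`, `emerg.jsmith`, `D:\AppData\WardA`) is constructed. Placing the local emergency account directly in the local group is an assumption about how the design would be completed.

```powershell
# Constructed names for illustration only; run elevated on the workstation.
$domainGroup = 'CONTOSO\WardA-Clinicians'            # existing AD group
$localGroup  = 'WardA-Clinicians-Local'              # local group the app checks
$emergency   = "$env:COMPUTERNAME\emerg.jsmith"      # pre-created local account (assumption)
$dataPath    = 'D:\AppData\WardA'

# 1. Local group that nests the domain group and holds the emergency account.
if (-not (Get-LocalGroup -Name $localGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $localGroup -Description 'Role group checked by the application' | Out-Null
}
$existing = (Get-LocalGroupMember -Group $localGroup).Name
foreach ($member in $domainGroup, $emergency) {
    if ($existing -notcontains $member) {
        Add-LocalGroupMember -Group $localGroup -Member $member
    }
}

# 2. Grant both the domain group and the local group on the data area.
$acl = Get-Acl -Path $dataPath
foreach ($identity in $domainGroup, "$env:COMPUTERNAME\$localGroup") {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $dataPath -AclObject $acl

# 3. The role check the application would make: is the local group's SID in
#    the caller's token? A domain logon gets it through the nested domain
#    group, a local logon through direct membership.
$groupSid  = (Get-LocalGroup -Name $localGroup).SID
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$principal.IsInRole($groupSid)

# 4. Audit view: who actually holds the role on this machine, and from where.
Get-LocalGroupMember -Group $localGroup |
    Select-Object Name, ObjectClass, PrincipalSource
```

Group membership is resolved into the token at logon, so a membership change only shows up in the `IsInRole` result after the user signs in again. The `PrincipalSource` column in the last step separates `Local` members from `ActiveDirectory` ones, which is the list to review since the local accounts sit outside domain policy.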