Best practices for granting rights to various groups on directories in a Server 2003 AD domain

Take a look at mod_auth_pam: http://pam.sourceforge.net/mod_auth_pam/ (most distributions should have a package for it, if it is not included as standard with Apache).

You still use Apache basic auth, but the module lets you use local user accounts for authentication, as well as a range of other password databases. I will repeat the warning on the site above: this should be used in conjunction with SSL/TLS.

0
asked 13 May 2013 at 14:30
1 answer

There are best practices like nesting global groups into domain local groups on the file server and then applying only local groups to shares and NTFS permissions, yes. This dates back to Win2000 days: Best Practices for Groups

However, like SvW commented, nowadays it really boils down to your environment, requirements, and often your own IT experience of "that's how I've always done it."

For instance, for myself I tend to always do the following:

SHARES = Domain Admins get Full, Everyone gets Read/Write

Then I lock down rights at the NTFS level of the share, based on domain local groups named appropriately. I may or may not create global groups to nest into the domain local group. I typically use domain local groups since they can have remote trusted domain groups in them, making it easier in the future in a multi-forest environment.

Sub-folders that have to break inheritance for some reason might get unique groups as well. Other times I will be lazy and simply add 2 or 3 domain users directly to a share.

Sometimes I will even create local groups directly on the server, put domain users/groups in that server local group and apply that to a share.

But YMMV, and others may not like the way I do it. My advice is to create an environment that is easy to understand, manage, and hand off to a teammate or your eventual replacement.

1
answered 4 December 2019 at 21:17
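
The layout the answer describes (broad share permissions, access enforced at the NTFS level through a domain local group with a global group nested in it), as an added example that is not part of the original answer. The domain `EXAMPLE`, the OU, the group names and the path are placeholders chosen for illustration; `icacls` on Server 2003 requires SP2.

```bat
@echo off
rem Added example. Every name below is a placeholder (assumption), not from the post.
setlocal
set DOMAIN=EXAMPLE
set GROUPS_OU=OU=Groups,DC=example,DC=com
set SHARE_NAME=Finance
set SHARE_PATH=D:\Shares\Finance

rem 1. The global group holds the people; the domain local group carries the permission.
dsadd group "CN=GG_Finance_Staff,%GROUPS_OU%" -secgrp yes -scope g -samid GG_Finance_Staff
dsadd group "CN=DL_Finance_Modify,%GROUPS_OU%" -secgrp yes -scope l -samid DL_Finance_Modify

rem 2. Nest the global group into the domain local group.
dsmod group "CN=DL_Finance_Modify,%GROUPS_OU%" -addmbr "CN=GG_Finance_Staff,%GROUPS_OU%"

rem 3. Share permissions stay broad: Domain Admins Full, Everyone Read/Write (Change).
if not exist "%SHARE_PATH%" mkdir "%SHARE_PATH%"
net share %SHARE_NAME%="%SHARE_PATH%" /GRANT:"%DOMAIN%\Domain Admins",FULL /GRANT:Everyone,CHANGE

rem 4. The real restriction lives in NTFS: only the domain local group gets Modify,
rem    inherited by sub-folders (CI) and files (OI).
icacls "%SHARE_PATH%" /grant "%DOMAIN%\DL_Finance_Modify":(OI)(CI)M

rem 5. Review the result. Entries inherited from the parent folder are still listed
rem    here and need checking, since the effective access is share AND NTFS combined.
net share %SHARE_NAME%
icacls "%SHARE_PATH%"
dsget group "CN=DL_Finance_Modify,%GROUPS_OU%" -members

endlocal
```

Because the share grants Everyone Change, any overly permissive NTFS entry left on the folder becomes reachable over the network, so the `icacls` listing in step 5 is the output to read carefully.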
