• Help With Windows 2008 Share and NTFS Permissions


    #480040

    I am having trouble with permissions on my new 2008 server. Consider the following file structure:

    D:
    - Departments
        - Engineering
        - IT
        - Accounting
            - Capital Projects
            - Systems
            - Financials
            - Ledgers

    I would like to provide access to the Engineering directory for the Engineering group (group created in Active Directory Users and Computers). I would also like this department to view the Capital Projects folder in the Accounting folder. The same applies to the IT department and the Systems folder in the Accounting folder. I would like the Accounting group to have access to the full directory of Accounting with the exception of the Financials folder, which should be accessible by the CEO and CFO. I would also like to be able to use Access Based Enumeration so that the folders that users do not have access to are not visible to them.

    The only way I have been able to find so far is to give the users full share permissions on D:\Departments, and NTFS Security Read, Write, List Folder Contents on the departments they need to see, then on each folder I don’t want them to see, deny them all rights. This is obviously tedious and does not help when a new folder is created.

    Can anyone provide help with this?

    Mike

    • #1306751

      Actually, you pretty much have it right. MS best practice is to give Everyone Full Control at the share level, then at the NTFS level remove all users and groups, then add only the groups/users you want to have access. To give someone access to a directory under the share, but nothing else, you have to add them to that specific directory. It is tedious, but that’s how granular control works. Nobody ever said that security was easy. Even back in the days of NetWare. We have a lot of these situations where I work. In large organizations, maintaining this can be 50% or more of someone’s job. In smaller shops like yours, once you set it up, it’s done. Until a VP wants access to something he/she didn’t before…
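      The share/NTFS layout described in the reply above, applied to the tree from the question, as an added PowerShell example (not code from the original post). It assumes a domain whose NetBIOS name is CORP, AD groups named Engineering, IT and Accounting, and a group called Finance-Execs holding the CEO and CFO (all hypothetical names; a group is used instead of the two individuals). New-SmbShare needs Windows Server 2012 or later; on Server 2008 create the share with "net share Departments=D:\Departments /GRANT:Everyone,FULL" and turn on Access-Based Enumeration from Share and Storage Management. The NTFS part runs unchanged on 2008 (PowerShell 2.0).

```powershell
# Added example, not from the original thread. Assumed names: domain CORP, groups
# Engineering, IT, Accounting and Finance-Execs (CEO + CFO), tree D:\Departments.
$root   = 'D:\Departments'
$domain = 'CORP'

# Share level: Everyone Full Control, ABE on. All real control lives in NTFS.
# (Server 2012+ cmdlet; on 2008 use "net share" and Share and Storage Management.)
New-SmbShare -Name 'Departments' -Path $root -FullAccess 'Everyone' `
             -FolderEnumerationMode AccessBased | Out-Null

# Build an Allow ACE. Default scope is "this folder, subfolders and files";
# -ThisFolderOnly makes a non-inheriting ACE used only so a group can see and
# traverse a parent folder without gaining anything underneath it.
function New-Rule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$ThisFolderOnly
    )
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, 'None', 'Allow')
}

# Return a folder's ACL reset to a baseline: inheritance off, inherited ACEs dropped,
# only Administrators and SYSTEM kept. Caller adds its groups and calls Set-Acl.
function Get-BaselineAcl([string]$Path) {
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, do not copy inherited ACEs
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl
}

# 1. Root of the share: baseline plus a non-inheriting ReadAndExecute so any
#    authenticated user can open the share; ABE then shows each user only the
#    department folders they hold rights on. Nothing below the root is granted here.
$acl = Get-BaselineAcl $root
$acl.AddAccessRule((New-Rule 'Authenticated Users' 'ReadAndExecute' -ThisFolderOnly))
Set-Acl $root $acl

# 2. Department folders: one inherited ACE per group. Because the ACE inherits, a new
#    folder created under Engineering is automatically Engineering-only.
$grants = @{
    'Engineering'                 = @(@("$domain\Engineering", 'Modify'))
    'IT'                          = @(@("$domain\IT",          'Modify'))
    'Accounting'                  = @(@("$domain\Accounting",  'Modify'))
    'Accounting\Capital Projects' = @(@("$domain\Engineering", 'ReadAndExecute'))
    'Accounting\Systems'          = @(@("$domain\IT",          'ReadAndExecute'))
}
foreach ($folder in $grants.Keys) {
    $path = Join-Path $root $folder
    $acl  = Get-Acl $path
    foreach ($g in $grants[$folder]) { $acl.AddAccessRule((New-Rule $g[0] $g[1])) }
    Set-Acl $path $acl
}

# 3. Engineering and IT must be able to *see* Accounting to browse into their one
#    subfolder. A "this folder only" ACE on Accounting does that; ABE hides
#    Financials, Ledgers and the other group's folder from them.
$acct = Join-Path $root 'Accounting'
$acl  = Get-Acl $acct
foreach ($g in 'Engineering', 'IT') {
    $acl.AddAccessRule((New-Rule "$domain\$g" 'ReadAndExecute' -ThisFolderOnly))
}
Set-Acl $acct $acl

# 4. Financials: break inheritance so the Accounting group's ACE stops flowing in,
#    then grant only the executives' group. No Deny entries are needed anywhere.
$fin = Join-Path $root 'Accounting\Financials'
$acl = Get-BaselineAcl $fin
$acl.AddAccessRule((New-Rule "$domain\Finance-Execs" 'Modify'))
Set-Acl $fin $acl

# 5. Review the result: every folder's ACEs with their inheritance state.
Get-ChildItem $root -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
    "`n== $($_.FullName)"
    (Get-Acl $_.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
}
```

      Two points worth checking after running it. First, no Deny ACE is used: the "hide it" effect comes from each group simply having no ACE on the folders it should not see, which is what Access-Based Enumeration keys on, and it holds for new folders because the per-group ACEs inherit. Second, the non-inheriting ReadAndExecute entries (root, and Accounting for Engineering/IT) are the only reason those users can browse to their subfolders at all; without them the subfolder is still reachable by typing the full UNC path (users have "Bypass traverse checking" by default) but is invisible in Explorer.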

    • #1306776

      Try to keep the structure flat as it’s less work for you.
      Get the users to manage the group membership and therefore the access. Add someone as manager of the group and they can add or remove users. Adding a second user as manager requires giving them the special permission “write members”. Put the manager(s) names in the group description so you can tell at a glance who is the manager.
      Never give individuals NTFS folder permission, stick to groups.

      cheers, Paul
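      The group-manager delegation Paul describes, as an added PowerShell example (not part of his post). It assumes the Active Directory module (Server 2008 R2 or later), a hypothetical group CN=Engineering,OU=Groups,DC=corp,DC=example, and two hypothetical managers, jdoe and asmith. The ADUC "Manager can update membership list" checkbox does the same thing for a single manager; what it actually writes is an ACE on the group granting Write Property on the member attribute, which is the "write members" permission a second manager has to be given by hand.

```powershell
# Added example, not from the original thread. Assumed names: group DN below,
# managers jdoe and asmith in the CORP domain.
Import-Module ActiveDirectory

$groupDN  = 'CN=Engineering,OU=Groups,DC=corp,DC=example'
$managers = 'jdoe', 'asmith'

# 1. ManagedBy is informational (it fills the "Managed By" tab) and grants nothing.
#    Put the first manager there and list all of them in the description so the
#    owner is visible at a glance, as the post suggests.
Set-ADGroup -Identity $groupDN -ManagedBy (Get-ADUser $managers[0]) `
            -Description ('Managed by: ' + ($managers -join ', '))

# 2. The real permission: Allow WriteProperty on the 'member' attribute of the group
#    object, one ACE per manager. This GUID is the schemaIDGUID of 'member'.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$acl = Get-Acl "AD:\$groupDN"
foreach ($m in $managers) {
    $sid  = (Get-ADUser $m).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttrGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl "AD:\$groupDN" $acl

# 3. Verify: who can now write 'member' on this group. Anyone listed here can add
#    themselves or others to the group, so review this list as part of any audit.
(Get-Acl "AD:\$groupDN").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty' -and
                   $_.ObjectType -eq $memberAttrGuid } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

      The ACE is scoped to the single attribute, so a manager can change membership but cannot rename the group, move it, or change its own security. The verification step matters because the same right is what an attacker wants on a high-value group; running it against the groups that gate the NTFS folders above tells you exactly who can grant themselves access.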

      • #1306802

        > Try to keep the structure flat as it’s less work for you.
        > Get the users to manage the group membership and therefore the access. Add someone as manager of the group and they can add or remove users. Adding a second user as manager requires giving them the special permission “write members”. Put the manager(s) names in the group description so you can tell at a glance who is the manager.
        > Never give individuals NTFS folder permission, stick to groups.
        >
        > cheers, Paul

        What Paul said. All good advice and best practice methodology. Just be careful about who gets the ability to manage directory permissions. That can backfire with ugly results. I’ve only seen delegation done once or twice over the years and that was only because of managers that were control freaks. You know, the same ones that won’t let their underlings call the help desk on their own.
