  1. #1
    New Lounger
    Join Date
    Nov 2011
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Help With Windows 2008 Share and NTFS Permissions

    I am having trouble with permissions on my new 2008 server. Consider the following file structure:

    D:\
    - Departments
    - Engineering
    - IT
    - Accounting
    - Capital Projects
    - Systems
    - Financials
    - Ledgers


    I would like to provide access to the Engineering directory for the Engineering group (group created in Active Directory Users and Computers). I would also like this department to view the Capital Projects folder in the Accounting folder. The same applies to the IT department and Systems folder in the Accounting folder. I would like the Accounting group to have access to the full directory of accounting with the exception of the Financials folder, which should be accessible by the CEO and CFO. I would also like to be able to use Access Based Enumeration so that the folders that users do not have access to are not visible to them.

    The only way I have been able to find so far is to give the users full share permissions on d:\departments, and NTFS Security Read, Write, List Folder contents on the departments they need to see, then on each folder I don't want them to see, deny them all rights. This is obviously tedious and does not help when a new folder is created.

    Can anyone provide help with this?

    Mike
    Last edited by mchamp; 2011-11-15 at 07:44.

  3. #2
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 63 Times in 51 Posts
    Actually, you pretty much have it right. MS best practice is to give Everyone Full Control at the share level, then at the NTFS level remove all users and groups, then add only the groups/users you want to have access. To give someone access to a directory under the share, but nothing else, you have to add them to that specific directory. It is tedious, but that's how granular control works. Nobody ever said that security was easy. Even back in the days of NetWare. We have a lot of these situations where I work. In large organizations, maintaining this can be 50% or more of someone's job. In smaller shops like yours, once you set it up, it's done. Until a VP wants access to something he/she didn't before...
    Last edited by Doc Brown; 2011-11-15 at 08:39.
    Chuck

  4. #3
    Platinum Lounger
    Join Date
    Dec 2009
    Location
    Earth
    Posts
    3,616
    Thanks
    7
    Thanked 231 Times in 219 Posts
    Try to keep the structure flat as it's less work for you.
    Get the users to manage the group membership and therefore the access. Add someone as manager of the group and they can add or remove users. Adding a second user as manager requires giving them the special permission "write members". Put the manager(s) names in the group description so you can tell at a glance who is the manager.
    Never give individuals NTFS folder permission, stick to groups.

    cheers, Paul

  5. #4
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Milwaukee, WI
    Posts
    737
    Thanks
    23
    Thanked 63 Times in 51 Posts
    Quote Originally Posted by Paul T View Post
    Try to keep the structure flat as it's less work for you.
    Get the users to manage the group membership and therefore the access. Add someone as manager of the group and they can add or remove users. Adding a second user as manager requires giving them the special permission "write members". Put the manager(s) names in the group description so you can tell at a glance who is the manager.
    Never give individuals NTFS folder permission, stick to groups.

    cheers, Paul
    What Paul said. All good advice and best practice methodology. Just be careful about who gets the ability to manage directory permissions. That can backfire with ugly results. I've only seen delegation done once or twice over the years and that was only because of managers that were control freaks. You know, the same ones that won't let their underlings call the help desk on their own.
    Chuck
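
The layout from the question, set up the way posts #2 and #3 describe (Everyone Full Control on the share, explicit NTFS entries for groups only), as an added example that is not part of any post in this thread. The domain `CONTOSO`, the group names, the `Executives` group standing in for the CEO and CFO, and the choice of Modify versus read-only rights are assumptions.

```powershell
# Added example. CONTOSO and every group name below are placeholders.
# Assumes a fresh folder tree with no leftover explicit Deny entries.
$root   = 'D:\Departments'
$acct   = Join-Path $root 'Accounting'
$dom    = 'CONTOSO'
$admins = 'BUILTIN\Administrators:(OI)(CI)F', 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

function Set-FolderAcl([string]$Path, [string[]]$Aces, [switch]$BreakInheritance) {
    # Grant first, then drop inherited entries, so admins never lose access mid-change.
    icacls $Path /grant:r $Aces | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $Path" }
    if ($BreakInheritance) {
        icacls $Path /inheritance:r | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance failed on $Path" }
    }
}

# Share level: Everyone Full Control; NTFS does the filtering.
# Skip this line if the folder is already shared.
net share "Departments=$root" /GRANT:Everyone,FULL

# Root: admins inherit downward; each group gets RX on this folder only
# (no OI/CI flags), enough to list the root and nothing below it.
Set-FolderAcl -Path $root -BreakInheritance -Aces ($admins +
    "$dom\Engineering:(RX)", "$dom\IT:(RX)", "$dom\Accounting:(RX)", "$dom\Executives:(RX)")

# Department folders: Modify for the owning group, inherited by new content.
Set-FolderAcl -Path (Join-Path $root 'Engineering') -Aces "$dom\Engineering:(OI)(CI)M"
Set-FolderAcl -Path (Join-Path $root 'IT')          -Aces "$dom\IT:(OI)(CI)M"

# Accounting: full tree for Accounting; the other groups may only pass through.
Set-FolderAcl -Path $acct -Aces "$dom\Accounting:(OI)(CI)M",
    "$dom\Engineering:(RX)", "$dom\IT:(RX)", "$dom\Executives:(RX)"

# Read-only views into two Accounting subfolders.
Set-FolderAcl -Path (Join-Path $acct 'Capital Projects') -Aces "$dom\Engineering:(OI)(CI)RX"
Set-FolderAcl -Path (Join-Path $acct 'Systems')          -Aces "$dom\IT:(OI)(CI)RX"

# Financials: cut inheritance so the Accounting group's entry does not apply here.
Set-FolderAcl -Path (Join-Path $acct 'Financials') -BreakInheritance -Aces ($admins +
    "$dom\Executives:(OI)(CI)M")

# Review the result; access-based enumeration itself is switched on in the
# share's advanced properties (Share and Storage Management on Server 2008).
icacls $root /T /C | Select-String -Pattern 'Departments|CONTOSO'
```

Because Engineering, IT and Executives hold only a this-folder-only entry on Accounting, a folder created there later inherits nothing for them, so no Deny entries are needed. With access-based enumeration enabled on the share, folders a group cannot read are not listed for its members.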
