best practice directory access control

Status
Not open for further replies.

computerjock33

Technical User
Jul 31, 2006
41
US
You will probably see several questions from me as we move from NetWare eDirectory to Microsoft AD. My latest question is in regards to the best practice of assigning rights to directories/shares. I have a handful of directories set up as shares and then a ton of subdirectories under each. I need to assign proper rights to each of the subdirectories depending on the groups users belong to. I've found that I can simply deny write to the groups that don't need to write to them, but that doesn't seem to be best practice from my reading. Any advice? I hate to set up each subdirectory as a share as that would become an admin nightmare. Thank you for any suggestions.
 
When combining NTFS with Share permissions, the most restrictive permissions between the two will prevail. This being said, the best way to set up access to Shares is to give 'Everyone' Full Control Share permissions and then control access with NTFS permissions (be sure to remove 'Everyone' from the Security tab of the folder). This will make troubleshooting access to shares much easier if a problem arises. Here is some reading that will offer some advice for recommended practices for setting up permissions.

- Planning Access to Shared Folders
- Permissions on a file server
- How Permissions Work
- How IT works: NTFS Permissions
- How IT works: NTFS Permissions, Part 2

If you want to control access to subdirectories you could just remove the specific group from the Security tab. Or you could remove the inherited permissions from the folder and add only the groups you want to have access as was the case here: thread931-1397619.



Joey
CCNA, MCP, A+, Network+, Wireless#
 
I will definitely check out the links. Thank you. So using the deny NTFS rights is not that uncommon?
 
Here is what the first link says about denying access:

You do not need to deny permissions for specific groups. When permission to perform an operation is not explicitly granted, it is implicitly denied. For example, if you allow the Marketing group, and only the Marketing group, permission to access a shared folder, users who are not members of the Marketing group are implicitly denied access. The operating system does not allow users who are not members of the Marketing group to access the folder.

Deny access to folders only in the following scenarios:

• You want to exclude a subset of a group (for example, an individual user) that has permissions.

• You want to exclude one or more special permissions when you have already granted Full Control to a user or group.



Joey
CCNA, MCP, A+, Network+, Wireless#
 
OK, let's say I have a directory called Accounting with 100 or so subdirectories. A group called Accounting has full rights to the Accounting directory and all subdirectories.
However, there are several subdirectories under Accounting that everyone can see and several that everyone can't see. How do I keep "everyone" from seeing all the directories under Accounting and let 'everyone' see the ones they are supposed to? If I deny "everyone" on the folders that they don't need to see, then the accounting folks won't be able to see them either, because they are in the Everyone group as well. Thanks again.
 
Or even simpler: the shared directory is Accounting, with subdirectories of month end, year end, test. I create a user called test and give him Read share permission on Accounting, and NTFS security of R&E, List, and R. Then I give test full rights on the subdirectory test. But I am unable to create a new folder in test while logged in as test. Looks like he would have R on all directories and RW on test. I know I'm missing something simple.
Thanks
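As an added example (not code from any poster in this thread): a small Python model of the rule stated in the first reply, that the most restrictive of the share and NTFS permissions wins, run against the Accounting/test scenario just described. The group memberships and ACL entries are constructed for illustration.

```python
# Added example: model of how Windows combines share and NTFS permissions.
# Rights are atomic flags so the two permission sets can be intersected.
READ = frozenset({"list", "read", "execute"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions", "take_ownership"}

# Share permission levels and the NTFS levels used in the thread.
SHARE = {"Read": READ, "Change": CHANGE, "Full Control": FULL}
NTFS = {"Read & Execute": READ, "Modify": CHANGE, "Full Control": FULL}

def resolve(aces, groups):
    """Evaluate one ACL. aces: (principal, 'Allow'|'Deny', rights).
    An explicit Deny removes rights granted by any Allow; a right that no
    ACE grants is implicitly denied, so outsiders need no Deny entry."""
    allowed, denied = set(), set()
    for principal, kind, rights in aces:
        if principal in groups:
            (denied if kind == "Deny" else allowed).update(rights)
    return frozenset(allowed - denied)

def effective(share_aces, ntfs_aces, groups):
    """Access through a share: the most restrictive of the two ACLs wins,
    i.e. only rights present in BOTH survive."""
    return resolve(share_aces, groups) & resolve(ntfs_aces, groups)

# Token groups of user 'test' (constructed; Everyone is implicit on Windows).
TEST_USER = {"test", "Everyone", "Authenticated Users"}
# NTFS ACL on the 'test' subfolder: Read & Execute inherited from Accounting
# plus the explicit Full Control added on the subfolder itself.
SUBFOLDER_TEST = [("test", "Allow", NTFS["Read & Execute"]),
                  ("test", "Allow", NTFS["Full Control"])]

def as_posted():
    """Share permission for 'test' is Read: Full Control on the subfolder
    is capped to Read, so creating a folder ('write') is refused."""
    share = [("test", "Allow", SHARE["Read"])]
    return effective(share, SUBFOLDER_TEST, TEST_USER)

def as_recommended():
    """Share grants Everyone Full Control; NTFS alone decides the outcome."""
    share = [("Everyone", "Allow", SHARE["Full Control"])]
    return effective(share, SUBFOLDER_TEST, TEST_USER)

def outsider():
    """A user in no allowed group gets nothing: implicit deny, no Deny ACE."""
    share = [("Everyone", "Allow", SHARE["Full Control"])]
    ntfs = [("Accounting", "Allow", NTFS["Modify"])]
    return effective(share, ntfs, {"Sales", "Everyone", "Authenticated Users"})
```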
 
Don't use the "Everyone" group for anything; instead use Authenticated Users, which tightens it up a bit for you.

In your scenario you would give Accounting full access to the main folder and then by default all subfolders. If there's a subset of Accounting that you don't want to have access to certain subfolders, put them in their own group and then deny them access to those folders, using the deny method.

Personally, I don't like using denies; it complicates things. Instead, I'd create a subset of the Accounting group that needs permission to some of the subfolders, and grant them access to those folders only on the security level. The full Accounting group will still see the folders, but they won't be able to access them.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Wow, so in my move from NDS to AD I will need to create a subgroup containing members that are not of my group, for each group I have in NDS? That could become an administrative nightmare. Thanks for the advice; maybe I will have a creative brainstorm in the middle of this.
 
computerjock33 -
Egad, I'm doing the exact same thing, converting from NW 6.5 to AD. This is a nightmare.

"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Every group is a subset of another by default, so I don't see why it's an administrative nightmare in any way. Different? Sure, but just like I'd hate to have to go to NDS from AD.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
How do you keep track of the exceptions? By naming convention only?

For instance, in your Accounting scenario, what do you call the subset? Accounting1, accounting2, etc ?

I can see many many groups needed, how do I keep track of what group has what permissions?

Not trying to be antagonistic, just trying to figure out how to organize this. This is very different from what I'm used to.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
It's just something you'll have to sort out yourself. What I do is put a description in when I create the group.

Your other logical solution is not to nest folders within shares that those with access to the share shouldn't have access to. So honestly, by nesting them like that, you're creating your own beast. Create separate shares for each group.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
The problem I have is that each group is hierarchical. For example: the Accounting group has 10 people. The manager gets full access to all 10 of Accounting's home folders. Regular accountants get access to a common folder and their own home. Temps get access to their home only. Accounts payable and accounts receivable have read-only to each other's home.

And similar situations for Administration, Engineering, Building Services, Operations, Maintenance, etc.

When I'm through building this it's going to be turned over to the Help Desk to manage. I need to ensure that they can easily tell which groups a new user should belong to.

Organizational advice would be most appreciated.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
If I create a share for each subdirectory rather than nesting, I will have hundreds of shares; will this affect performance?
Accounting (share)
Month end (subdirectory)
Year end (subdirectory)
life end (subdirectory)
OK, I have user test who has Read share permission and Read & Execute NTFS permissions on Accounting. This lets him view the three subdirectories. Now, if I want him to be able to modify files in the life end subdirectory, it seems that I could give him NTFS permissions of Modify on that directory and all is good. Not the case. I'm missing something, just not sure what it is.
Thanks for overlooking our ignorance and for all the help.
 
Sorry, cj, didn't mean to hijack your thread.


"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
No problem, lawnboy, I am glad to share if we can both get a good resolution.
 
OK, I hate to answer my own topic, but apparently, to solve the above, I have to give test full rights to all the directories and then deny write on the two he needs read-only. Is there an alternative solution without using the deny? I still don't understand why the original (above) solution doesn't work.
 
Lawnboy,
I'm just getting back to this project; I got volunteered for a network infrastructure project. Did you make any progress on the organization of rights to your directories?
 