
Simplifying win2k8 server shares and security to ease administration


UnknownEntity (Technical User, Jun 15, 2006)
Hi,

I'm administering a network whereby clients have a need to mask particular folders being seen by other users. This has been catered for by administrators manually editing the security and share permissions on nominated folders and scripting this in a bat file as a logon script on the new or existing user profile within active directory users and computers.

My question is: is there any way to simplify the administration of manually going into server folders and setting specific permissions and manually denying each user who is not supposed to access?

Looking for a common factor in users and classing them into a single domain local group and denying or granting access can work on a small scale but fails on larger networks (70+ users). Any ideas as to how I can begin to simplify this folder design?


Thanks.
 
IMHO, a larger network is not 70+.

Groups are what should be used. Never assign rights to individual users. Assign rights to groups and just add users to the correct groups. That's how it's always been recommended, going all the way back to NT. You should RARELY have to ever touch folder permissions.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Looking for a common factor in users and classing them into a single domain local group and denying or granting access can work on a small scale but fails on larger networks (70+ users). Any ideas as to how I can begin to simplify this folder design?

That's exactly the methodology that you would use for a company of 70,000 users.

Create a share. Create a domain group that has the same name. In the description of the group put in the path to the share. Give the group rights to the share. Then you just have to add/remove users to/from the group as needed. It is by far the simplest way to manage a large number of network shares and users.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Enterprise Administrator
 
Thx for the replies, I plan to finish a basic win2k8 network simulation of a similar environment virtually using Hyper-V in the next few days.

58sniper, am I correct in understanding that if a request is made from management for a new user to have read and write access to folder "A" but have deny permissions on folder "B", I would then have to create the appropriate domain local and, if necessary, global groups to reflect these restrictions? It just seems like a lot to do for a single user.

Kmcferrin, would the above methodology be used on a company under 100 users? Also, by giving a group rights to a share, aren't you in fact editing the share and security permissions of the folder in question? If so, then I'm forced to go edit server folder permissions?

Where am I going wrong here?

Thanks Drakul.
 
You don't edit share permissions. Deal with NTFS permissions and use groups. Whether it's 100 people in the org or 100,000.

Pat Richard MVP
 
58sniper, am I correct in understanding that if a request is made from management for a new user to have read and write access to folder "A" but have deny permissions on folder "B", I would then have to create the appropriate domain local and, if necessary, global groups to reflect these restrictions? It just seems like a lot to do for a single user.

No. Let's say you have the following folders:

FOLDER-A
FOLDER-B
FOLDER-C

Now you create three groups in AD:

FOLDER-A-GRP
FOLDER-B-GRP
FOLDER-C-GRP

You give each group full control of their respective folders. Then if a user needs access to a folder you add them to the correct group, they log out and back in to reset their access token and they're ready to go.

If you need more granularity than that you can create two groups for each folder:

FOLDER-A-GRP-READ
FOLDER-B-GRP-READ
FOLDER-C-GRP-READ
FOLDER-A-GRP-FULL
FOLDER-B-GRP-FULL
FOLDER-C-GRP-FULL

You give each "FULL" group full control of their respective folders and each "READ" group read-only access to their respective folders. If your user needs read only access they go into the "READ" group. If they need full access they go into the "FULL" group.

Not only does this make managing shares easier, it also makes it easy to look at a user object in AD and determine what shares they have access to. If you are individually adding users to shares then you have no way to know what they have access to without reviewing every share and folder on the network.

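As an added example (not code posted in this thread), here is the READ/FULL group-per-folder scheme from the reply above scripted in PowerShell: one domain local group per folder and access level, the UNC path kept in the group description, NTFS rights granted to the group only, and the share permission left broad so that NTFS is what actually restricts access. It assumes the ActiveDirectory module (Server 2008 R2 RSAT) and placeholder names: domain CORP, file server FS01, local path D:\Shares and OU FileShareGroups.

```powershell
# Added example, not from the thread. Assumed placeholders: CORP, FS01, D:\Shares, the OU.
Import-Module ActiveDirectory

$Domain  = 'CORP'
$Server  = 'FS01'
$Root    = 'D:\Shares'
$Folders = 'FOLDER-A', 'FOLDER-B', 'FOLDER-C'
$GroupOU = 'OU=FileShareGroups,DC=corp,DC=example'
$Levels  = @{ READ = 'ReadAndExecute'; FULL = 'FullControl' }

foreach ($f in $Folders) {
    $path = Join-Path $Root $f
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    foreach ($lvl in $Levels.Keys) {
        # One READ and one FULL domain local group per folder; the description
        # carries the share path, so the group alone tells you what it guards.
        $grp = "$f-GRP-$lvl"
        if (-not (Get-ADGroup -Filter "Name -eq '$grp'")) {
            New-ADGroup -Name $grp -GroupScope DomainLocal -GroupCategory Security `
                -Path $GroupOU -Description "\\$Server\$f ($lvl)"
        }

        # NTFS ACE for the group only: no per-user entries and no Deny entries,
        # so a user's access is exactly the sum of the groups they belong to.
        $acl  = Get-Acl -Path $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "$Domain\$grp", $Levels[$lvl], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }

    # Share permission stays broad; the NTFS ACL above does the restricting.
    # (net share is used because the Smb* cmdlets do not exist on Server 2008.)
    if (-not (net share | Select-String -SimpleMatch "$f ")) {
        net share "$f=$path" /GRANT:"Authenticated Users",FULL | Out-Null
    }
}

# Review helper: which share groups, and therefore which shares, a user can reach.
# Granting or revoking access is then just Add-/Remove-ADGroupMember on these groups.
function Get-UserShareAccess([string]$SamAccountName) {
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $_.Name -like '*-GRP-*' } |
        Get-ADGroup -Properties Description |
        Select-Object Name, Description
}
```

Users added to a group must log off and on again before the new group SID appears in their access token, as the reply notes.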
 