Solved

File and Folder access info

Posted on 2003-10-31
Last Modified: 2013-12-04
Currently, our file server is totally unorganized and we are building a new file server and are working on getting the house in order.  The problem is that we don't have any tracking methods for the folder access, and the access to the folders are always being modified as different people are added and removed per project folder.  Believe me, we have hundreds of these folders and of course subfolders, etc.

My questions - We are looking for product/s that can put expiration dates on the folder access, and of course have a nice GUI interface.  Any product that can do what we're looking for or is close enough in the folder access would be good.

Thanks for your help!
Question by:yabbadabbaya

Expert Comment

by:oBdA
ID: 9663126
Oh boy.
To get a view of your current access rights state, get DumpSec from Somarsoft (http://www.somarsoft.com/) and/or AccessEnum from Sysinternals (http://www.sysinternals.com/ntw2k/source/accessenum.shtml).
Then reorganize your permissions, starting from scratch. Do NOT add user accounts to any folder permissions (obvious exception: home folders).
The way to apply security settings is AGLP: *A*ccounts go into *G*lobal groups, global groups go into *L*ocal groups, *P*ermissions are assigned to local groups.
If you have a W2k domain running in native mode, you can use "Domain Local Groups" instead of "real" local groups.
(About the only exception to this are clustered resources; for those, you should assign the rights directly to global groups.)
So for each folder that needs different rights, create an according local group on your file server. Assign the appropriate permissions to the folder to that (those) group(s). If necessary, create according global groups, make the global groups members of the local groups on your file server. Put the user accounts in the global groups.
From then on, access to the folder is controlled *only* by adding/removing users to the global groups.
Let's give you an example.
Two departments, DepA, DepB. Two Users: UserA, UserB. Two shared department folders: FolderA, FolderB. A third shared project folder C, for which UserA from DepA and UserB from DepB need Change access.
DepA needs Full access to FolderA, Read access to FolderB, DepB accordingly Full to FolderB, Read to FolderA.
You'd create 5 local groups on your file server:
L-NTFS-F-FolderA: Members have Full access to FolderA.
L-NTFS-R-FolderA: Members have Read access to FolderA.
L-NTFS-F-FolderB: Members have Full access to FolderB.
L-NTFS-R-FolderB: Members have Read access to FolderB.
L-NTFS-C-FolderC: Members have Change access to FolderC.
Assign the matching NTFS rights to the folders (with Administrators and System Full Access, of course ...)
You'll probably have your department groups set up already (for example G-DepA, G-DepB), so just make the membership like this:
G-DepA is member of L-NTFS-F-FolderA and member of L-NTFS-R-FolderB.
G-DepB is member of L-NTFS-F-FolderB and member of L-NTFS-R-FolderA.
For FolderC, you'd create a new global group, for example G-ProjectC; UserA and UserB become members of this group, the group itself obviously becomes a member of L-NTFS-C-FolderC.
Expand/enhance according to your surroundings; just invest some time in developing a naming system that fits your needs.
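
The DepA/DepB/FolderC layout from the answer above, scripted as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module, a placeholder domain CORP, hypothetical OU and folder paths, domain local groups in place of server-local groups, and that G-DepA, G-DepB, UserA and UserB already exist.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory
# module, a placeholder domain CORP, and existing G-DepA, G-DepB, UserA, UserB.
Import-Module ActiveDirectory

$groupOu   = 'OU=Groups,DC=corp,DC=example'   # hypothetical OU
$shareRoot = 'D:\Shares'                      # hypothetical folder root

# Resource group -> folder, icacls right (F = Full, M = Modify/"Change",
# RX = Read) and the global groups nested into it.
$resourceGroups = @(
    @{ Name = 'L-NTFS-F-FolderA'; Folder = 'FolderA'; Right = 'F';  Members = @('G-DepA') }
    @{ Name = 'L-NTFS-R-FolderA'; Folder = 'FolderA'; Right = 'RX'; Members = @('G-DepB') }
    @{ Name = 'L-NTFS-F-FolderB'; Folder = 'FolderB'; Right = 'F';  Members = @('G-DepB') }
    @{ Name = 'L-NTFS-R-FolderB'; Folder = 'FolderB'; Right = 'RX'; Members = @('G-DepA') }
    @{ Name = 'L-NTFS-C-FolderC'; Folder = 'FolderC'; Right = 'M';  Members = @('G-ProjectC') }
)

# Project group: the only place UserA and UserB are named directly.
New-ADGroup -Name 'G-ProjectC' -GroupScope Global -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity 'G-ProjectC' -Members 'UserA', 'UserB'

# Start each folder from scratch: drop inherited ACEs, keep Administrators and SYSTEM.
$folders = $resourceGroups | ForEach-Object { $_.Folder } | Sort-Object -Unique
foreach ($folder in $folders) {
    icacls (Join-Path $shareRoot $folder) /inheritance:r `
        /grant 'BUILTIN\Administrators:(OI)(CI)F' /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
}

foreach ($rg in $resourceGroups) {
    New-ADGroup -Name $rg.Name -GroupScope DomainLocal -GroupCategory Security -Path $groupOu
    Add-ADGroupMember -Identity $rg.Name -Members $rg.Members
    # (OI)(CI) makes the ACE inherit to files and subfolders.
    icacls (Join-Path $shareRoot $rg.Folder) /grant "CORP\$($rg.Name):(OI)(CI)$($rg.Right)"
}
```

No user account appears in any ACL; later changes touch only the membership of the G-* groups.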

Author Comment

by:yabbadabbaya
ID: 9736624
Although the two products listed above provide a little help, they are not really industrial-strength or commercial-strength products which can be used for a corporate environment.

I really need something that's built for real corporate use.  The products above may be useful for a very small firm, but are not efficient for large corporate use.

Does anyone have thoughts or ideas where I can at least start looking?

Accepted Solution

by:
oBdA earned 250 total points
ID: 9738080
I doubt somehow that there's a tool like that out there somewhere. Your "problem", if I may call it that, is not the existence of a GUI tool to manage NTFS permissions, it's "the access to the folders are always being modified as different people are added and removed per project folder".
This is definitely the wrong approach to manage NTFS permissions. Except for a few special cases, you don't "add and remove people per project folder" to NTFS ACLs to control resource access; you control resource access exclusively by adding/removing users to/from global groups as described above.
This requires investing some time in a proper folder structure and naming conventions, but once that's set up, it's quite easy to manage.
The access expiration for a folder can then easily be solved by a scheduled task that removes the user(s) from the according group.
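
One way to build the scheduled task mentioned above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module and a hypothetical CSV of time-limited grants (columns Group,User,Expires); the file paths, task name and the G-* naming check are assumptions taken from the naming scheme in the earlier answer.

```powershell
# Added example, not from the original answer. The CSV path, its columns
# (Group,User,Expires) and the log path are assumptions.
Import-Module ActiveDirectory

$grantFile = 'C:\Admin\access-grants.csv'   # e.g. G-ProjectC,UserA,2004-01-31
$logFile   = 'C:\Admin\access-expiry.log'
$today     = (Get-Date).Date

function Write-ExpiryLog([string]$Message) {
    Add-Content -Path $logFile -Value ('{0:s} {1}' -f (Get-Date), $Message)
}

foreach ($grant in Import-Csv -Path $grantFile) {
    try {
        $expires = [datetime]::ParseExact($grant.Expires, 'yyyy-MM-dd',
            [System.Globalization.CultureInfo]::InvariantCulture)
    } catch {
        Write-ExpiryLog "SKIP bad date '$($grant.Expires)' for $($grant.User) in $($grant.Group)"
        continue
    }
    if ($expires -gt $today) { continue }        # grant is still valid

    # Only global groups are edited; resource groups and ACLs stay untouched.
    if ($grant.Group -notlike 'G-*') {
        Write-ExpiryLog "SKIP $($grant.Group) is not a G-* global group"
        continue
    }
    try {
        $member = Get-ADGroupMember -Identity $grant.Group -ErrorAction Stop |
            Where-Object { $_.SamAccountName -eq $grant.User }
        if ($member) {
            Remove-ADGroupMember -Identity $grant.Group -Members $member `
                -Confirm:$false -ErrorAction Stop
            Write-ExpiryLog "REMOVED $($grant.User) from $($grant.Group) (expired $($grant.Expires))"
        }
    } catch {
        Write-ExpiryLog "ERROR $($grant.Group)/$($grant.User): $($_.Exception.Message)"
    }
}
# Run daily, for example (task name and script path are placeholders):
#   schtasks /Create /TN "ExpireGroupAccess" /SC DAILY /ST 01:00 /RU <service account> /TR "powershell.exe -NoProfile -File C:\Admin\Expire-GroupAccess.ps1"
```

The log doubles as the tracking record the question asks for: every removal is written with a timestamp, the group and the expiry date that triggered it.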