yabbadabbaya

File and Folder access info

Currently, our file server is totally unorganized and we are building a new file server and are working on getting the house in order.  The problem is that we don't have any tracking methods for the folder access, and the access to the folders is always being modified as different people are added and removed per project folder.  Believe me, we have hundreds of these folders and of course subfolders, etc.

My question: we are looking for a product (or products) that can put expiration dates on the folder access, and of course has a nice GUI.  Any product that can do what we're looking for or is close enough in the folder access would be good.

Thanks for your help!
oBdA

Oh boy.
To get a view of your current access rights state, get DumpSec from Somarsoft (http://www.somarsoft.com/) and/or AccessEnum from Sysinternals (http://www.sysinternals.com/ntw2k/source/accessenum.shtml).
Then reorganize your permissions, starting from scratch. Do NOT add user accounts to any folder permissions (obvious exception: home folders).
The way to apply security settings is AGLP: *A*ccounts go into *G*lobal groups, global groups go into *L*ocal groups, *P*ermissions are assigned to local groups.
If you have a W2k domain running in native mode, you can use "Domain Local Groups" instead of "real" local groups.
(About the only exception to this are clustered resources; for those, you should assign the rights directly to global groups.)
So for each folder that needs different rights, create a corresponding local group on your file server. Assign the appropriate permissions on the folder to that (those) group(s). If necessary, create corresponding global groups, and make the global groups members of the local groups on your file server. Put the user accounts in the global groups.
From then on, access to the folder is controlled *only* by adding/removing users to the global groups.
Let's give you an example.
Two departments, DepA, DepB. Two Users: UserA, UserB. Two shared department folders: FolderA, FolderB. A third shared project folder C, for which UserA from DepA and UserB from DepB need Change access.
DepA needs Full access to FolderA, Read access to FolderB, DepB accordingly Full to FolderB, Read to FolderA.
You'd create 5 local groups on your file server:
L-NTFS-F-FolderA: Members have Full access to FolderA.
L-NTFS-R-FolderA: Members have Read access to FolderA.
L-NTFS-F-FolderB: Members have Full access to FolderB.
L-NTFS-R-FolderB: Members have Read access to FolderB.
L-NTFS-C-FolderC: Members have Change access to FolderC.
Assign the matching NTFS rights to the folders (with Administrators and System Full Access, of course ...)
You'll probably have your department groups set up already (for example G-DepA, G-DepB), so just make the membership like this:
G-DepA is member of L-NTFS-F-FolderA and member of L-NTFS-R-FolderB.
G-DepB is member of L-NTFS-F-FolderB and member of L-NTFS-R-FolderA.
For FolderC, you'd create a new global group, for example G-ProjectC; UserA and UserB become members of this group, the group itself obviously becomes a member of L-NTFS-C-FolderC.
Expand/enhance according to your surroundings; just invest some time in developing a naming system that fits your needs.
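
The DepA/DepB/ProjectC layout from the answer above, written out as PowerShell for the file server. This is an added example, not part of oBdA's answer; the domain name, the share path, the Read/Change-to-NTFS-right mapping and the pre-existing global groups G-DepA, G-DepB and G-ProjectC (with UserA and UserB in it) are assumptions.

```powershell
# Added example (not from the original answer). Run elevated on the file server.
$Domain    = 'EXAMPLE'     # placeholder NetBIOS domain name (assumption)
$ShareRoot = 'D:\Shares'   # placeholder parent of FolderA/FolderB/FolderC (assumption)

# Letter in the group name -> NTFS right. Read -> ReadAndExecute and
# Change -> Modify are this example's mapping, not stated in the answer.
$RightFor = @{ F = 'FullControl'; C = 'Modify'; R = 'ReadAndExecute' }

# Local group -> global group nested in it, as listed in the answer.
$Layout = [ordered]@{
    'L-NTFS-F-FolderA' = 'G-DepA'
    'L-NTFS-R-FolderA' = 'G-DepB'
    'L-NTFS-F-FolderB' = 'G-DepB'
    'L-NTFS-R-FolderB' = 'G-DepA'
    'L-NTFS-C-FolderC' = 'G-ProjectC'
}

function New-FolderRule([string]$Identity, [string]$Right) {
    # Allow ACE that applies to the folder, its subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Right, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

foreach ($folder in 'FolderA', 'FolderB', 'FolderC') {
    $path = Join-Path $ShareRoot $folder
    $acl  = Get-Acl -LiteralPath $path

    # Start from scratch: stop inheriting, drop inherited and explicit ACEs
    $acl.SetAccessRuleProtection($true, $false)
    $acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $acl.AddAccessRule((New-FolderRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-FolderRule 'NT AUTHORITY\SYSTEM' 'FullControl'))

    foreach ($group in @($Layout.Keys) -like "*-$folder") {
        # L: one local group per folder and right
        if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
            New-LocalGroup -Name $group -Description "$folder access (AGLP)" | Out-Null
        }
        # G -> L: nest the global group; user accounts never go here or on the ACL
        Add-LocalGroupMember -Group $group -Member "$Domain\$($Layout[$group])"
        # P: the permission is granted to the local group only
        $acl.AddAccessRule((New-FolderRule "$env:COMPUTERNAME\$group" $RightFor[$group.Split('-')[2]]))
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Review the result: every entry should be Administrators, SYSTEM or an L-NTFS-* group
    (Get-Acl -LiteralPath $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

`Add-LocalGroupMember` reports an error if the global group is already a member, so a second run is noisy but leaves membership unchanged.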

ASKER

Although the two products listed above provide a little help, they are not really industrial-strength or commercial-strength products which can be used in a corporate environment.

I really need something that's built for real corporate use.  The products above may be useful for a very small firm, but are not efficient for large corporate use.

Does anyone have thoughts or ideas where I can at least start looking?
ASKER CERTIFIED SOLUTION
oBdA