File and Folder access info

Posted on 2003-10-31
Last Modified: 2013-12-04
Currently, our file server is totally unorganized and we are building a new file server and are working on getting the house in order.  The problem is that we don't have any tracking methods for the folder access, and the access to the folders are always being modified as different people are added and removed per project folder.  Believe me, we have hundreds of these folders and of course subfolders, etc....

My question - We are looking for product/s that can put expiration dates on the folder access, and of course have a nice GUI interface.  Any product that can do what we're looking for or is close enough in the folder access would be good.

Thanks for your help!
Question by:yabbadabbaya
Expert Comment

by:oBdA
ID: 9663126
Oh boy.
To get a view of your current access rights state, get DumpSec from Somarsoft (http://www.somarsoft.com/) and/or AccessEnum from Sysinternals (http://www.sysinternals.com/ntw2k/source/accessenum.shtml).
Then reorganize your permissions, starting from scratch. Do NOT add user accounts to any folder permissions (obvious exception: home folders).
The way to apply security settings is AGLP: *A*ccounts go into *G*lobal groups, global groups go into *L*ocal groups, *P*ermissions are assigned to local groups.
If you have a W2k domain running in native mode, you can use "Domain Local Groups" instead of "real" local groups.
(About the only exception to this are clustered resources; for those, you should assign the rights directly to global groups.)
So for each folder that needs different rights, create a corresponding local group on your file server. Assign the appropriate permissions on the folder to that (those) group(s). If necessary, create corresponding global groups, make the global groups members of the local groups on your file server. Put the user accounts in the global groups.
From then on, access to the folder is controlled *only* by adding/removing users to the global groups.
Let's give you an example.
Two departments, DepA, DepB. Two Users: UserA, UserB. Two shared department folders: FolderA, FolderB. A third shared project folder C, for which UserA from DepA and UserB from DepB need Change access.
DepA needs Full access to FolderA, Read access to FolderB, DepB accordingly Full to FolderB, Read to FolderA.
You'd create 5 local groups on your file server:
L-NTFS-F-FolderA: Members have Full access to FolderA.
L-NTFS-R-FolderA: Members have Read access to FolderA.
L-NTFS-F-FolderB: Members have Full access to FolderB.
L-NTFS-R-FolderB: Members have Read access to FolderB.
L-NTFS-C-FolderC: Members have Change access to FolderC.
Assign the matching NTFS rights to the folders (with Administrators and System Full Access, of course ...)
You'll probably have your department groups set up already (for example G-DepA, G-DepB), so just make the membership like this:
G-DepA is member of L-NTFS-F-FolderA and member of L-NTFS-R-FolderB.
G-DepB is member of L-NTFS-F-FolderB and member of L-NTFS-R-FolderA.
For FolderC, you'd create a new global group, for example G-ProjectC; UserA and UserB become members of this group, the group itself obviously becomes a member of L-NTFS-C-FolderC.
Expand/enhance according to your surroundings; just invest some time in developing a naming system that fits your needs.
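
One way to check a folder against the naming scheme in this answer, as an added example that is not part of the original post: it flags ACL entries that grant rights to anything other than the folder's own `L-NTFS-*` groups, Administrators or SYSTEM, or whose rights do not match the letter in the group name. The function name, the server name `FS01`, the domain `CORP` and the sample entries are constructed for illustration; on a real server the entries would come from `(Get-Acl <path>).Access`.

```powershell
# Added example: audit a folder's ACL against the L-NTFS-<right>-<folder> scheme.
# Letters follow the answer's convention: F = Full, C = Change, R = Read.
# Assumption: rights are compared as the strings Get-Acl shows for them.
$RightFor = @{
    F = '^FullControl$'
    C = '^Modify(, Synchronize)?$'
    R = '^Read(AndExecute)?(, Synchronize)?$'
}
$Builtin = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function Test-AglpAcl {
    param([string]$Folder, [object[]]$Ace)
    foreach ($a in $Ace) {
        $who    = [string]$a.IdentityReference
        $rights = [string]$a.FileSystemRights
        if ($Builtin -contains $who) { continue }
        $name    = $who.Split('\')[-1]        # drop the DOMAIN\ or SERVER\ prefix
        $finding = $null
        if ($name -notmatch '^L-NTFS-([FCR])-(.+)$') {
            $finding = 'user or global group placed directly on the ACL'
        } else {
            $letter, $target = $Matches[1], $Matches[2]
            if ($target -ne $Folder) {
                $finding = "group belongs to folder $target"
            } elseif ($rights -notmatch $RightFor[$letter]) {
                $finding = "rights do not match the '$letter' in the group name"
            }
        }
        if ($finding) {
            [pscustomobject]@{ Folder = $Folder; Trustee = $who
                               Rights = $rights; Finding = $finding }
        }
    }
}

# Constructed sample entries, shaped like (Get-Acl 'D:\Shares\FolderA').Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl' }
    [pscustomobject]@{ IdentityReference = 'FS01\L-NTFS-F-FolderA';  FileSystemRights = 'FullControl' }
    [pscustomobject]@{ IdentityReference = 'FS01\L-NTFS-R-FolderA';  FileSystemRights = 'Modify, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'CORP\UserB';             FileSystemRights = 'Modify, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'CORP\G-DepB';            FileSystemRights = 'ReadAndExecute, Synchronize' }
)
Test-AglpAcl -Folder 'FolderA' -Ace $sample | Format-Table -AutoSize
```

With the sample data, three entries are reported: the Read group that was granted Modify, the user account, and the global group that was put on the ACL directly.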

Author Comment

by:yabbadabbaya
ID: 9736624
Although the two products listed above provide a little help, they are not really industrial-strength or commercial-strength products which can be used in a corporate environment.

I really need something that's built for real corporate use.  The products above may be useful for a very small firm, but are not efficient for large corporate use.

Does anyone have thoughts or ideas where I can at least start looking?

Accepted Solution

by:oBdA (earned 1000 total points)
ID: 9738080
I doubt somehow that there's a tool like that out there somewhere. Your "problem", if I may call it that, is not the existence of a GUI tool to manage NTFS permissions, it's "the access to the folders are always being modified as different people are added and removed per project folder".
This is definitely the wrong approach to manage NTFS permissions. Except for a few special cases, you don't "add and remove people per project folder" to NTFS ACLs to control resource access; you control resource access exclusively by adding/removing users to/from global groups as described above.
This requires investing some time in a proper folder structure and naming conventions, but once that's set up, it's quite easy to manage.
The access expiration for a folder can then easily be solved by a scheduled task that removes the user(s) from the corresponding group.
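
The scheduled task mentioned in this answer could look like the following, as an added example that is not part of the original post: it reads a list of time-limited global-group memberships and removes those whose expiry date has passed. The CSV layout, the function name and the sample rows are assumptions; `Remove-ADGroupMember` comes from the ActiveDirectory PowerShell module, which postdates this thread, and the script only reports what it would do when that module is not present.

```powershell
# Added example: expire time-limited memberships of global groups.
# Constructed sample list; in practice this would be a CSV file kept with
# the project records and loaded with Import-Csv.
$grants = @'
Group,User,Expires
G-ProjectC,UserA,2003-12-31
G-ProjectC,UserB,2099-06-30
G-DepA,UserB,not-a-date
'@ | ConvertFrom-Csv

function Get-ExpiredGrant {
    param([object[]]$Grant, [datetime]$Now = (Get-Date))
    foreach ($g in $Grant) {
        $when = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($g.Expires, 'yyyy-MM-dd',
                  [cultureinfo]::InvariantCulture,
                  [System.Globalization.DateTimeStyles]::None, [ref]$when)
        if (-not $ok) {
            # Never guess at a bad date: report it and leave the membership alone.
            Write-Warning "Unparseable expiry for $($g.User) in $($g.Group): '$($g.Expires)'"
        } elseif ($when.Date -lt $Now.Date) {
            $g      # access was valid through the Expires date, so remove the day after
        }
    }
}

foreach ($g in (Get-ExpiredGrant -Grant $grants)) {
    if (Get-Command Remove-ADGroupMember -ErrorAction SilentlyContinue) {
        # -WhatIf only shows what would be removed; drop it once the list is trusted.
        Remove-ADGroupMember -Identity $g.Group -Members $g.User -Confirm:$false -WhatIf
    } else {
        Write-Output "Would remove $($g.User) from $($g.Group) (expired $($g.Expires))"
    }
}
```

Because only global-group membership changes, the folder ACLs and the `L-NTFS-*` local groups are never touched by the task.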