Solved

File and Folder access info

Posted on 2003-10-31
Last Modified: 2013-12-04
Currently, our file server is totally unorganized, and we are building a new file server and working on getting the house in order.  The problem is that we don't have any tracking methods for folder access, and the access to the folders is always being modified as different people are added and removed per project folder.  Believe me, we have hundreds of these folders and, of course, subfolders, etc.

My question - We are looking for products that can put expiration dates on folder access and, of course, have a nice GUI.  Any product that can do what we're looking for, or comes close enough on folder access, would be good.

Thanks for your help!
Question by:yabbadabbaya

Expert Comment

by:oBdA
ID: 9663126
Oh boy.
To get a view of your current access rights state, get DumpSec from Somarsoft (http://www.somarsoft.com/) and/or AccessEnum from Sysinternals (http://www.sysinternals.com/ntw2k/source/accessenum.shtml).
Then reorganize your permissions, starting from scratch. Do NOT add user accounts to any folder permissions (obvious exception: home folders).
The way to apply security settings is AGLP: *A*ccounts go into *G*lobal groups, global groups go into *L*ocal groups, *P*ermissions are assigned to local groups.
If you have a W2k domain running in native mode, you can use "Domain Local Groups" instead of "real" local groups.
(About the only exception to this are clustered resources; for those, you should assign the rights directly to global groups.)
So for each folder that needs different rights, create a corresponding local group on your file server. Assign the appropriate permissions on the folder to that (those) group(s). If necessary, create corresponding global groups and make the global groups members of the local groups on your file server. Put the user accounts in the global groups.
From then on, access to the folder is controlled *only* by adding/removing users to the global groups.
Let's give you an example.
Two departments, DepA, DepB. Two Users: UserA, UserB. Two shared department folders: FolderA, FolderB. A third shared project folder C, for which UserA from DepA and UserB from DepB need Change access.
DepA needs Full access to FolderA, Read access to FolderB, DepB accordingly Full to FolderB, Read to FolderA.
You'd create 5 local groups on your file server:
L-NTFS-F-FolderA: Members have Full access to FolderA.
L-NTFS-R-FolderA: Members have Read access to FolderA.
L-NTFS-F-FolderB: Members have Full access to FolderB.
L-NTFS-R-FolderB: Members have Read access to FolderB.
L-NTFS-C-FolderC: Members have Change access to FolderC.
Assign the matching NTFS rights to the folders (with Administrators and System Full Access, of course ...)
You'll probably have your department groups set up already (for example G-DepA, G-DepB), so just make the membership like this:
G-DepA is member of L-NTFS-F-FolderA and member of L-NTFS-R-FolderB.
G-DepB is member of L-NTFS-F-FolderB and member of L-NTFS-R-FolderA.
For FolderC, you'd create a new global group, for example G-ProjectC; UserA and UserB become members of this group, and the group itself obviously becomes a member of L-NTFS-C-FolderC.
Expand/enhance according to your surroundings; just invest some time in developing a naming system that fits your needs.

Author Comment

by:yabbadabbaya
ID: 9736624
Although the two products listed above provide a little help, they are not really industrial-strength or commercial-strength products that can be used in a corporate environment.

I really need something that's built for real corporate use.  The products above may be useful for a very small firm, but are not efficient for large corporate use.

Does anyone have thoughts or ideas where I can at least start looking?

Accepted Solution

by:oBdA (earned 250 total points)
ID: 9738080
I doubt somehow that there's a tool like that out there somewhere. Your "problem", if I may call it that, is not the existence of a GUI tool to manage NTFS permissions, it's "the access to the folders are always being modified as different people are added and removed per project folder".
This is definitely the wrong approach to managing NTFS permissions. Except for a few special cases, you don't "add and remove people per project folder" to NTFS ACLs to control resource access; you control resource access exclusively by adding/removing users to/from global groups as described above.
This requires investing some time in a proper folder structure and naming conventions, but once that's set up, it's quite easy to manage.
The access expiration for a folder can then easily be solved by a scheduled task that removes the user(s) from the corresponding group.
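The scheduled-task expiry suggested in the accepted answer, applied to the global groups from the AGLP example earlier in the thread, sketched in PowerShell as an added example (not part of any post in this thread). The grant list, its column names and the script's parameters are assumptions; the names G-ProjectC, G-DepA, UserA and UserB come from the example above, and the dates are constructed.

```powershell
#Requires -Version 5.1
# Added example: expire time-limited memberships of global groups (AGLP model).
# Folder ACLs are never touched; access follows from group membership alone.
param(
    [switch]$Apply,                          # without -Apply the script only reports
    [datetime]$Today = (Get-Date).Date
)

# Constructed sample grant list (hypothetical format). In practice this would be
# a CSV file maintained by whoever approves access requests.
$grants = @'
Group,User,Expires
G-ProjectC,UserA,2024-03-31
G-ProjectC,UserB,2099-12-31
G-DepA,UserA,
'@ | ConvertFrom-Csv

function Get-ExpiredGrant {
    param($Grants, [datetime]$AsOf)
    foreach ($g in $Grants) {
        # An empty Expires field marks a permanent (department) membership.
        if ([string]::IsNullOrWhiteSpace($g.Expires)) { continue }
        # A malformed date throws here, so a typo cannot silently extend access.
        $expires = [datetime]::ParseExact($g.Expires, 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture)
        # Access is valid through the expiry date and removed the day after.
        if ($expires -lt $AsOf) { $g }
    }
}

# -Apply needs the ActiveDirectory module (RSAT) and rights to edit the groups.
if ($Apply) { Import-Module ActiveDirectory -ErrorAction Stop }

foreach ($g in @(Get-ExpiredGrant -Grants $grants -AsOf $Today)) {
    $what = "$($g.User) from $($g.Group) (expired $($g.Expires))"
    if (-not $Apply) { Write-Output "WOULD REMOVE $what"; continue }
    try {
        Remove-ADGroupMember -Identity $g.Group -Members $g.User `
            -Confirm:$false -ErrorAction Stop
        Write-Output "REMOVED $what"
    } catch {
        # Keep going so one bad entry does not block the other removals.
        Write-Warning "FAILED $what : $($_.Exception.Message)"
    }
}
```

Run it daily from Task Scheduler under an account that is allowed to edit group membership, and keep its output as the audit trail of who lost access and when.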
