Solved

File and Folder access info

Posted on 2003-10-31
Last Modified: 2013-12-04
Currently, our file server is totally unorganized and we are building a new file server and are working on getting the house in order.  The problem is that we don't have any tracking methods for the folder access, and the access to the folders are always being modified as different people are added and removed per project folder.  Believe me, we have hundreds of these folders and of course subfolders, etc....

My questions - We are looking for product/s that can put expiration dates on the folder access, and of course have a nice GUI interface.  Any product that can do what we're looking for or is close enough in the folder access would be good.

Thanks for your help!
Question by:yabbadabbaya

Expert Comment

by:oBdA
ID: 9663126
Oh boy.
To get a view of your current access rights state, get DumpSec from Somarsoft (http://www.somarsoft.com/) and/or AccessEnum from Sysinternals (http://www.sysinternals.com/ntw2k/source/accessenum.shtml).
Then reorganize your permissions, starting from scratch. Do NOT add user accounts to any folder permissions (obvious exception: home folders).
The way to apply security settings is AGLP: *A*ccounts go into *G*lobal groups, global groups go into *L*ocal groups, *P*ermissions are assigned to local groups.
If you have a W2k domain running in native mode, you can use "Domain Local Groups" instead of "real" local groups.
(About the only exception to this are clustered resources; for those, you should assign the rights directly to global groups.)
So for each folder that needs different rights, create an according local group on your file server. Assign the appropriate permissions to the folder to that (those) group(s). If necessary, create according global groups, make the global groups members of the local groups on your file server. Put the user accounts in the global groups.
From then on, access to the folder is controlled *only* by adding/removing users to the global groups.
Let's give you an example.
Two departments, DepA, DepB. Two Users: UserA, UserB. Two shared department folders: FolderA, FolderB. A third shared project folder C, for which UserA from DepA and UserB from DepB need Change access.
DepA needs Full access to FolderA, Read access to FolderB, DepB accordingly Full to FolderB, Read to FolderA.
You'd create 5 local groups on your file server:
L-NTFS-F-FolderA: Members have Full access to FolderA.
L-NTFS-R-FolderA: Members have Read access to FolderA.
L-NTFS-F-FolderB: Members have Full access to FolderB.
L-NTFS-R-FolderB: Members have Read access to FolderB.
L-NTFS-C-FolderC: Members have Change access to FolderC.
Assign the matching NTFS rights to the folders (with Administrators and System Full Access, of course ...)
You'll probably have your department groups set up already (for example G-DepA, G-DepB), so just make the membership like this:
G-DepA is member of L-NTFS-F-FolderA and member of L-NTFS-R-FolderB.
G-DepB is member of L-NTFS-F-FolderB and member of L-NTFS-R-FolderA.
For FolderC, you'd create a new global group, for example G-ProjectC; UserA and UserB become members of this group, the group itself obviously becomes a member of L-NTFS-C-FolderC.
Expand/enhance according to your surroundings; just invest some time in developing a naming system that fits your needs.

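The AGLP layout from the answer above, written out as an added PowerShell example (not part of the original post). It assumes the ActiveDirectory module, existing G-DepA and G-DepB groups, and placeholder values for the domain name and share root.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory module
# (RSAT) and rights to create groups and edit folder ACLs.
Import-Module ActiveDirectory
$Domain = 'CORP'        # assumption: NetBIOS domain name
$Root   = 'D:\Shares'   # assumption: parent of FolderA, FolderB, FolderC

# L + P: one domain local group per folder and access level (names from the answer).
$resourceGroups = @(
    @{ Name = 'L-NTFS-F-FolderA'; Folder = 'FolderA'; Rights = 'FullControl' }
    @{ Name = 'L-NTFS-R-FolderA'; Folder = 'FolderA'; Rights = 'Read' }
    @{ Name = 'L-NTFS-F-FolderB'; Folder = 'FolderB'; Rights = 'FullControl' }
    @{ Name = 'L-NTFS-R-FolderB'; Folder = 'FolderB'; Rights = 'Read' }
    @{ Name = 'L-NTFS-C-FolderC'; Folder = 'FolderC'; Rights = 'Modify' }  # "Change"
)
foreach ($rg in $resourceGroups) {
    New-ADGroup -Name $rg.Name -GroupScope DomainLocal -GroupCategory Security
    $path     = Join-Path $Root $rg.Folder
    $identity = "$Domain\$($rg.Name)"
    $acl      = Get-Acl -Path $path
    # The permission is granted to the local group only, never to a user account.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $rg.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# G + A: the project's global group; user accounts go only into global groups.
New-ADGroup -Name 'G-ProjectC' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'G-ProjectC' -Members 'UserA', 'UserB'

# G -> L nesting as listed in the answer.
$nesting = @{
    'L-NTFS-F-FolderA' = 'G-DepA'
    'L-NTFS-R-FolderB' = 'G-DepA'
    'L-NTFS-F-FolderB' = 'G-DepB'
    'L-NTFS-R-FolderA' = 'G-DepB'
    'L-NTFS-C-FolderC' = 'G-ProjectC'
}
foreach ($local in $nesting.Keys) {
    Add-ADGroupMember -Identity $local -Members $nesting[$local]
}
```

If a newly created group cannot be resolved yet when the ACL is written (replication lag between domain controllers), rerun the ACL step once the group is visible.
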
Author Comment

by:yabbadabbaya
ID: 9736624
Although the two products listed above provide a little help, they are not really industrial-strength or commercial-strength products which can be used for a corporate environment.

I really need something that's built for real corporate use.  The products above may be useful for a very small firm, but are not efficient for large corporate use.

Does anyone have thoughts or ideas where I can at least start looking?

Accepted Solution

by:
oBdA earned 250 total points
ID: 9738080
I doubt somehow that there's a tool like that out there somewhere. Your "problem", if I may call it that, is not the existence of a GUI tool to manage NTFS permissions, it's "the access to the folders are always being modified as different people are added and removed per project folder".
This is definitely the wrong approach to manage NTFS permissions. Except for few special cases, you don't "add and remove people per project folder" to NTFS ACLs to control resource access; you control resource access exclusively by adding/removing users to/from global groups as described above.
This requires investing some time in a proper folder structure and naming conventions, but once that's set up, it's quite easy to manage.
The access expiration for a folder can then easily be solved by a scheduled task that removes the user(s) from the according group.

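One way to build the scheduled task mentioned in the accepted answer, as an added PowerShell example that is not part of the original post. The grant list layout (Group, User, Expires) and the function names are hypothetical, the sample rows are constructed, and the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory module.
# The grant list layout (Group,User,Expires) and function names are hypothetical.
Import-Module ActiveDirectory

# Constructed sample data; in production use Import-Csv on a file only admins can write.
$grants = @'
Group,User,Expires
G-ProjectC,UserA,2003-12-31
G-ProjectC,UserB,2004-06-30
'@ | ConvertFrom-Csv

function Get-ExpiredGrant {
    param([object[]]$Grants, [datetime]$AsOf = (Get-Date))
    foreach ($g in $Grants) {
        $expires = [datetime]::MinValue
        $ok = [datetime]::TryParseExact($g.Expires, 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$expires)
        if (-not $ok) { Write-Warning "Bad date for $($g.Group)/$($g.User); skipped"; continue }
        # Access is valid through the Expires date and removed from the next day on.
        if ($expires.Date -lt $AsOf.Date) { $g }
    }
}

function Remove-ExpiredGrant {
    [CmdletBinding(SupportsShouldProcess)]
    param([object[]]$Grants, [datetime]$AsOf = (Get-Date))
    foreach ($g in Get-ExpiredGrant -Grants $Grants -AsOf $AsOf) {
        # Only touch global groups that follow the G- naming convention.
        if ($g.Group -notlike 'G-*') { Write-Warning "Refusing $($g.Group)"; continue }
        $member = Get-ADGroupMember -Identity $g.Group |
            Where-Object { $_.SamAccountName -eq $g.User }
        if (-not $member) { continue }   # already removed, nothing to do
        if ($PSCmdlet.ShouldProcess($g.Group, "Remove member $($g.User)")) {
            Remove-ADGroupMember -Identity $g.Group -Members $member -Confirm:$false
            # Emit one record per removal for the audit trail.
            [pscustomobject]@{ Time = Get-Date; Group = $g.Group; User = $g.User; Expired = $g.Expires }
        }
    }
}

# Dry run first; drop -WhatIf in the scheduled task.
Remove-ExpiredGrant -Grants $grants -WhatIf
```

Run the task under an account delegated only the right to change membership of the G- project groups, and keep the emitted records as the access-change log the question asks for.
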