Folder security

Hello everyone,

I have folder that will be accessed by two groups.

First group: can make changes to the files inside the folder.
Second group can view and print only.

Should I create two security groups within AD? or just one containing the users that can make changes?

What is the best practice to accomplish this?

By the way, I'm still operating in a mix environment: win2k and win2003 servers. The DC's are Win2003 standard edition.

Thank you,

Who is Participating?
CharliePete00Connect With a Mentor Commented:
Actually 4 groups is the recommended way to go and if you ever work in an environment with interforest (or NT 4) trusts this will make your life much easier.  You create Domain Global Groups based on user role and add appropriate users to them.  You create Domain Local Groups based on access to resources and grant those groups permissions to resources.  Then you add the appropriate Domain Global Groups (users) to the Domain Local Groups (resource permissions).

Users -> Domain Global Groups -> Domain Local Groups -> Resources

Let's say you have an excel spreadsheet that we will call AcountsReceivable.xls that the accounting department needs write access to but the Budgeting department should only have read access.  You would create 2 Domain Global Groups: Accounting and Budgeting; and add members of the accounting department to Accounting and budgeting to Budgeting.  You would then create 2 Domain Local Groups:  AcountsReceivableRead and AccountsReceivableWrite; then give AccountsReceivableRead read permissions to AccountsReceivable.xls and AccountsReceivableWrite write permissions to AccountsReceivable.xls.  You would the make the Budgeting Domain Global Group a member of AccountsReceivableRead Domain Local Group and the Accounting Domain Global Group a member of the AccountsReceivableWrite Domain Local Group.

Accounting Dept -> Accounting Domain Global Group -> AccountsReceivableWrite Domain Local Group -> AccountsReceivable.xls write permission

Budgeting Dept -> Budgeting Domain Global Group -> AccountsReceivableRead Domain Local Group -> AccountsReceivable.xls read permission

Now let's say corparate management wants write access to AccountsReceivable.xls.  You can make the CorpManagement Domain Global Group (creating it if necessary and adding appropriate users to the group) a member of the AccountsReceivableWrite Domain Local Group.
Aguillon1949Author Commented:

Thank a bunch,

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.