Solved

Folder security

Posted on 2006-06-28
2
163 Views
Last Modified: 2010-04-13
Hello everyone,

I have folder that will be accessed by two groups.

First group: can make changes to the files inside the folder.
Second group can view and print only.

Should I create two security groups within AD? or just one containing the users that can make changes?

What is the best practice to accomplish this?

By the way, I'm still operating in a mix environment: win2k and win2003 servers. The DC's are Win2003 standard edition.

Thank you,

Nelson
0
Comment
Question by:Aguillon1949
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
CharliePete00 earned 500 total points
ID: 17003097
Actually 4 groups is the recommended way to go and if you ever work in an environment with interforest (or NT 4) trusts this will make your life much easier.  You create Domain Global Groups based on user role and add appropriate users to them.  You create Domain Local Groups based on access to resources and grant those groups permissions to resources.  Then you add the appropriate Domain Global Groups (users) to the Domain Local Groups (resource permissions).

Users -> Domain Global Groups -> Domain Local Groups -> Resources

Let's say you have an excel spreadsheet that we will call AcountsReceivable.xls that the accounting department needs write access to but the Budgeting department should only have read access.  You would create 2 Domain Global Groups: Accounting and Budgeting; and add members of the accounting department to Accounting and budgeting to Budgeting.  You would then create 2 Domain Local Groups:  AcountsReceivableRead and AccountsReceivableWrite; then give AccountsReceivableRead read permissions to AccountsReceivable.xls and AccountsReceivableWrite write permissions to AccountsReceivable.xls.  You would the make the Budgeting Domain Global Group a member of AccountsReceivableRead Domain Local Group and the Accounting Domain Global Group a member of the AccountsReceivableWrite Domain Local Group.

Accounting Dept -> Accounting Domain Global Group -> AccountsReceivableWrite Domain Local Group -> AccountsReceivable.xls write permission

Budgeting Dept -> Budgeting Domain Global Group -> AccountsReceivableRead Domain Local Group -> AccountsReceivable.xls read permission

Now let's say corparate management wants write access to AccountsReceivable.xls.  You can make the CorpManagement Domain Global Group (creating it if necessary and adding appropriate users to the group) a member of the AccountsReceivableWrite Domain Local Group.
0
 

Author Comment

by:Aguillon1949
ID: 17003273
Excellent!!

Thank a bunch,

Nelson
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question