Solved

Folder security

Posted on 2006-06-28
2
159 Views
Last Modified: 2010-04-13
Hello everyone,

I have folder that will be accessed by two groups.

First group: can make changes to the files inside the folder.
Second group can view and print only.

Should I create two security groups within AD? or just one containing the users that can make changes?

What is the best practice to accomplish this?

By the way, I'm still operating in a mix environment: win2k and win2003 servers. The DC's are Win2003 standard edition.

Thank you,

Nelson
0
Comment
Question by:Aguillon1949
2 Comments
 
LVL 7

Accepted Solution

by:
CharliePete00 earned 500 total points
ID: 17003097
Actually 4 groups is the recommended way to go and if you ever work in an environment with interforest (or NT 4) trusts this will make your life much easier.  You create Domain Global Groups based on user role and add appropriate users to them.  You create Domain Local Groups based on access to resources and grant those groups permissions to resources.  Then you add the appropriate Domain Global Groups (users) to the Domain Local Groups (resource permissions).

Users -> Domain Global Groups -> Domain Local Groups -> Resources

Let's say you have an excel spreadsheet that we will call AcountsReceivable.xls that the accounting department needs write access to but the Budgeting department should only have read access.  You would create 2 Domain Global Groups: Accounting and Budgeting; and add members of the accounting department to Accounting and budgeting to Budgeting.  You would then create 2 Domain Local Groups:  AcountsReceivableRead and AccountsReceivableWrite; then give AccountsReceivableRead read permissions to AccountsReceivable.xls and AccountsReceivableWrite write permissions to AccountsReceivable.xls.  You would the make the Budgeting Domain Global Group a member of AccountsReceivableRead Domain Local Group and the Accounting Domain Global Group a member of the AccountsReceivableWrite Domain Local Group.

Accounting Dept -> Accounting Domain Global Group -> AccountsReceivableWrite Domain Local Group -> AccountsReceivable.xls write permission

Budgeting Dept -> Budgeting Domain Global Group -> AccountsReceivableRead Domain Local Group -> AccountsReceivable.xls read permission

Now let's say corparate management wants write access to AccountsReceivable.xls.  You can make the CorpManagement Domain Global Group (creating it if necessary and adding appropriate users to the group) a member of the AccountsReceivableWrite Domain Local Group.
0
 

Author Comment

by:Aguillon1949
ID: 17003273
Excellent!!

Thank a bunch,

Nelson
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now