Solved

Folder security

Posted on 2006-06-28
2
158 Views
Last Modified: 2010-04-13
Hello everyone,

I have folder that will be accessed by two groups.

First group: can make changes to the files inside the folder.
Second group can view and print only.

Should I create two security groups within AD? or just one containing the users that can make changes?

What is the best practice to accomplish this?

By the way, I'm still operating in a mix environment: win2k and win2003 servers. The DC's are Win2003 standard edition.

Thank you,

Nelson
0
Comment
Question by:Aguillon1949
2 Comments
 
LVL 7

Accepted Solution

by:
CharliePete00 earned 500 total points
ID: 17003097
Actually 4 groups is the recommended way to go and if you ever work in an environment with interforest (or NT 4) trusts this will make your life much easier.  You create Domain Global Groups based on user role and add appropriate users to them.  You create Domain Local Groups based on access to resources and grant those groups permissions to resources.  Then you add the appropriate Domain Global Groups (users) to the Domain Local Groups (resource permissions).

Users -> Domain Global Groups -> Domain Local Groups -> Resources

Let's say you have an excel spreadsheet that we will call AcountsReceivable.xls that the accounting department needs write access to but the Budgeting department should only have read access.  You would create 2 Domain Global Groups: Accounting and Budgeting; and add members of the accounting department to Accounting and budgeting to Budgeting.  You would then create 2 Domain Local Groups:  AcountsReceivableRead and AccountsReceivableWrite; then give AccountsReceivableRead read permissions to AccountsReceivable.xls and AccountsReceivableWrite write permissions to AccountsReceivable.xls.  You would the make the Budgeting Domain Global Group a member of AccountsReceivableRead Domain Local Group and the Accounting Domain Global Group a member of the AccountsReceivableWrite Domain Local Group.

Accounting Dept -> Accounting Domain Global Group -> AccountsReceivableWrite Domain Local Group -> AccountsReceivable.xls write permission

Budgeting Dept -> Budgeting Domain Global Group -> AccountsReceivableRead Domain Local Group -> AccountsReceivable.xls read permission

Now let's say corparate management wants write access to AccountsReceivable.xls.  You can make the CorpManagement Domain Global Group (creating it if necessary and adding appropriate users to the group) a member of the AccountsReceivableWrite Domain Local Group.
0
 

Author Comment

by:Aguillon1949
ID: 17003273
Excellent!!

Thank a bunch,

Nelson
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Why won't wireshark open my tcpdump file from linux 13 2,939
Norton Ghost for Windows NT 5 1,441
website 1 297
Windows 7 7 255
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Hyena v12.2 is now available for downloading and is available in English, French, German and Spanish versions.
This video discusses moving either the default database or any database to a new volume.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now