  • Status: Solved
  • Priority: Medium
  • Security: Public

Folder security

Hello everyone,

I have a folder that will be accessed by two groups.

First group: can make changes to the files inside the folder.
Second group can view and print only.

Should I create two security groups within AD, or just one containing the users that can make changes?

What is the best practice to accomplish this?

By the way, I'm still operating in a mixed environment: Win2k and Win2003 servers. The DCs are Win2003 Standard Edition.

Thank you,

Nelson
Asked by: Aguillon1949

CharliePete00 Commented:
Actually 4 groups is the recommended way to go and if you ever work in an environment with interforest (or NT 4) trusts this will make your life much easier.  You create Domain Global Groups based on user role and add appropriate users to them.  You create Domain Local Groups based on access to resources and grant those groups permissions to resources.  Then you add the appropriate Domain Global Groups (users) to the Domain Local Groups (resource permissions).

Users -> Domain Global Groups -> Domain Local Groups -> Resources

Let's say you have an Excel spreadsheet that we will call AccountsReceivable.xls that the accounting department needs write access to but the Budgeting department should only have read access. You would create 2 Domain Global Groups: Accounting and Budgeting; and add members of the accounting department to Accounting and budgeting to Budgeting. You would then create 2 Domain Local Groups: AccountsReceivableRead and AccountsReceivableWrite; then give AccountsReceivableRead read permissions to AccountsReceivable.xls and AccountsReceivableWrite write permissions to AccountsReceivable.xls. You would then make the Budgeting Domain Global Group a member of AccountsReceivableRead Domain Local Group and the Accounting Domain Global Group a member of the AccountsReceivableWrite Domain Local Group.

Accounting Dept -> Accounting Domain Global Group -> AccountsReceivableWrite Domain Local Group -> AccountsReceivable.xls write permission

Budgeting Dept -> Budgeting Domain Global Group -> AccountsReceivableRead Domain Local Group -> AccountsReceivable.xls read permission

Now let's say corporate management wants write access to AccountsReceivable.xls. You can make the CorpManagement Domain Global Group (creating it if necessary and adding appropriate users to the group) a member of the AccountsReceivableWrite Domain Local Group.
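
The chain described in the answer above, as an added example that is not part of the original post, using the `dsadd`/`dsmod`/`dsget` directory tools that ship with Windows Server 2003 and `cacls` for the ACL. The domain `example.local` (NetBIOS name `EXAMPLE`), the `OU=Groups` container and the file path are assumptions; the group names are the ones used in the answer.

```bat
@echo off
rem Added example: Users -> Domain Global -> Domain Local -> Resource.
rem Assumed (not from the thread): domain example.local / EXAMPLE,
rem an existing OU=Groups, and the path D:\Finance\AccountsReceivable.xls.
setlocal
set BASE=OU=Groups,DC=example,DC=local
set FILE=D:\Finance\AccountsReceivable.xls

rem 1. Role groups: Domain Global security groups that hold the user accounts.
dsadd group "CN=Accounting,%BASE%" -secgrp yes -scope g -samid Accounting
dsadd group "CN=Budgeting,%BASE%" -secgrp yes -scope g -samid Budgeting

rem 2. Resource groups: Domain Local security groups, one per access level.
dsadd group "CN=AccountsReceivableWrite,%BASE%" -secgrp yes -scope l -samid AccountsReceivableWrite
dsadd group "CN=AccountsReceivableRead,%BASE%" -secgrp yes -scope l -samid AccountsReceivableRead

rem 3. Nest role groups into resource groups. User accounts are never
rem    added to the Domain Local groups directly.
dsmod group "CN=AccountsReceivableWrite,%BASE%" -addmbr "CN=Accounting,%BASE%"
dsmod group "CN=AccountsReceivableRead,%BASE%" -addmbr "CN=Budgeting,%BASE%"

rem 4. The ACL names only the Domain Local groups.
rem    /E edits the existing ACL instead of replacing it; C = Change, R = Read.
cacls "%FILE%" /E /G EXAMPLE\AccountsReceivableWrite:C
cacls "%FILE%" /E /G EXAMPLE\AccountsReceivableRead:R

rem 5. A later request (corporate management needs write access) is one
rem    membership change and no ACL edit. Uncomment once the group exists:
rem dsmod group "CN=AccountsReceivableWrite,%BASE%" -addmbr "CN=CorpManagement,%BASE%"

rem 6. Review: the membership lists should show only Global groups, and the
rem    ACL should show only the two Domain Local groups for this resource.
dsget group "CN=AccountsReceivableWrite,%BASE%" -members
dsget group "CN=AccountsReceivableRead,%BASE%" -members
cacls "%FILE%"
endlocal
```

Domain Local groups can be placed on ACLs of member servers only when the domain runs at Windows 2000 native functional level or higher; in a mixed-mode domain they are usable only on domain controllers.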
Aguillon1949 (Author) Commented:
Excellent!!

Thanks a bunch,

Nelson