Microsoft NTFS permissions

I know there are similar posts and I've read through a bunch but didn't find exactly what I was looking for.  

We are going through a Novell to Microsoft conversion and we are beginning the file server phase.  I think I have a good handle on this but I want to be sure, I don't want to restructure again in a year.   During this phase we are cleaning up and reconfiguring our folder structure.  We are also looking to implement DFS for replication.  I'll do my best to explain what we are looking to do.

This will be a Single Domain with Multiple locations.

Being a new structure, my boss wants a top level folder to contain everything for this site and then break down more granularly as it goes.  This is where I am getting a bit lost as I drill down the structure.  I don't ever want to leave ADUC to do any managing.

Following is an example of the structure with the groups and permissions.   *note* The President, VP, Cabinet, Congress, and Shared folders are not inheriting from the parent.

D:\Shared                        <----- This is my shared folder
    -oursite                     oursite-r and oursite-rw DLs
        -President               oursite_president-r and oursite_president-rw DLs
        -Vice President          oursite_vicepresident-r and oursite_vicepresident-rw DLs
        -Cabinet                 oursite_cabinet-r and oursite_cabinet-rw DLs
        -Congress                oursite_Congress-r and oursite_Congress-rw DLs
            -Senate              oursite_congress_Senate-r and rw DLs
            -House               oursite_congress_Senate-r and rw DLs
        -Shared                  oursite_shared-r and oursite_shared-rw DLs


Starting from the top down, we want the top groups to have RW permissions for all the lower directories.  E.g. President has RW to their folder, VP, Cabinet, Congress, and Shared.  The VP cannot access the President folder but has RW to Cabinet and Congress for their areas and R to the rest of the areas, except Shared. Also within Congress we want the Senate to have RW to their folder but only read to Congress, and vice versa.

I have created the following global groups: President, VP-stuff, VP-other stuff, Cabinet_junk, Cabinet_junk2, Cabinet_things, Cabinet_things2, Senate, House, Shared_item1, Shared_item2, Shared_Metrics.

The GG called President should be easiest, member of the RW DL groups VP, Cabinet, Congress, etc.  For the VPs this is what I was thinking.  
Have a GG called site_all, all members of the site are in this group.  This GG is a member of the DL_oursite-r group.  
GG_VP_stuff is a member of DL_VP-r.  Then it is a member of DL_VP_stuff-rw and DL_VP_otherstuff-r.
(access to Congress) GG_VP_stuff is a member of DL_Congress-r, DL_Congress_Senate-r, DL_Congress_House-rw

So now for my questions.

1.)  Is this the best method, or is there something I should change?

2.)  I think I would always want to create at least 2 DL groups for every top level resource, one for R and one for RW.  I don't want to have to touch NTFS settings again.  Would this be a good strategy?

3.) This question is at the shared folders.  I will be allowing Domain Users read only access to this folder via the DL_oursite-r group, then adding Domain Users to the DL_oursite_shared-r group.

If I create a folder called metrics that people need both R and RW access to, should I create 2 GGs to go along with the DLs?  The groups would be named DL_oursite_shared_metrics-r and GG_oursite_shared_metrics-r, then RW for each.  The GG would be nested in the DL and the people would be assigned appropriately?
Most shared folders will be RW, so I would imagine I'll just create one global group at that time, then add an R group if needed.

I hope I was clear enough without being too confusing.

innovationsquared Commented:
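The AGDLP chain the question describes for one resource folder, written out as an added PowerShell example (not from the original post). It assumes the RSAT ActiveDirectory module, a placeholder domain CORP with a Groups OU, and that the GG names Senate and House already exist; the Senate folder gets exactly two resource ACEs and stops inheriting from Congress.

```powershell
# Added example: build DL_<resource>-r / DL_<resource>-rw, nest the global
# groups into them, then stamp the folder with only those ACEs.
Import-Module ActiveDirectory

$Domain  = 'CORP'                              # placeholder NetBIOS domain name
$GroupOU = 'OU=Groups,DC=corp,DC=example'      # placeholder OU for the DL groups
$Folder  = 'D:\Shared\oursite\Congress\Senate'
$Res     = 'oursite_congress_Senate'           # resource name used in the post

# 1. Two domain-local groups per resource: read-only and read/write.
$Dl = @{ R = "DL_$Res-r"; RW = "DL_$Res-rw" }
foreach ($name in $Dl.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description "NTFS access to $Folder"
    }
}

# 2. Global groups hold the people; nest GG -> DL.
#    Senate staff get RW on their own folder, House staff only read it
#    (assumed reading of "and vice versa" in the post).
Add-ADGroupMember -Identity $Dl.RW -Members 'Senate'
Add-ADGroupMember -Identity $Dl.R  -Members 'House'

# 3. Break inheritance from Congress and write an explicit, minimal ACL.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)    # disable inheritance, discard inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    @{ Id = "$Domain\$($Dl.R)";         Rights = 'ReadAndExecute' }
    @{ Id = "$Domain\$($Dl.RW)";        Rights = 'Modify' }          # RW without Full Control
    @{ Id = 'NT AUTHORITY\SYSTEM';      Rights = 'FullControl' }     # keep backup/AV working
    @{ Id = 'BUILTIN\Administrators';   Rights = 'FullControl' }
)
foreach ($r in $rules) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Id, $r.Rights, $inherit, $prop, 'Allow'))
}
Set-Acl -Path $Folder -AclObject $acl
```

Because inherited ACEs are discarded, SYSTEM and Administrators are re-added explicitly; without them backups and AV scanning of the folder would fail.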
1. Your structure looks fine.  You are following what I call folder oriented permissions, and I'm sure I'm not the first one to think of that.  We have several small clients that use this method, although in larger organizations we prefer to use a department oriented method.

2. With only two groups per resource, one read/write and one read only, yes I'd make them all ahead of time.

3. Not quite sure I understand the exact question here, but I'll give what I think is some clarification.  The D:\Shared and D:\Shared\Sites folders should have at least read only for all domain users so they can access the folders below.  The D:\Shared\Sites\Oursite folder looks right, you're granting R or RW access to users at Oursite, although at this level maybe only the read only group is needed, as you probably don't want users creating folder here anyway.  The D:\Shared\Sites\Oursite\Shared also looks fine, it should be treated just like the other resource level folders like President, Cabinet, etc.  Folders below D:\Shared\Sites\Oursite\Shared can be treated similarly with groups being defined as you stated.  I have not tried it, but placing the GG inside the DL should grant them the needed permissions to get to the D:\Shared\Sites\Oursite\Shared so they can access the folders below.

A suggestion, whatever you do, you should create some documentation detailing the groups and permissions created to reference later if needed.  No matter how well we think we designed it and how simple it is, we all forget what we did 2-3 years later when some executive wants to know who has access to what files.
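The documentation step suggested above, as an added PowerShell example (not part of the answer): it walks a site tree, lists every explicit (non-inherited) ACE, and expands each AD group recursively so the GG nested inside a DL shows up as actual user names. It assumes the ActiveDirectory module and uses a placeholder root path.

```powershell
# Added example: "who has access to what" report over an NTFS tree.
Import-Module ActiveDirectory

$Root = 'D:\Shared\oursite'   # placeholder root of the site tree

function Expand-Principal {
    # Resolve a DOMAIN\group identity to its flattened user membership.
    param([string]$Identity)
    if ($Identity -match '^(BUILTIN|NT AUTHORITY)\\') { return $Identity }
    $sam = $Identity.Split('\')[-1]
    $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $grp) { return $Identity }            # a user or an unknown SID
    # -Recursive walks GG -> DL nesting down to the user objects
    (Get-ADGroupMember -Identity $grp -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName) -join ', '
}

$dirs   = @(Get-Item $Root) + @(Get-ChildItem $Root -Directory -Recurse)
$report = foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir.FullName
    # Only explicit ACEs: these are the places where inheritance was broken
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [pscustomobject]@{
            Folder    = $dir.FullName
            Inherits  = -not $acl.AreAccessRulesProtected
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Members   = Expand-Principal $ace.IdentityReference.Value
        }
    }
}
$report | Sort-Object Folder, Principal | Format-Table -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\ntfs-report.csv" -NoTypeInformation
```

Run it again after any group change and diff the two CSVs; an ACE granted directly to a user instead of a DL group stands out immediately.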
FLPeople (Author) Commented:
I wrote up the questions in word and copied it over.  I should have previewed the post.  Question 3 is actually underneath, I was trying to lay the groundwork above.  
If I create a folder called metrics in D:\shared\sites\shared\, would it be good practice to create the following groups:
Assign the DLs to the resource, then put the R GG in the R DL and the RW GG in the RW DL?  I know that folder will need both read and read/write access.   Or is there a better way to create the global groups?

As for most other folders that will be read write I think I will just create a Global Group for RW  and add a R GG if needed later.  

 I'd like to flatten the structure a little bit which would make the group names better but I want the group names to better reflect the resource so it makes sense when we are finding where a user has access.  Right now our Novell environment is a mess.

The reason for the hierarchy is that the top shared folder is our DFS target folder.  We have other namespace folders at that level, then at the site level is where all our sites will be; these folders will all be replicated.  Also we found that access based enumeration does not work correctly unless the structure is at least a level below the target folder.

Everything you show should work just fine.

I did realize, since you're only dealing with a single domain, you could stick with only DL groups, or only GG groups.  There is not really a need for both.  I believe a good majority of my clients using a single domain are using only GG groups.  Assign NTFS perms to the GG and then place the required users in those groups.
FLPeople (Author) Commented:
Since we are fairly large we are going to stay with our layout.  We've acquired one company in the last year and who knows about the future.  We'd like to keep it easier if we ever need to cross that bridge.
