Microsoft NTFS permissions
Posted on 2009-04-13
I know there are similar posts and I've read through a bunch but didn't find exactly what I was looking for.
We are going through a Novell to Microsoft conversion and we are beginning the file server phase. I think I have a good handle on this but I want to be sure, I don't want to restructure again in a year. During this phase we are cleaning up and reconfiguring our folder structure. We are also looking to implement DFS for replication. I'll do my best to explain what we are looking to do.
This will be a Single Domain with Multiple locations.
Being a new structure, my boss wants a top-level folder to contain everything for this site, then breaking it down more granularly as it goes. This is where I am getting a bit lost as I drill down the structure. I don't ever want to leave ADUC to do any managing.
Following is an example of the structure with the groups and permissions. *note* The President, VP, Cabinet, Congress, and Shared folders are not inheriting from the parent.
D:\Shared <----- This is my shared folder
  -oursite - has oursite-r and oursite-rw DLs
    -President - oursite_president-r and oursite_president-rw DLs
    -Vice President - oursite_vicepresident-r and oursite_vicepresident-rw DLs
    -Cabinet - oursite_cabinet-r and oursite_cabinet-rw DLs
    -Congress - oursite_Congress-r and oursite_Congress-rw DLs
      -Senate - oursite_congress_Senate-r and rw DLs
      -House - oursite_congress_Senate-r and rw DLs
    -Shared - oursite_shared-r and oursite_shared-rw DLs
Starting from the top down, we want the top groups to have RW permissions for all the lower directories. For example, the President has RW to their folder, VP, Cabinet, Congress, and Shared. The VP cannot access the President folder but has RW to Cabinet and Congress for their areas and R to the rest of the areas, except Shared. Also, within Congress we want the Senate to have RW to their folder but only read to Congress, and vice versa.
I have created the following global groups: President, VP-stuff, VP-other stuff, Cabinet_junk, Cabinet_junk2, Cabinet_things, Cabinet_things2, Senate, House, Shared_item1, Shared_item2, Shared_Metrics.
The GG called President should be easiest, member of the RW DL groups VP, Cabinet, Congress, etc. For the VPs this is what I was thinking.
Have a GG called site_all, all members of the site are in this group. This GG is a member of the DL_oursite-r group.
GG_VP_stuff is a member of DL_VP-r. Then it is a member of DL_VP_stuff-rw and DL_VP_otherstuff-r.
(access to congress) GG_VP_stuff is a member of DL_Congress-r, DL_Congress_Senate-r, DL_Congress_House-rw
So now for my questions.
1.) Is this the best method, or is there something I should change?
2.) I think I would always want to create at least 2 DL groups for every top-level resource, one for R and one for RW. I don't want to have to touch NTFS settings again. Would this be a good strategy?
3.) This question is about the shared folders. I will be allowing Domain Users read-only access to this folder via the DL_oursite-r group, then adding Domain Users to the DL_oursite_shared-r group.
If I create a folder called Metrics that people need both R and RW access to, should I create 2 GGs to go along with the DLs? The groups would be named DL_oursite_shared_metrics-r and GG_oursite_shared_metrics-r, then rw for each. The GG would be nested in the DL and the people would be assigned appropriately?
Most shared folders will be RW, so I would imagine I'll just create one global group at that time, then add an R group if needed.
I hope I was clear enough without being too confusing.
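The scheme described in the post (a DL_<folder>-r / DL_<folder>-rw pair on every folder, inheritance broken on the named subfolders, role global groups nested into the DLs so NTFS is never touched again) as an added PowerShell example; this is not code from the original post. It assumes the RSAT ActiveDirectory module, that it runs on the file server as a domain admin, a share root of D:\Shared, a hypothetical group OU of OU=Groups,DC=corp,DC=example, and the role group names GG_President, GG_site_all, GG_Senate and GG_House. R is mapped to ReadAndExecute and RW to Modify (not FullControl, so members cannot re-ACL the folder).

```powershell
# Added example, not the poster's code. Builds the folder tree from the post,
# creates one DL pair per folder, applies the NTFS ACEs once, and nests the
# role global groups into the DL groups (A -> G -> DL -> P).
# Assumptions: RSAT ActiveDirectory module, run as a domain admin on the file
# server, share root D:\Shared, groups created in an assumed OU.
Import-Module ActiveDirectory

$ShareRoot = 'D:\Shared'
$GroupOU   = 'OU=Groups,DC=corp,DC=example'   # assumed OU
$Domain    = (Get-ADDomain).NetBIOSName

# Relative paths under the share; the DL name is derived from the path.
$Folders = 'oursite', 'oursite\President', 'oursite\VicePresident',
           'oursite\Cabinet', 'oursite\Congress', 'oursite\Congress\Senate',
           'oursite\Congress\House', 'oursite\Shared'

# Folders the post says do NOT inherit from their parent (Senate and House keep
# inheriting from Congress).
$NoInherit = 'oursite\President', 'oursite\VicePresident', 'oursite\Cabinet',
             'oursite\Congress', 'oursite\Shared'

# Role global groups -> DL groups they are nested in. Encodes the post's rules:
# President RW everywhere, everyone at the site R on the root and on Shared,
# Senate/House RW on their own folder and R on Congress. (Assumed GG names.)
$Nesting = @{
    'GG_President' = 'DL_oursite_president-rw', 'DL_oursite_vicepresident-rw',
                     'DL_oursite_cabinet-rw', 'DL_oursite_congress-rw',
                     'DL_oursite_shared-rw'
    'GG_site_all'  = 'DL_oursite-r', 'DL_oursite_shared-r'
    'GG_Senate'    = 'DL_oursite_congress_senate-rw', 'DL_oursite_congress-r'
    'GG_House'     = 'DL_oursite_congress_house-rw',  'DL_oursite_congress-r'
}

function Ensure-ADGroup([string]$Name, [string]$Scope) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $GroupOU
    }
}

function New-Ace([string]$Account, [string]$Rights) {
    # Allow ACE that propagates to subfolders and files, so one pair of DL
    # groups covers the whole subtree under that folder.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Account,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

foreach ($rel in $Folders) {
    $path = Join-Path $ShareRoot $rel
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # 'oursite\Congress\Senate' -> 'oursite_congress_senate'
    $base = ($rel -replace '\\', '_').ToLower()
    Ensure-ADGroup "DL_$base-r"  DomainLocal
    Ensure-ADGroup "DL_$base-rw" DomainLocal

    $acl = Get-Acl -Path $path
    if ($NoInherit -contains $rel) {
        # Stop inheriting and discard the inherited ACEs. That also drops
        # SYSTEM and Administrators, so put them back or admins get locked out.
        $acl.SetAccessRuleProtection($true, $false)
        $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'     'FullControl'))
        $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
    }
    $acl.AddAccessRule((New-Ace "$Domain\DL_$base-r"  'ReadAndExecute'))
    $acl.AddAccessRule((New-Ace "$Domain\DL_$base-rw" 'Modify'))
    Set-Acl -Path $path -AclObject $acl
}

# From here on, all access changes are group membership in ADUC, never NTFS.
foreach ($gg in $Nesting.Keys) {
    Ensure-ADGroup $gg Global
    foreach ($dl in $Nesting[$gg]) {
        $already = Get-ADGroupMember -Identity $dl | Where-Object { $_.SamAccountName -eq $gg }
        if (-not $already) { Add-ADGroupMember -Identity $dl -Members $gg }
    }
}
```

Two things to check after running it. First, a user has to be able to traverse every folder above the one they work in: Senate members reach D:\Shared\oursite\Congress\Senate only because GG_site_all gives them R on oursite and GG_Senate gives them R on Congress; if a role group only holds the leaf DL, the user gets "access denied" one level up. Second, Modify on the rw DL is deliberately not FullControl, so nobody outside Administrators can change the ACEs you just set; if you need an owner role on a folder, make it a third DL rather than reusing rw. Since membership lands in the logon token, users must log off and on before a new nesting takes effect.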