Solved

Microsoft NTFS permissions

Posted on 2009-04-13
Last Modified: 2012-09-23
I know there are similar posts and I've read through a bunch but didn't find exactly what I was looking for.  

We are going through a Novell to Microsoft conversion and we are beginning the file server phase.  I think I have a good handle on this but I want to be sure, I don't want to restructure again in a year.   During this phase we are cleaning up and reconfiguring our folder structure.  We are also looking to implement DFS for replication.  I'll do my best to explain what we are looking to do.

This will be a Single Domain with Multiple locations.

Being a new structure my boss wants a top level folder to contain everything for this site and then breaking down more granular as it goes.  This is where I am getting a bit lost as I drill down the structure.  I don't ever want to leave ADUC to do any managing.

Following is an example of the structure with the groups and permissions.   *note* The President, VP, Cabinet, Congress, and shared folders are not inheriting from the parent.

D:\Shared                   <-----This is my shared folder
     -Sites
          -oursite                    - has oursite-r and oursite-rw DL's
               -President             oursite_president-r and oursite_president-rw DL's
               -Vice President        oursite_vicepresident-r and oursite_vicepresident-rw DL's
               -Cabinet               oursite_cabinet-r and oursite_cabinet-rw DL's
               -Congress              oursite_Congress-r and oursite_Congress-rw DL's
                    -Senate           oursite_congress_Senate-r and rw DLs
                    -House            oursite_congress_Senate-r and rw DLs
                    -anotherfolder
                    -morefolders
               -Shared                oursite_shared-r and oursite_shared-rw DL's

          -othersite
          -othersite2

Starting from top down we want the top groups to have RW permissions for all the lower directories.  Exp.  President has rw to their folder, VP, Cabinet, Congress, and Shared.  The VP cannot access the President but has RW to cabinet and congress for their areas and R to the rest of the areas, except shared. Also within Congress we want the Senate to be able to have RW to their folder but only read to Congress, and vice versa.

I have created the following global groups: President, VP-stuff, VP-other stuff, Cabinet_junk, Cabinet_junk2, Cabinet_things, Cabinet_things2, Senate, House, Shared_item1, Shared_item2, Shared_Metrics.

The GG called President should be easiest, member of the RW DL groups VP, Cabinet, Congress, etc.  For the VPs this is what I was thinking.  
Have a GG called site_all, all members of the site are in this group.  This GG is a member of the DL_oursite-r group.  
GG_VP_stuff is a member of DL_VP-r.  Then it is a member of DL_VP_stuff-rw, DL_VP_otherstuff-r,
(access to congress) GG_VP_stuff is a member of DL_Congress-r, DL_Congress_Senate-r, DL_Congress_House-rw

So now for my questions.

1.)  Is this the best method or is there something I should change?

2.)  I think I would always want to create at least 2 DL groups for every top level resource, one for R and one for RW.  I don't want to have to touch NTFS settings again.  Would this be a good strategy?

3.) This question is at the shared folders. I will be allowing Domain users Read only access to this folder via DL_oursite-r group then adding domain users to the DL_oursite_shared-r group.

If I create a folder called metrics that people need both r and rw access to it.  Should I create 2 GG to go along with the DLs.  The groups would be named:  DL_oursite_shared_metrics-r, GG_oursite_shared_metrics-r, then rw for each.  The GG would be nested in the DL and the people would be assigned appropriately?  
Most shared folders will be RW so I would imagine I'll just create one global group at that time then add a R group if needed.



I hope I was clear enough without being too confusing.
Question by:FLPeople
4 Comments
 
LVL 1

Accepted Solution

by:
innovationsquared earned 2000 total points
ID: 24133112
1. Your structure looks fine.  You are following what I call folder oriented permissions, and I'm sure I'm not the first one to think of that.  We have several small clients that use this method, although in larger organizations we prefer to use a department oriented method.

2. With only two groups per resource, one read/write and one read only, yes I'd make them all ahead of time.

3. Not quite sure I understand the exact question here, but I'll give what I think is some clarification.  The D:\Shared and D:\Shared\Sites folders should have at least read only for all domain users so they can access the folders below.  The D:\Shared\Sites\Oursite folder looks right, you're granting R or RW access to users at Oursite, although at this level maybe only the read only group is needed, as you probably don't want users creating folders here anyway.  The D:\Shared\Sites\Oursite\Shared also looks fine, it should be treated just like the other resource level folders like President, Cabinet, etc.  Folders below D:\Shared\Sites\Oursite\Shared can be treated similarly with groups being defined as you stated.  I have not tried it, but placing the GG inside the DL should grant them the needed permissions to get to the D:\Shared\Sites\Oursite\Shared so they can access the folders below.

A suggestion, whatever you do, you should create some documentation detailing the groups and permissions created to reference later if needed.  No matter how well we think we designed it and how simple it is, we all forget what we did 2-3 years later when some executive wants to know who has access to what files.
0
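One way to produce the documentation suggested in the answer above, as an added example that is not part of the original thread: it lists every explicit (non-inherited) ACE under the site folders and expands each group, through any GG-in-DL nesting, to the user accounts behind it. The scan depth and output file name are assumptions.

```powershell
# Added example. Assumptions (not from the thread): the scan depth and the
# output file name. Run with rights to read the ACLs and to query AD.
Import-Module ActiveDirectory

$root  = 'D:\Shared\Sites'    # top of the structure shown in the question
$depth = 3                    # assumed: deep enough to reach Senate/House

function Get-GroupUsers([string]$Account) {
    # Expand nested groups (GG inside DL) down to the user accounts.
    $sam   = ($Account -split '\\')[-1]
    $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
    if (-not $group) { return '' }      # not an AD group (user, SYSTEM, ...)
    $users = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName
    ($users | Sort-Object -Unique) -join ';'
}

$dirs = Get-ChildItem -Path $root -Directory -Recurse -Depth $depth
$report = foreach ($dir in $dirs) {
    # Only explicit entries: these mark where a group was assigned on purpose.
    $explicit = (Get-Acl -Path $dir.FullName).Access |
        Where-Object { -not $_.IsInherited }
    foreach ($ace in $explicit) {
        [pscustomobject]@{
            Folder = $dir.FullName
            Group  = $ace.IdentityReference.Value
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
            Users  = Get-GroupUsers $ace.IdentityReference.Value
        }
    }
}
$report | Export-Csv -Path '.\share-permissions.csv' -NoTypeInformation
```

Any row whose Group column is a user account rather than a DL group is a permission that was set outside the group design and is worth reviewing.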
 
LVL 2

Author Comment

by:FLPeople
ID: 24134161
I wrote up the questions in Word and copied it over.  I should have previewed the post.  Question 3 is actually underneath, I was trying to lay the groundwork above.
If I create a folder called metrics in D:\shared\sites\shared\   would it be good practice to create the following groups:  
DL_oursite_shared_metrics-r
DL_oursite_shared_metrics-rw
GG_oursite_shared_metrics-r
GG_oursite_shared_metrics-rw
Assign the DL's to the resource then put the R gg in the R dl and the RW gg in the RW DL?  I know that folder will need both read and read write access.   Or is there a better way to create the global groups?

As for most other folders that will be read write I think I will just create a Global Group for RW  and add a R GG if needed later.  

 I'd like to flatten the structure a little bit which would make the group names better but I want the group names to better reflect the resource so it makes sense when we are finding where a user has access.  Right now our Novell environment is a mess.

The reason for the hierarchy is the top shared folder is our DFS target folder.  We have other namespace folders at that level, then at the site level is where all our sites will be, these folders will all be replicated.  Also we found the access based enumeration does not work correctly unless the structure is at least a level below the target folder.




0
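The four-group layout asked about in the comment above, as an added example that is not part of the original thread: it creates the DL and GG pairs, nests each GG in its DL, and puts only the DL groups on the folder's ACL. The OU, the full folder path, the choice to stop inheriting from the parent, and the mapping of "r" and "rw" to ReadAndExecute and Modify are assumptions.

```powershell
# Added example. Assumptions (not from the thread): the OU, the full folder
# path, breaking inheritance, and "r"/"rw" meaning ReadAndExecute/Modify.
Import-Module ActiveDirectory

$ou     = 'OU=FileGroups,DC=example,DC=com'           # hypothetical OU
$folder = 'D:\Shared\Sites\oursite\Shared\metrics'     # assumed full path
$base   = 'oursite_shared_metrics'
$levels = @{ r = 'ReadAndExecute'; rw = 'Modify' }

function Get-OrCreateGroup([string]$Name, [string]$Scope) {
    # Idempotent: reuse the group if it already exists.
    $group = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $group) {
        $group = New-ADGroup -Name $Name -GroupScope $Scope `
            -GroupCategory Security -Path $ou -PassThru
    }
    $group
}

function New-Ace($Identity, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and files.
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

$acl = Get-Acl -Path $folder
# Stop inheriting and drop inherited entries so only the groups below apply.
$acl.SetAccessRuleProtection($true, $false)
# Keep SYSTEM and local Administrators (well-known SIDs) in control.
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
    $wellKnown = [System.Security.Principal.SecurityIdentifier]$sid
    $acl.AddAccessRule((New-Ace -Identity $wellKnown -Rights 'FullControl'))
}

foreach ($suffix in $levels.Keys) {
    $dl = Get-OrCreateGroup "DL_${base}-$suffix" 'DomainLocal'
    $gg = Get-OrCreateGroup "GG_${base}-$suffix" 'Global'
    # Nest the global group in its domain local group; users go in the GG only.
    $members = (Get-ADGroup -Identity $dl -Properties Members).Members
    if ($members -notcontains $gg.DistinguishedName) {
        Add-ADGroupMember -Identity $dl -Members $gg
    }
    # The DL group is the only principal that appears on the NTFS ACL.
    $acl.AddAccessRule((New-Ace -Identity $dl.SID -Rights $levels[$suffix]))
}
Set-Acl -Path $folder -AclObject $acl
```

After this runs, access to the folder is changed only by editing GG membership in ADUC; the ACL itself does not need to be touched again.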
 
LVL 1

Expert Comment

by:innovationsquared
ID: 24134763
Everything you show should work just fine.

I did realize, since you're only dealing with a single domain, you could stick with only DL groups, or only GG groups.  There is not really a need for both.  I believe a good majority of my clients using a single domain are using only GG groups.  Assign NTFS perms to the GG and then place the required users in those groups.
0
 
LVL 2

Author Comment

by:FLPeople
ID: 24140029
Since we are fairly large we are going to stay with our layout.  We've acquired one company in the last year and who knows about the future.  We'd like to keep it easier if we ever need to cross that bridge.

Thanks
0


Question has a verified solution.
