Solved

Best way to configure NTFS Permissions for our requirements?

Posted on 2010-08-17
Last Modified: 2012-05-10
Hello,

I am looking for some advice on the best way to configure the NTFS permissions that we require on our T drive on our network. The server is running Windows 2003 Enterprise Edition.

We have the following folder structure.

T:\ - contains all the client folders

For Example:

T:\client1
T:\client2
T:\client3
T:\client4
etc.


Each client folder has up to 6 subfolders for example:

T:\client1\Audit and Accounts
T:\client1\Correspondence
T:\client1\Permanent
T:\client2\Audit and Accounts
T:\client2\Correspondence
T:\client2\Permanent
etc.

We currently have it set up so that domain admins and power users have full control over all client folders and subfolders & files. We then have "Domain Users" with Modify NTFS permissions on all the folders.

The downside to this is that users seem to be accidentally moving the key folder structure. For example, a user might accidentally drag client1 into the client2 folder by mistake, or move Permanent into Correspondence by mistake.

Ideally what we need is the following:

T:\
Domain Admins / Power Users Full Control to add new client folders or amend different ones. Domain Users Read Only.


T:\client1
T:\client2
etc.
Domain Admins / Power Users Full Control. Domain Users Read Only - so they can't move the folders by mistake.


T:\client1\Audit and Accounts
T:\client1\Correspondence
T:\client1\Permanent
Domain Admins / Power Users Full Control.  Domain Users Read Only.


T:\client1\Audit and Accounts\*.*
Domain Users need read/write/modify here so that they can create their own files and folders within a client area.
Domain Admins / Power Users Full Control.

Is there an easy way to set these permissions up with inheritance, so that once we configure the permissions for a client folder that is done, without giving users the ability to move folders they shouldn't be moving?

Other consideration is what happens when a power user creates a new client folder and adds the subfolders.  Would we need to run a script to reapply permissions to the client folders and the subfolders?

Thanks

0
Question by:cloughs
9 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33454165
Set at the top read access, and on lower level set modify
0
 
LVL 1

Author Comment

by:cloughs
ID: 33454267
If you set modify on the client sub folders then users can still move the subfolders...
0
 
LVL 9

Expert Comment

by:vsg375
ID: 33454301
Hi,

Your structure looks fine, but I see one small problem.

As long as Domain Users have modify rights on T:\Client1\Audits and accounts\ they can't have read only at the same time. To make things easier, here's how I would proceed:

- add one level like T:\Client1\Audits and accounts\Data

- position ACLs as follows:

T:\ : Domain admins / power users : Full control. This folder, subfolders and files (inherited on whole tree)

T:\Client1 : Nothing to add for DA / PU (inherited). Add Domain Users : read only. This folder only (not propagated)

T:\Client1\Audits and Accounts : Nothing to add for DA / PU (inherited). Add Domain Users : read only. This folder only (not propagated).

T:\Client1\Audits and Accounts\Data : Nothing to add for DA / PU (inherited). Add Domain Users : Modify. This folder, subfolders and files (inherited on rest of tree).

Hope this helps.
0
 
LVL 1

Author Comment

by:cloughs
ID: 33454337
That sounds like one option, the only problem being creating the subfolder within each client's subfolder. There are thousands of client folders, so that would be quite a big task to do.

I wonder why Microsoft didn't make a Move permission that was easy to allocate to users/groups...?

0
 
LVL 3

Accepted Solution

by: robertodeacruz (earned 2000 total points)
ID: 33454449
T:\
Domain Users - Read - ok

T:\client1
T:\client2
Domain Users - Read

If you set it up so that a customer can enter the folder of another client, this may be undesirable. Here it is best to remove the Domain Users group and add each user's own account to their own folder, with permission to read from here down.

But if a client accessing the folder of another is not a problem, you can leave it as is.

T:\client1\Audit and Accounts
T:\client1\Correspondence
T:\client1\Permanent

Put in those folders the user account with Modify permission.

Here, you have to go to Security, Advanced, Permissions tab, click the user, the Edit button and select "Subfolders and files only".

With this, the user reads, writes, deletes, creates, only moving objects within a folder, just the way you want.

If you want to do it all through scripts, take a look at the cacls command in Windows.
0
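An added example, not code from this thread, that applies the accepted answer's layout to one client folder with PowerShell, so it can also serve as the per-client script the question asks about (in place of cacls/xcacls) and can be pointed at the per-level AD groups suggested further down. It assumes the T: tree from the question, that T:\ already carries the admins' Full Control inherited over the whole tree and Domain Users Read on "this folder only", and uses a placeholder domain name; it runs on PowerShell 2.0, which is what Windows 2003 can have.

```powershell
# Added example (not from the thread): apply the accepted answer's ACL layout to one client folder.
# Assumes admins' Full Control is already inherited from T:\ over the whole tree, so nothing is
# added here for Domain Admins / Power Users. PowerShell 2.0 compatible.
param(
    [Parameter(Mandatory = $true)] [string] $ClientPath,   # e.g. T:\client1
    [string] $UserGroup = 'EXAMPLE\Domain Users'           # placeholder domain name
)

# Build an Allow ACE. Scope uses the same flags the Advanced Security dialog maps to:
#   "This folder only"          = InheritanceFlags None,                     PropagationFlags None
#   "Subfolders and files only" = ContainerInherit + ObjectInherit,          PropagationFlags InheritOnly
function New-AllowRule([string] $Identity, [string] $Rights, [string] $Inherit, [string] $Propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# 1. Client folder: users can read and browse it, but hold no Delete on it and no
#    "Delete subfolders and files" on T:\, so they cannot drag client1 into client2.
$acl = Get-Acl -Path $ClientPath
$acl.AddAccessRule((New-AllowRule $UserGroup 'ReadAndExecute' 'None' 'None'))
Set-Acl -Path $ClientPath -AclObject $acl

# 2. Each subfolder (Audit and Accounts, Correspondence, Permanent):
#    - "This folder only": Read & Execute plus Create Files / Create Folders, but no Delete,
#      so users can add their own content here yet cannot move or rename the subfolder.
#      (An inherit-only ACE never applies to the folder itself, so Modify alone is not enough.)
#    - "Subfolders and files only": Modify, so what they create can be edited, renamed,
#      deleted or moved between client subfolders.
Get-ChildItem -Path $ClientPath | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $sub = Get-Acl -Path $_.FullName
    $sub.AddAccessRule((New-AllowRule $UserGroup 'ReadAndExecute, CreateFiles, CreateDirectories' 'None' 'None'))
    $sub.AddAccessRule((New-AllowRule $UserGroup 'Modify' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
    Set-Acl -Path $_.FullName -AclObject $sub
}

# 3. Verify: list every ACE with its scope flags, which is what an auditor would check rather
#    than trusting the dialog. Inherited entries show IsInherited = True.
Get-ChildItem -Path $ClientPath | Where-Object { $_.PSIsContainer } | ForEach-Object {
    "`n$($_.FullName)"
    (Get-Acl -Path $_.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}
```

Moving a folder on the same volume needs Delete on that folder or "Delete subfolders and files" on its parent, and this layout grants users neither on the client folder or its three subfolders, which is why the drag-and-drop accidents stop there while items the users create below keep full Modify. Because new client folders created by a power user do not get the "this folder only" entries automatically, the script is meant to be run once per new client folder.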
 
LVL 9

Expert Comment

by:vsg375
ID: 33454858
As regards bulk adding the "data" directory, if your whole structure is as shown in your example, here's what you can do:

- create a text file containing your client numbers (only the number, 1 to n)
- name your file dirs.txt

create a .bat file with the following command:

REM inside a .bat file the loop variable must be written %%A (it is %A only at an interactive prompt);
REM folder names below match the question's tree (T:\clientN\Audit and Accounts etc.)
for /F %%A IN (dirs.txt) do md "client%%A\Audit and Accounts\data" & md "client%%A\Correspondence\data" & md "client%%A\Permanent\data"

Save this file at root level (on T:)

Execute to bulk create the dir in your structure. I tested it successfully on a sample tree but I still suggest you start by putting only 2 numbers in your dirs.txt :o)

Then you can continue automating using xcacls as roberto suggested.

The advantage is that it will be easier to simply add simple permissions rather than modify effective permissions.

0
 
LVL 1

Author Comment

by:cloughs
ID: 33455941
Thanks for your help everyone, going to give it a try this evening :)
0
 
LVL 6

Expert Comment

by:Flipp
ID: 33461636
Another suggestion, to complement all the suggestions above, is to create new AD Security Groups for each level at which you are applying changes.

Being able to manage accessibility via AD Users & Computers far outweighs the effort to set up the groups. You can then nest and control from any PC using MMC.

If you apply directly to security, how do you truly know who has what rights? Trust me that the above will save you a motza amount of time in the long run :-)
0
 
LVL 1

Author Comment

by:cloughs
ID: 33463633
Good plan about the AD groups; that will shorten the job considerably. Just looking into xcacls.vbs, which seems quite powerful.
0
