Best way to configure NTFS Permissions for our requirements?

Posted on 2010-08-17
Last Modified: 2012-05-10
Hello,

I am looking for some advice on the best way to configure the NTFS permissions that we require on our T drive on our network.  The server is running Windows 2003 Enterprise Edition.

We have the following folder structure.

T:\ - contains all the client folders

For Example:

T:\client1
T:\client2
T:\client3
T:\client4
etc.


Each client folder has up to 6 subfolders for example:

T:\client1\Audit and Accounts
T:\client1\Correspondence
T:\client1\Permanent
T:\client2\Audit and Accounts
T:\client2\Correspondence
T:\client2\Permanent
etc.

We currently have it set up so that Domain Admins and Power Users have Full Control over all client folders, subfolders and files.  We then have "Domain Users" with Modify NTFS permissions on all the folders.

The down side to this is that users seem to be accidentally moving the key folder structure.  For example a user might accidentally drag client1 into the client2 folder by mistake.  Or move Permanent into Correspondence by mistake.

Ideally what we need is the following:

T:\
Domain Admins / Power Users Full Control to add new client folders or amend existing ones.  Domain Users Read Only.


T:\client1
T:\client2
etc.
Domain Admins / Power Users Full Control.  Domain Users Read Only - so they can't move the folders by mistake.


T:\client1\Audit and Accounts
T:\client1\Correspondence
T:\client1\Permanent
Domain Admins / Power Users Full Control.  Domain Users Read Only.


T:\client1\Audit and Accounts\*.*
Domain Users need read/write/modify here so that they can create their own files and folders within a client area.
Domain Admins / Power Users Full Control.

Is there an easy way to set these permissions up with inheritance, so that once we configure the permissions for a client folder it is done, without giving users the ability to move folders they shouldn't be moving?

Other consideration is what happens when a power user creates a new client folder and adds the subfolders.  Would we need to run a script to reapply permissions to the client folders and the subfolders?

Thanks

Question by: cloughs

Expert Comment by Krzysztof Pytko (LVL 39), ID 33454165
Set at the top read access, and on lower level set modify

Author Comment by cloughs (LVL 1), ID 33454267
If you set Modify on the client subfolders then users can still move the subfolders...

Expert Comment by vsg375 (LVL 9), ID 33454301
Hi,

Your structure looks fine, but I see one small problem.

As long as Domain Users have Modify rights on T:\Client1\Audits and accounts\ they can't have Read only at the same time. To make things easier, here's how I would proceed:

- add one level like T:\Client1\Audits and accounts\Data

- set the ACLs as follows:

T:\ : Domain Admins / Power Users: Full Control. This folder, subfolders and files (inherited on whole tree)

T:\Client1 : Nothing to add for DA / PU (inherited). Add Domain Users: Read only. This folder only (not propagated)

T:\Client1\Audits and Accounts : Nothing to add for DA / PU (inherited). Add Domain Users: Read only. This folder only (not propagated).

T:\Client1\Audits and Accounts\Data : Nothing to add for DA / PU (inherited). Add Domain Users: Modify. This folder, subfolders and files (inherited on rest of tree).

Hope this helps.

Author Comment by cloughs (LVL 1), ID 33454337
That sounds like one option, the only problem being creating the subfolder within each client's subfolder.  There are thousands of client folders, so that would be quite a big task to do.

I wonder why Microsoft didn't make a Move permission that was easy to allocate to users/groups...?

Accepted Solution by robertodeacruz (LVL 3), earned 500 total points, ID 33454449
T:\
Domain Users - Read - OK

T:\client1
T:\client2
Domain Users - Read

If you set it up this way, a customer can enter the folder of another client. This may be undesirable. Here it is best to remove the Domain Users group and add each user's own account to their own folder, with permission to read from here down.

But if a client accessing the folder of another is not a problem, you can leave it as is.

T:\client1\Audit and Accounts
T:\client1\Correspondence
T:\client1\Permanent

Put the user account on those folders with Modify permission.

Here, you have to go to Security, Advanced, Permissions tab, click the user, the Edit button and select "Subfolders and files only".

With this, the user reads, writes, deletes and creates, and only moves objects within a folder, just the way you want.

If you want to do it all through scripts, have a look at the cacls command in Windows.
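The permission layout from the accepted solution above, as an added PowerShell example that is not code from the thread or from any of its participants. It gives Domain Users Read "This folder only" on the root and on each client folder, and on each category folder Modify "Subfolders and files only" plus, on the category folder itself, Modify without Delete: users can then create files and subfolders inside "Audit and Accounts", but cannot rename, move or delete the category folder, because moving or renaming a folder requires the Delete right on that folder. The share root T:\, the NetBIOS domain name CONTOSO, the use of the local BUILTIN\Power Users group and the folder layout (every direct child of T:\ is a client folder, every direct child of a client folder is a category folder) are assumptions for the example and must be adjusted to the real environment.

```powershell
# Added example, not code from the thread. Assumed: root T:\, domain CONTOSO,
# "Power Users" is the local BUILTIN group, every direct child of T:\ is a
# client folder and every direct child of a client folder is a category folder.

function New-Ace {
    # Build one ACE with the same scope names the Advanced Security dialog uses.
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('ThisFolderOnly', 'SubfoldersAndFilesOnly', 'ThisFolderSubfoldersAndFiles')]
        [string]$Scope
    )
    $none = [System.Security.AccessControl.InheritanceFlags]::None
    $both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    switch ($Scope) {
        'ThisFolderOnly' {
            $inh = $none; $prop = [System.Security.AccessControl.PropagationFlags]::None }
        'SubfoldersAndFilesOnly' {
            $inh = $both; $prop = [System.Security.AccessControl.PropagationFlags]::InheritOnly }
        'ThisFolderSubfoldersAndFiles' {
            $inh = $both; $prop = [System.Security.AccessControl.PropagationFlags]::None }
    }
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inh, $prop, 'Allow'
}

function Set-RootAcl {
    # Root: admins Full Control down the whole tree, Domain Users Read on the root only.
    param([string]$Root = 'T:\',
          [string]$Users = 'CONTOSO\Domain Users',
          [string[]]$Admins = @('CONTOSO\Domain Admins', 'BUILTIN\Power Users'))
    $acl = Get-Acl -Path $Root
    # Remove the current explicit Domain Users Modify ACE; Set-Acl propagates the
    # removal of an inheritable ACE to every child, which takes time on a large tree.
    $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($Users)))
    foreach ($g in $Admins) {
        $acl.AddAccessRule((New-Ace $g 'FullControl' 'ThisFolderSubfoldersAndFiles'))
    }
    $acl.AddAccessRule((New-Ace $Users 'ReadAndExecute' 'ThisFolderOnly'))
    Set-Acl -Path $Root -AclObject $acl
}

function Set-ClientFolderAcl {
    # Lock one client folder and its category folders. Run it for every existing
    # client folder, and again for each new one a Power User creates (the root's
    # Domain Users ACE is "this folder only", so a new client folder inherits
    # nothing for Domain Users until this is applied).
    param([string]$ClientPath, [string]$Users = 'CONTOSO\Domain Users')
    $id     = New-Object System.Security.Principal.NTAccount($Users)
    $read   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    # Modify minus Delete (= ReadAndExecute + Write): users may create files and
    # subfolders in the category folder, but without Delete on the folder itself
    # they cannot rename, move or delete it.
    $addHere = $read -bor [System.Security.AccessControl.FileSystemRights]::Write

    $acl = Get-Acl -Path $ClientPath
    $acl.PurgeAccessRules($id)
    $acl.AddAccessRule((New-Ace $Users $read 'ThisFolderOnly'))
    Set-Acl -Path $ClientPath -AclObject $acl

    foreach ($cat in (Get-ChildItem -Path $ClientPath | Where-Object { $_.PSIsContainer })) {
        $acl = Get-Acl -Path $cat.FullName
        $acl.PurgeAccessRules($id)
        $acl.AddAccessRule((New-Ace $Users $addHere 'ThisFolderOnly'))
        $acl.AddAccessRule((New-Ace $Users $modify  'SubfoldersAndFilesOnly'))
        Set-Acl -Path $cat.FullName -AclObject $acl
    }
}

function Set-AllClientFolderAcls {
    param([string]$Root = 'T:\', [string]$Users = 'CONTOSO\Domain Users')
    Set-RootAcl -Root $Root -Users $Users
    foreach ($client in (Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer })) {
        Set-ClientFolderAcl -ClientPath $client.FullName -Users $Users
    }
}

function Show-Acl {
    # Verify the result in the same columns the Advanced dialog shows.
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited |
        Format-Table -AutoSize
}

# Usage, run as an administrator on the file server (try it on a copy of two
# client folders first, as suggested further down in the thread):
#   Set-AllClientFolderAcls -Root 'T:\' -Users 'CONTOSO\Domain Users'
#   Show-Acl 'T:\client1\Audit and Accounts'
#   Set-ClientFolderAcl -ClientPath 'T:\client5'   # after a Power User adds a new client
```

Two things to check after running it. First, files and subfolders that users create inside a category folder inherit Modify, so users can still move those, which is what the question asks for, but with a single Domain Users group a user can also move their own items into another client's category folder; per-client groups, as suggested later in the thread, are the way to close that. Second, Explorer needs the Delete right on the source folder to move or rename it, so confirm with Show-Acl that no ACE grants Domain Users Delete, or "Delete subfolders and files" on the parent, on the client and category folders themselves.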
Expert Comment by vsg375 (LVL 9), ID 33454858
As regards bulk adding the "data" directory, if your whole structure is as shown in your example, here's what you can do:

- create a text file containing your client numbers (only the number, 1 to n)
- name your file dirs.txt

Create a .bat file with the following command:

rem %%A is the batch-file form of the FOR variable (a plain %A only works when typed at the prompt); the folder names must match the existing tree exactly
for /F %%A in (dirs.txt) do md "Client%%A\Audits and Accounts\data" & md "Client%%A\Correspondence\data" & md "Client%%A\Permanent\data"

Save this file at root level (on T:)

Execute to bulk create the dir in your structure. I tested it successfully on a sample tree but I still suggest you start by putting only 2 numbers in your dirs.txt :o)

Then you can continue automating using xcacls as roberto suggested.

The advantage is that it will be easier to simply add simple permissions rather than modify effective permissions.


Author Comment by cloughs (LVL 1), ID 33455941
Thanks for your help everyone going to give it a try this evening :)

Expert Comment by Flipp (LVL 6), ID 33461636
Another suggestion to complement all the suggestions above is to create new AD Security Groups for each level at which you are applying changes.

Being able to manage accessibility via AD Users & Computers far outweighs the effort of setting up the groups. You can then nest and control from any PC using MMC.

If you apply directly to security, how do you truly know who has what rights? Trust me that the above will save you a motza amount of time in the long run :-)

Author Comment by cloughs (LVL 1), ID 33463633
Good plan about the AD groups; that will shorten the job considerably.  Just looking into xcacls.vbs, which seems quite powerful.