NTFS ACLs and file ownership transfer
Posted on 2010-08-20
I'm currently reading the Windows Administration Productivity Solutions for IT Professionals, which is a great guide on setting up Active Directory infrastructures and designing a Role Based Access Control (RBAC) environment.
I currently have an infrastructure in place with about 3000 users and some 33000 students. I am taking on the challenge to revamp everything in there to comply with an RBAC system, rather than what I have inherited, which is really very rudimentary and insecure, and most of all, un-audit-able.
The concept of RBAC seemed to make sense. In particular I have a question regarding one item:
The best practice is to create shared folders for departments, and contrary to general practice, it is recommended that only EDIT permissions be given to the department security group role (meaning, no delete), and then giving OWNER CREATOR access for deleting their own files.
I think this is a great system that will avoid having people delete each other's files on purpose or accidentally, while still allowing them to create and modify each other's files.
This is done by setting the ownership on the files and/or folders, and assigning the correct permissions.
Now my question:
Let's say John Doe used to work in Marketing, and had access to the marketing share, he created a bunch of files and folders of which he is now the owner, and the rest of the department can modify, but not delete his files.
Suddenly John Doe finds a new job, and he's out. Now I have a bunch of scattered files and folders with him as owner (or his now-orphaned SID as owner). Short of taking ownership of the parent folder, which would also mean taking ownership of other users' files in that department (which, of course, I wouldn't want to do), I don't really see an easy way to transfer the ownership of John's files to the person replacing him within this model.
Is anyone out there using RBAC, and particularly this system of file ownership, and if so, how are you managing file ownership transfers upon employee arrival or departure?
I love the system, but I want to try to think long term first, before implementing something that sounds like a great solution, and then end up being stuck with big caveats and management nightmares...
Looking forward to hearing your opinions.
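One way to do the targeted transfer the question asks about, as an added example that is not part of the original post: walk the department share, match files on the departed user's SID (so it still works after the account is deleted and the owner shows as an orphaned SID), and set the successor as owner, leaving everyone else's files alone. The share path, the old SID and the successor account are placeholders; the function assumes it runs from an elevated session, since assigning ownership to another principal needs the Restore privilege.

```powershell
# Added example (not from the original post). Placeholders: $Path, $OldOwnerSid, $NewOwner.
function Move-FileOwnership {
    param(
        [Parameter(Mandatory)] [string] $Path,         # e.g. '\\fileserver\Marketing' (placeholder)
        [Parameter(Mandatory)] [string] $OldOwnerSid,  # departed user's SID, e.g. 'S-1-5-21-...-1234' (placeholder)
        [Parameter(Mandatory)] [string] $NewOwner,     # successor account, e.g. 'CONTOSO\jsmith' (placeholder)
        [switch] $ReportOnly                           # list matches without changing anything
    )
    # Compare by SID, not by display name: once John's account is deleted the
    # name no longer resolves, but the SID stored in each security descriptor is unchanged.
    $oldSid  = New-Object System.Security.Principal.SecurityIdentifier $OldOwnerSid
    $newAcct = New-Object System.Security.Principal.NTAccount $NewOwner

    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $item = $_
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            Write-Warning "Cannot read ACL on $($item.FullName): $_"
            return
        }
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($ownerSid -ne $oldSid) { return }   # someone else's file or folder: leave it alone

        # Ownership is only half the picture: any explicit ACE that names John's SID
        # (for example the one stamped from CREATOR OWNER when he created the file)
        # stays as it is, so count those for the report rather than silently rewriting them.
        $staleAces = @($acl.Access | Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $oldSid
        }).Count

        $status = 'Matched'
        if (-not $ReportOnly) {
            # Setting the owner to a principal other than yourself requires SeRestorePrivilege,
            # which an elevated administrator session holds.
            $acl.SetOwner($newAcct)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
            $status = 'OwnerChanged'
        }
        [PSCustomObject]@{
            Path          = $item.FullName
            PreviousOwner = $ownerSid.Value
            NewOwner      = $NewOwner
            AcesNamingOld = $staleAces
            Status        = $status
        }
    }
}
# Dry run first, then apply; the -ReportOnly pass is what you keep for the audit trail.
# Move-FileOwnership -Path '\\fileserver\Marketing' -OldOwnerSid 'S-1-5-21-...-1234' -NewOwner 'CONTOSO\jsmith' -ReportOnly
```

Files whose report shows a non-zero AcesNamingOld value still carry an explicit entry for the old SID and need their ACL reviewed separately; this script deliberately does not touch ACEs.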