Share, Security, Permissions!

Hi folks,

AD 2008
1 File Server (2008 r2 FSRM)
Multiple Shares, e.g.

All these shares have security in such a way that only the matching Security Group can access.
So, for \\SERVER\Administration there are users in the security group in AD and that group is added to the share security and all works well. The drive is mapped on login perfectly.

The issue is this:

All Shares have the additional security attached which I believe are default:
Administrator (SERVERNAME\Administrators)

However there is no domain admins attached to any of the folders, only the above. I know Domain Admins are attached to \\SERVERNAME\Administrators group but what if for any reason domain admins are removed. No domain admins can access the shares anymore.

Should I add domain admins to each of the shares (folder level)..? If so, should I do it at folder level or at the root folder of \\SERVERNAME\Departments (administration, finance, hr, payroll) and add domain admins?

IF it even should be like that?
I mean domain admins should be able to access all departments shares and all folders??

No, domain admins are not always able to access a folder. This makes the folder more difficult to read for the admins.

But if the upper folder allows you to take ownership... You will be able to reset the owners.

What you can do is to prepare an empty group with adminusers for each folders with full control. In those groups you will be able to add somebody in case of needs.
dqnet (Author) Commented:
Yes, but there is only one admin on the network. Shouldn't it be the case where I apply domain admins to the root folder..?

I'm just being safe no?
What if for some reason we remove domain administrators ..servername/administrators group? Then it's a disaster?

dqnet (Author) Commented:
Changing the question slightly, basically, what is the correct way of doing this.
I always thought that domain admins should have control over all folders. I mean what happens if a local admin of the server logs in and removes domain admins from the local administrators group! Nobody can then access the department folder to make any significant changes unless you re-take ownership which can take hours on 52,000 files

Should I give domain admins \\SERVERNAME\Departments...?
(the departments folder contains folders such as finance, hr, procurement, etc. which are locked to those security groups in active directory)
ThinkPaper (IT Consultant) Commented:
It all depends on the privacy/computer policies your company has. For the most part, Domain Admins should have complete access to all folders so that they can manage them as needed.

However, there are exceptions to this case. What if the information in these folders is sensitive (i.e. financial or contractual company stuff) that they do not want even Domain Admins to have access (only the Program Management people would be able to see it). If that is the case, then the standard steps would be to leave Domain Admins out.
So if anything needed to be done to those folders, the Domain Admins can always retake ownership of the folder, but at least when this is done, there is an audit trail of who took ownership of the folders/files, which will allow the company to see who has access to the folder, and who made permissions changes to the folder.

So for the most part, it is easier if Domain Admins should have full access to the folders. This ensures that they do not run into any problems if they need to configure/change something.

How large are your shares? The major problem I see now, is trying to work backwards and reapplying the Domain Admin permissions. I would tread very carefully if you're planning on doing this, especially if the folder shares are huge as it could take a very long LONG time. You would also have to be very careful in NOT wiping out the previous set permissions.

The simplest thing you can do now is add Domain Admins at the ROOT folder level (and do not force inheritance/propagation down to the children as that could take FOREVER or wipe out existing permissions). This would at least ensure that any new folders that are created have Domain Admin with Full rights.
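
A read-only check that fits the advice above, added here as an example and not part of the original thread: it reports, for `\\SERVERNAME\Departments` and each first-level department folder, whether the admin groups hold Full Control, whether that comes from inheritance, and who owns the folder. The domain name `EXAMPLE` and the function name `Get-DeptAdminAccess` are assumptions.

```powershell
# Read-only audit: nothing on disk is changed.
# Assumptions (not from the thread): "EXAMPLE" stands in for the domain's
# NetBIOS name, and Get-DeptAdminAccess is a hypothetical helper name.
# The server's local Administrators group is listed in ACLs as BUILTIN\Administrators.
function Get-DeptAdminAccess {
    param(
        [string]$Root = '\\SERVERNAME\Departments',
        [string[]]$AdminPrincipals = @('BUILTIN\Administrators', 'EXAMPLE\Domain Admins')
    )
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # The root itself plus each department folder directly beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        foreach ($principal in $AdminPrincipals) {
            # Allow entries for this principal that include every Full Control bit.
            $aces = @($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $principal -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $full) -eq $full
            })
            # Any matching entry set directly on the folder (not inherited)?
            $explicit = @($aces | Where-Object { -not $_.IsInherited })

            New-Object PSObject -Property @{
                Folder             = $folder.FullName
                Principal          = $principal
                HasFullControl     = ($aces.Count -gt 0)
                ViaInheritanceOnly = ($aces.Count -gt 0 -and $explicit.Count -eq 0)
                InheritanceBlocked = $acl.AreAccessRulesProtected  # folder ignores parent ACEs
                Owner              = $acl.Owner
            }
        }
    }
}

Get-DeptAdminAccess |
    Sort-Object Folder, Principal |
    Format-Table Folder, Principal, HasFullControl, ViaInheritanceOnly, InheritanceBlocked, Owner -AutoSize
```

Folders reported with `InheritanceBlocked` set to `True` will not pick up an entry added at the root, so those are the ones to review individually.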

dqnet (Author) Commented:
Many thanks!