dqnet
Share, Security, Permissions!
Hi folks,
AD 2008
1 File Server (2008 r2 FSRM)
Multiple Shares, e.g.
\\SERVER\Finance
\\SERVER\General
\\SERVER\IT
\\SERVER\Administration
All these shares have security in such a way that only the matching Security Group can access.
So, for \\SERVER\Administration there are users in the security group in AD and that group is added to the share security and all works well. The drive is mapped on login perfectly.
The issue is this:
All shares have the additional security attached, which I believe is default:
Administrator (SERVERNAME\Administrators)
However, there are no Domain Admins attached to any of the folders, only the above. I know Domain Admins are attached to the \\SERVERNAME\Administrators group, but what if for any reason Domain Admins are removed? No Domain Admins can access the shares anymore.
Should I add Domain Admins to each of the shares (folder level)? If so, should I do it at folder level or at the root folder of \\SERVERNAME\Departments (administration, finance, hr, payroll) and add Domain Admins?
If it even should be like that?
I mean, Domain Admins should be able to access all departments' shares and all folders?
ASKER
Yes, but there is only one admin on the network. Shouldn't it be the case where I apply domain admins to the root folder..?
I'm just being safe, no?
What if for some reason we remove domain administrators from the servername/administrators group? Then it's a disaster?
ASKER
??
ASKER
Changing the question slightly, basically, what is the correct way of doing this.
I always thought that domain admins should have control over all folders. I mean, what happens if a local admin of the server logs in and removes domain admins from the local administrators group! Nobody can then access the department folder to make any significant changes unless you re-take ownership, which can take hours on 52,000 files.
Should I give domain admins \\SERVERNAME\Departments...?
(The Departments folder contains folders such as finance, hr, procurement, etc., which are locked to those security groups in Active Directory.)
ASKER
Many thanks!
But if the upper folder allows you to take ownership, you will be able to reset the owners.
What you can do is to prepare an empty group with admin users for each folder with full control. In those groups you will be able to add somebody in case of need.
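An added example, not part of the original thread: a PowerShell sketch that reports, for the Departments root and each department folder, who owns it, whether inheritance is blocked, and whether the local Administrators group, Domain Admins and a dedicated admin group hold Full Control, and that can optionally grant that group one inheritable ACE at the root. The path `D:\Departments`, the domain name `CONTOSO` and the group name `FS-Departments-Admins` are assumptions.

```powershell
# Assumed values (not from the thread): local path of the Departments root,
# the domain name, and a normally empty break-glass admin group.
$Root       = 'D:\Departments'
$Domain     = 'CONTOSO'
$AdminGroup = "$Domain\FS-Departments-Admins"   # hypothetical group name
$Apply      = $false                            # set to $true to write the ACE

$FC = [System.Security.AccessControl.FileSystemRights]::FullControl
$IO = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-FullControl($Acl, [string]$Identity) {
    # True if an Allow ACE for $Identity grants Full Control on the folder itself
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $FC) -eq $FC -and
            ($ace.PropagationFlags -band $IO) -ne $IO) { return $true }
    }
    return $false
}

if ($Apply) {
    # One inheritable ACE at the root instead of one per department folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $AdminGroup, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $rootAcl = Get-Acl -Path $Root
    $rootAcl.AddAccessRule($rule)
    Set-Acl -Path $Root -AclObject $rootAcl
}

# Report the root and each department folder
$folders = @(Get-Item -Path $Root) +
           @(Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer })
foreach ($f in $folders) {
    $acl = Get-Acl -Path $f.FullName
    New-Object PSObject -Property @{
        Folder             = $f.FullName
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected
        LocalAdmins        = Test-FullControl $acl 'BUILTIN\Administrators'
        DomainAdmins       = Test-FullControl $acl "$Domain\Domain Admins"
        BreakGlassGroup    = Test-FullControl $acl $AdminGroup
    }
}
```

Folders reported with `InheritanceBlocked` set to True do not receive the root ACE and need it granted on the folder directly. Writing the ACE at the root propagates it to every child that inherits, so on a large tree the `Set-Acl` call takes a while.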