NTFS permissions on file server - simpler setup

This is a question on how to correctly set up our NTFS permissions on our Srv2008 R2 file server:

Our file server, where our users get their network drive from, has 15 folders on the root of the network drive.

Some of these folders have the need for a complex NTFS setup - look at the attached picture before you read further.

[Attached image: NTFS permissions]
I was thinking of removing the "Include inheritable permissions from this object's parent" setting from all the folders and sub(sub)folders that need their own set of permissions, and then setting up a new security group in AD for each folder and subfolder. Each folder would then need two groups in AD: one for full access and one for read-only access.

These security groups would then be organized within an OU.

This is what I have come up with so far - but it seems somewhat messy...

Any help would be appreciated - Thanks!
Brian Pierce (Photographer) commented:
>> These security groups would then be organized within an OU <<

While you can put security groups in OUs, remember that GPOs are not applied to security groups based on their OU membership.
You can set up your permissions that way; I see no reason why not. A couple of tips, though: name your security groups in a cohesive manner -- for example, ACL_Accounting_Modify tells me that "Accounting" has an access control list attached to an object and they have modify access. Secondly, consider giving your full access users modify instead -- the big difference is that full access rights allow permission changes, whereas modify does not.
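The group-per-folder scheme from this answer (inheritance cleared, ACL_<Folder>_<Right> naming, Modify rather than Full Control for editors), scripted in PowerShell as an added example that is not code from the thread. It assumes the share lives under D:\Shares, the groups go into an OU named FileServerACLs, the NetBIOS domain is EXAMPLE, and the ActiveDirectory module (RSAT) is installed on the machine running it as an administrator.

```powershell
# Added example (not from the thread): provision per-folder AD groups and NTFS ACLs.
# Assumes the ActiveDirectory module (RSAT) is present and the script runs as an admin.
Import-Module ActiveDirectory

$ShareRoot = 'D:\Shares'                           # assumed share location
$GroupOU   = 'OU=FileServerACLs,DC=example,DC=com' # assumed OU holding the ACL groups
$Domain    = 'EXAMPLE'                             # assumed NetBIOS domain name

# One entry per folder that needs its own permission set (subfolders use backslashes)
$Folders = @('Accounting', 'Sales', 'Sales\Contracts', 'Reception')

foreach ($Folder in $Folders) {
    $Path = Join-Path $ShareRoot $Folder
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # Group names follow the ACL_<Folder>_<Right> convention from the answer above;
    # editors get Modify (not FullControl) so they cannot change permissions themselves
    $Tag    = $Folder -replace '\\', '_'
    $Groups = @{ "ACL_${Tag}_Modify" = 'Modify'; "ACL_${Tag}_Read" = 'ReadAndExecute' }
    foreach ($Name in $Groups.Keys) {
        if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
            New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $GroupOU
        }
    }

    $Acl = Get-Acl -Path $Path
    # Clear "Include inheritable permissions from this object's parent" and discard the
    # inherited ACEs, so only the entries added below apply to this subtree
    $Acl.SetAccessRuleProtection($true, $false)

    # Keep SYSTEM and the local Administrators group with Full Control for management
    $Grants = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' }
    foreach ($Name in $Groups.Keys) { $Grants["$Domain\$Name"] = $Groups[$Name] }

    foreach ($Principal in $Grants.Keys) {
        # A group created seconds ago may not resolve to a SID yet; re-run if this fails
        $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Principal, $Grants[$Principal], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $Acl.AddAccessRule($Rule)
    }
    Set-Acl -Path $Path -AclObject $Acl
}
```

Membership is then managed purely through the ACL_* groups; the folder ACLs never need to be touched again when people change roles.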


qurdeep1302 commented:

I think it would be better to create OUs first and then some groups for which you wish to set the Allow and Deny permissions. Further, you may apply GPOs to the OUs with Allow and Deny permissions. Using GPOs will be a good option.

Hope this helps!!!

cybergenie (Author) commented:
hmm qurdeep1302, your post confuses me - just to clarify:

When I mentioned OUs, it was only for organizing, not to use with Group Policy. (We have other OUs for that.)
I would of course make the NTFS permissions on each folder.

That is, I would actually also like to make a group for each root folder on the shared drive.
This could be useful for when users fall out of the category 'Accounting/Sales/Reception/etc'.

cybergenie (Author) commented:
Another problem that comes to mind.

If users move folders that have other NTFS permissions to these folders, then the folders original NTFS permissions will follow.

This could become a problem - are there any best practices for this?
cybergenie (Author) commented:
Just checked, and it seems that if the checkbox for "Include inheritable permissions from this object's parent" is cleared, then it is not a problem for this folder and all subfolders...

qurdeep1302 commented:
Hi Cybergenie.

I understand the issue now, sorry for the confusion.
Yes, the possible solution is to disable "Include inheritable permissions from this object's parent"; it should work. Good luck!!

If users drag files/folders from one folder to another, the original permissions are retained. There is no great solution for this. Setting or clearing the NTFS inheritance doesn't make a difference. The most reliable option that I know is to keep the different folders on different volumes. When a file is moved from volume to volume, it is actually copied and gets new NTFS security based upon the new parent folder. Moving on the same volume just retains the NTFS permissions. My user directories are on a different volume from my departmental/shared directories, and that seems to do the trick in my environment, because I haven't had to manually fix files in years. I guess they don't move files among departments. I tie all shares together with a DFS namespace, which I recommend that you do anyway.

Other options might include Sharepoint or a non-Windows based NAS filer.
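An added audit script (not code from the thread) for the in-volume move problem described above: it lists files and folders under the share that carry explicit, non-inherited ACEs, which is what a moved item looks like, and with -Fix re-enables inheritance on them so they take their permissions from the current parent. It assumes the share is at D:\Shares and that only the top-level folders were deliberately given their own ACLs; add any intentionally protected subfolders to $Expected.

```powershell
# Added example (not from the thread): find items under the share whose ACL was carried
# along by an in-volume move, i.e. files/folders with explicit (non-inherited) ACEs.
param(
    [string]$ShareRoot = 'D:\Shares',   # assumed share location
    [switch]$Fix                        # when set, restore inheritance on the items found
)

# The top-level folders are the ones deliberately set up with their own ACLs;
# everything beneath them is expected to inherit only. Extend this list with any
# subfolders (e.g. Sales\Contracts) that were intentionally protected.
$Expected = Get-ChildItem -Path $ShareRoot |
    Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName }

$Items = Get-ChildItem -Path $ShareRoot -Recurse -Force |
    Where-Object { $Expected -notcontains $_.FullName }

foreach ($Item in $Items) {
    $Acl      = Get-Acl -Path $Item.FullName
    $Explicit = @($Acl.Access | Where-Object { -not $_.IsInherited })
    if ($Explicit.Count -eq 0) { continue }

    # Report the deviation so it can be reviewed before anything is changed
    New-Object PSObject -Property @{
        Path        = $Item.FullName
        Protected   = $Acl.AreAccessRulesProtected
        ExplicitACE = ($Explicit | ForEach-Object {
                          "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
    }

    if ($Fix) {
        # Turn inheritance back on and drop the carried-over explicit entries; on
        # Set-Acl the item takes its permissions from its current parent again
        $Acl.SetAccessRuleProtection($false, $false)
        foreach ($Ace in $Explicit) { $Acl.RemoveAccessRule($Ace) | Out-Null }
        Set-Acl -Path $Item.FullName -AclObject $Acl
    }
}
```

Run it without -Fix first (for example on a schedule, exporting the output) to see how often moves actually break the model before deciding whether a separate volume or DFS layout is worth it.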