Windows Shares - Share Level versus Security Level Permissions

I currently have a server that I manage - Windows Server 2008 R2 Standard. It was set up by a former administrator. There are top-level shares with sub-folders, and this is a quick example of what we have:

Share:
COMPANY - Everyone has full rights

Folders:
COMPANY\Accounting - Accounting Users and Accounting Managers have full access
COMPANY\Maintenance - Maintenance Users and Maintenance Managers have full access

Sub-Folders:
COMPANY\Accounting\Managers - Accounting Users are NOT ALLOWED any access, Accounting Managers are allowed FULL access
COMPANY\Maintenance\Managers - Maintenance Users are NOT ALLOWED any access, Accounting Managers are allowed FULL access

This is the way the system has been configured. It uses the user groups to manage access to folders and sub-folders. I have run into some issues when a folder gets moved or changed and then I need to reconfigure the permissions on all the folders and sub-folders. I also need to remove the inherited permissions to make sure things work as they are configured. This appears to be a very tedious way of doing things and not very efficient with time.

I wanted to get some ideas of a better way to manage a situation like this.  The managers love to have their folder inside of the departments main folder and only the manager gets access.  

Are there maybe some software packages that will help you manage folders and permissions in a better fashion? Is there another method of configuring things to make this micro-management of the sub-folders on a server a less tedious process? It doesn't need to be changed often, but when it does, it takes a while to find out exactly what needs to be changed to get folders to show up and not show up for the appropriate people.

Thanks in advance for any advice on this situation.  I am building up a new server and they want it structured this way but I want to find a more efficient way of doing so.
alatham23 Asked:

Mike Roe Commented:
You could use Robocopy from Microsoft and be able to move permissions with the folders.

Here is a great read about setting up groups a specific way
http://technet.microsoft.com/en-us/library/bb742592.aspx
alatham23 (Author) Commented:
Actually, I was confusing at the end, I guess - sorry about that. I am building up a new server in a different environment and they are wanting the same type of configuration. That is the crossroads I am at. I need to get this set up and don't know if there is a better direction or if I need to go the same pathway.

Do I spend all this time to configure all the folders, sub-folders and all the permissions for each one and address issues as they come along?

Is there a better way to build a better security protocol into place at the start so I don't have to micro-manage the files and permissions as much?
Lee W, MVP (Technology and Business Process Advisor) Commented:
Best practice in my opinion is to avoid altering permissions on sub folders.

What I would do in your position is:

X:\Shared Folders\Accounting [share: Accounting] Accounting Users and Accounting Managers have full access
X:\Shared Folders\Maintenance [share: Maintenance] Maintenance Users and Maintenance Managers have full access

X:\Shared Folders\Management\Accounting [share: AcctMgmt] Accounting Users are NOT ALLOWED any access, Accounting Managers are allowed FULL access
X:\Shared Folders\Management\Maintenance [share: MaintMgmt] Maintenance Users are NOT ALLOWED any access, Accounting Managers are allowed FULL access

When permissions need to be adjusted, they don't have to be processed by potentially all folders.  

And strictly speaking, folder access should ALWAYS be controlled by groups.  Either create a new shared folder or a new shared group if a different subset of users needs access.
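The flat layout from the answer above, scripted as an added example (this is not code from the answer or from the original poster). It assumes placeholders: drive X:, a root of X:\Shares (no spaces, so no quoting games with net.exe), the NetBIOS domain CONTOSO, and pre-existing domain groups AcctUsers, AcctMgrs, MaintUsers and MaintMgrs. The table is the whole design: each row is one folder, one share and the groups allowed in, and nothing below a share root is ever re-ACLed, which is what makes a later change a one-row edit rather than a tree walk.

```powershell
# Added example, not from the thread. One folder = one share = one or two groups;
# inheritance is cut exactly once, at each share root.
# Placeholders: X:\Shares, domain CONTOSO, groups AcctUsers/AcctMgrs/MaintUsers/MaintMgrs.
# Run elevated on the file server.
$Domain = 'CONTOSO'
$Root   = 'X:\Shares'

# One row per share. The listed groups are the only non-admin principals that get in.
$Shares = @(
    @{ Name = 'Accounting';  Path = "$Root\Accounting";             Groups = @('AcctUsers', 'AcctMgrs') },
    @{ Name = 'Maintenance'; Path = "$Root\Maintenance";            Groups = @('MaintUsers', 'MaintMgrs') },
    @{ Name = 'AcctMgmt';    Path = "$Root\Management\Accounting";  Groups = @('AcctMgrs') },
    @{ Name = 'MaintMgmt';   Path = "$Root\Management\Maintenance"; Groups = @('MaintMgrs') }
)

foreach ($s in $Shares) {
    # -Force also creates the intermediate Management folder when needed.
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null

    # NTFS: drop every inherited ACE at the share root, then grant explicitly.
    # (OI)(CI) makes each grant flow to child files and folders.
    # Users get Modify (M), not Full (F), so they cannot rewrite the ACL themselves.
    icacls $s.Path /inheritance:r
    icacls $s.Path /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F'
    foreach ($g in $s.Groups) {
        icacls $s.Path /grant "${Domain}\${g}:(OI)(CI)M"
    }

    # Share level: the same groups get CHANGE. Effective access is the stricter of the
    # share and NTFS permissions, so NTFS stays the single place the rules live.
    $grants = $s.Groups | ForEach-Object { "/GRANT:${Domain}\${_},CHANGE" }
    net share "$($s.Name)=$($s.Path)" @grants
}

# Review: print the resulting ACLs; no entry below a share root should show "(I)" from
# anywhere other than that share root.
foreach ($s in $Shares) { icacls $s.Path }
```

Because the managers' material lives under its own share rather than inside the department tree, the "managers see both the department folder and their own" requirement in the follow-up is met by mapping two drives (or two shortcuts) for managers, not by overriding permissions part-way down a tree.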

alatham23 (Author) Commented:
I am trying to fully understand your scheme.  

If I were to use this as my options:

X:\Shared Folders\Accounting [share: Accounting] Accounting Users and Accounting Managers have full access
X:\Shared Folders\Maintenance [share: Maintenance] Maintenance Users and Maintenance Managers have full access

X:\Shared Folders\Management\Accounting [share: AcctMgmt] Accounting Users are NOT ALLOWED any access, Accounting Managers are allowed FULL access
X:\Shared Folders\Management\Maintenance [share: MaintMgmt] Maintenance Users are NOT ALLOWED any access, Accounting Managers are allowed FULL access

I could theoretically use the same drive letter X for them all, but that would not allow the Managers of either to see the group's information.

The managers need to be able to see both the generic view of their department folder and the managers version of their folder also.  This is the problem that I would like to find a simpler solution around but there may not be any other options.  I just wanted to find a simpler way to be able to manage this without micro-managing permissions per folder but there may not be a simpler solution.

Thanks for the insights though.
alatham23 (Author) Commented:
I found a way to simplify this a bit.  I have created two groups - Accounting and Accounting-Managers.  The users are split up between the two groups with Accounting-Managers being a member of Accounting.

I first have to remove all of the "Include inheritable permissions from this object's parent" on all the top level folders.  I did an Add and just fixed it to what I wanted for permissions which is SYSTEM, Administrators, Accounting.  Then I did "Replace all child object permissions with inheritable permissions from this object" to fix all the security permissions on the sub-folders.  

Then I need to turn off the "Include inheritable permissions from this object's parent" on the child manager's folder that will be restricted.  Then on this folder, I can add in the permissions I wanted which are SYSTEM, Administrators, Accounting-Managers.  Then I did "Replace all child object permissions with inheritable permissions from this object" to fix all the security permissions on the sub-folders of the managers folder.

Then I logged off the users, and had them login to their system again.  After this, the Accounting users were able to see the top-level directories and were denied access to the manager-level folder.  The managers were able to see the top-level folder and all folders underneath including the manager-level folder.

Then the user could see it but got an error when attempting to view it. Then I went to "Share and Storage Management (Local)" and updated the Share properties. I noticed that "Access-based enumeration" was disabled, so I clicked "Advanced" at the bottom and put a check-mark in for "Enable access-based enumeration", and this fixed the viewing of a folder that a user does not have permissions to. Now, when I log in as the user, I cannot even see the manager's folder because I do not have access to it.

This has been the best way I have found to get around this problem so far.
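The four manual steps in the post above, scripted with icacls as an added example (not the poster's own commands). Assumed placeholders: drive X:, a share named COMPANY rooted at X:\COMPANY with the subfolder Accounting already present, the NetBIOS domain CONTOSO, and the two groups the post describes, CONTOSO\Accounting and CONTOSO\Accounting-Managers, with the latter nested in the former. The script also adds the check a practitioner wants after clicking through the dialogs: that both folders really report a protected DACL. Two caveats the post only implies: nested group membership only appears in a user's token at the next logon, which is why the poster had everyone log off; and the access-based enumeration switch is per share, not per folder.

```powershell
# Added example (not from the thread): the poster's inheritance-break procedure for one department.
# Placeholders: X:\COMPANY (share COMPANY), domain CONTOSO, groups CONTOSO\Accounting and
# CONTOSO\Accounting-Managers (nested in Accounting). Run elevated on the file server.
$Domain   = 'CONTOSO'
$DeptRoot = 'X:\COMPANY\Accounting'
$MgrRoot  = Join-Path $DeptRoot 'Managers'
$DeptGrp  = "$Domain\Accounting"
$MgrGrp   = "$Domain\Accounting-Managers"

New-Item -ItemType Directory -Path $MgrRoot -Force | Out-Null

# Step 1: clear "Include inheritable permissions from this object's parent" on the
# department folder. /inheritance:r removes every inherited ACE and keeps explicit ones
# (a fresh folder has none), so the grant below becomes the complete ACL.
# (OI)(CI) = the entry flows to child files and folders; M = Modify, enough for users
# and it stops them from editing the ACL themselves.
icacls $DeptRoot /inheritance:r
icacls $DeptRoot /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${DeptGrp}:(OI)(CI)M"

# Step 2: "Replace all child object permissions with inheritable permissions from this
# object" = reset everything below the folder. The \* keeps the folder's own ACL intact;
# /T recurses, /C carries on past files that error.
icacls "$DeptRoot\*" /reset /T /C

# Step 3: the managers' subfolder. Break inheritance again so the Accounting ACE from
# step 1 does not reach it, and grant only the managers' group. Managers still open
# the parent folder through their nested membership in Accounting.
icacls $MgrRoot /inheritance:r
icacls $MgrRoot /grant 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${MgrGrp}:(OI)(CI)M"
icacls "$MgrRoot\*" /reset /T /C

# Check: both folders must report a protected DACL, i.e. the inheritance box is cleared.
function Test-InheritanceBlocked {
    param([string]$Path)
    (Get-Acl -Path $Path).AreAccessRulesProtected
}
foreach ($p in $DeptRoot, $MgrRoot) {
    "{0}: inheritance blocked = {1}" -f $p, (Test-InheritanceBlocked $p)
}

# Step 4: access-based enumeration on the share, so users who cannot open Managers do not
# see it listed at all. On Server 2008 R2 this is the Share and Storage Management
# checkbox from the post; Server 2012 and later expose it through the SmbShare module.
if (Get-Command Set-SmbShare -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name 'COMPANY' -FolderEnumerationMode AccessBased -Force
}
```

Order matters: step 2 must run before step 3, because the recursive reset would otherwise wipe the explicit ACL just placed on the Managers folder. That ordering dependency is exactly the fragility the earlier answer warns about, and it is the reason to keep the number of inheritance breaks per tree to one.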
alatham23 (Author) Commented:
There is no right solution as I had to create my own remedy for these questions.