Solved

Windows Server Permissions - Group vs. Individual

Posted on 2014-01-29
268 Views
Last Modified: 2014-10-14
I am having a real problem with going to a totally group based permission structure. All folder permissions had been assigned to individuals only. I started replacing them by putting the relevant users into groups - but I am finding that I am going to have more groups than users in order to give everyone the permissions they need.

We only have 35 users, but it seems that I will end up with 70 groups. It almost seems it is going to be much harder to assign group permissions than just adding the individuals, where I can instantly see their permissions, than having to remember everyone in each group. But I see and have benefited from the group structure by just adding a person to a group and they then have permissions to multiple folders instantly. But then again I am constantly getting hit where someone needs permission to a folder, but they don't need to belong to the assigned group, so I sometimes have to make a new group up for a single individual or maybe just two users.

I have it set where the domain\administrator is the owner of all folders and no one gets full control, but we have so many subfolders that it is hard to have one set of top folder level groups/permissions that carry through to all subfolders.

Is there any documentation on how to effectively restructure a sprawling file system structure?

Another problem I have is with assigning Read and Write access but not Modify, in that the newly created folders can't be renamed. You can create a folder, but not change its name from New Folder. And if you add a file to an existing folder, it creates 2 tmp txt files for every 1 file saved. Do I have to do special permissions through the advanced section in all of these non-Modify situations? I don't understand the Write function since it seems so limited.
0
Comment
Question by:grgar
9 Comments
 
LVL 7

Assisted Solution

by:Ned Ramsay
Ned Ramsay earned 250 total points
You don't have to use groups if you are uncomfortable with it.
It makes administering a larger domain more cumbersome, but it is ultimately the same if you manage the security side properly.

I always start with one shared folder, then subfolders with ever more restricting permissions. If you are using Server 2008 you can actually hide files and folders people don't have access to, so they don't see all the multitude of shares.

So within the Shared folder an IT person may see everything but an HR person will only see the HR folder. Within these folders you can create private folders for individuals if you like or folders that span HR and IT.

But with 35 users, and no sudden need for growth it is not necessary, but good practice.
0
 

Author Comment

by:grgar
Actually, I am comfortable with the groups and I really like them, especially when removing one person when they leave: they are instantly removed from all the folders of their group and no S-1-x-x-x's are left behind. And, again, the benefit of adding one to a group and having them gain permissions to many folders. I guess I really need to create the extra groups and just keep a file listing all the different combinations of users per group as a reference.

We really only have 4 groups: Research, Rate Setting, Audit and Compliance, and Legal. The HR is pretty easy to control, but there is so much cross referencing of the other four, and there are hundreds of different top level folders and thousands of sub folders.

Any ideas on why Write access is so limited? Is that where I will have to do Special Permissions and grant Create folder, but not Delete, etc.?
0
 
LVL 7

Expert Comment

by:Ned Ramsay
Those file permissions seem strange, especially the creating of temp files. Typically when you open a Word document it creates those tmp files while it is open, then removes them when it's complete.

I assume SYSTEM has full control over these folders?
0
 

Author Comment

by:grgar
Now this is where I may have made a big mistake. Some of the Shares had everyone and everything listed with permissions in the ACL, and I removed all of them except the domain\administrator account, which is the only owner and has full control of all folders. I also kept Domain Admins with full control. I then added the entire staff as a single group, at the top level, with "Read, Read and Execute, List Folder Contents, and added Write" to the Security permissions. The Share permissions are Read and Change. And that is where the Write will allow a New Folder to be created, but not named. And those tmp .txt files do not disappear unless I go and delete them while logged in as Administrator.

In another Users Share, I only gave the Staff "List Folder Contents" in order to be able to navigate down and access their particular folder, without being able to read anyone else's. And here and in the above mentioned Share, Read Only works fine; it is just that I can't assign proper Write permissions and therefore have to grant "Modify" in order for them to be able to create a folder or even just save a file to another folder. It seems I need to go back to the beginning and start all over with my Sharing and Security Permissions knowledge.
0

Author Comment

by:grgar
I found an article with other links for Permissions Best Practices.

I see I messed up removing the System permissions. Can I just add it back okay? I don't understand the Local Administrators group while we only use domain accounts, and that damn Everyone group always confused and scared me. I have more reading to do, and if anyone has any other good links like this one, please share.
0
 
LVL 7

Assisted Solution

by:Ned Ramsay
Ned Ramsay earned 250 total points
It's a tough learning curve buddy, don't worry!

Everyone should be used on the Shares, e.g. share with EVERYONE full control, then use the Security (NTFS) permissions to filter down from there.

SYSTEM allows the server and Windows domain components to run and manipulate those folders.
Typical permissions for my shares are:
SYSTEM - Full Control
Local-Admin - Full Control
Domain Admin (or admins) - Full Control
Security Group (HR/IT etc) - Read/Write/List (you said you didn't want them to have Modify).

Make sure to propagate those permissions down to the folders below them if you need to.

The Everyone group shouldn't be used in NTFS permissions, only in the sharing tab; the sharing tab should be Everyone - Full Control.
0
 
LVL 35

Expert Comment

by:Mahesh
If you want to rename / delete folders, you must provide Modify NTFS permissions; otherwise you cannot rename / move files or folders.

Mahesh
0
 

Author Comment

by:grgar
Nedramsay, thanks for the info, and I meant to thank you sooner for the hiding of folders in 2008. We are upgrading to that soon, thus my reason for trying to clean up our permission structure. I added System back with Full Control and didn't have any snafus in between. I am still working out a few more issues and will report back here and give you the credit necessary; I just want to leave this open a little longer while I work through that.

Mahesh, thanks, too. Yes, I have seen that and will just have to work out my group structure better to have separate Read and Modify groups.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 250 total points
The normal best practices for shared folder permissions:

1. First of all, check ownership of the root folder and subfolders, and if administrators do not have ownership from top to bottom in the hierarchy, just take ownership of the root folder and all sub folders and files from the advanced permissions tab of the root folder with "replace owner on sub folders" selected.
2. On the Sharing tab, remove the Everyone group.
3. On the Sharing tab, give Authenticated Users Change permissions and Administrators Full Control permissions.
4. On the Security tab, remove Everyone and the Creator Owner group, and also remove Full Control permissions from all other groups except Administrators and the SYSTEM account.
5. Also provide List Folder Contents permissions to Authenticated Users.
6. You may need to disable permission inheritance on the root folder.

If you have multiple sub folders with specific users / groups having access permissions to specific folders, then from the advanced properties of the root folder, ensure that the Authenticated Users permission scope is limited to "This folder only", and then give individual groups / specific groups Modify permissions on the respective sub folders, so that they can access only those folders and files for which they have Modify access.
This will prevent changing of file and folder ownership and access issues. The whole structure's ownership remains with the Administrators group only.

Mahesh
0
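The following script is an added example, not code posted by Mahesh, Ned or the asker. It applies the share and NTFS layout Mahesh's accepted solution describes (Administrators own everything, no Everyone or CREATOR OWNER entries, Authenticated Users with Change on the share and "list folder contents, this folder only" on NTFS, department groups on their own subfolders), and beside the Modify grant it shows the Read/Write/List grant Ned lists, so the rename problem from the question can be seen in the rights themselves. The root path D:\Shares\Data, the share name Data, the domain CONTOSO and the groups CONTOSO\Research and CONTOSO\Legal are placeholders; the SmbShare cmdlets assume Server 2012 or later (on 2008 the share step is done with net share or the GUI instead).

```powershell
# Added example (not from the thread). Assumed placeholders: root folder, share name,
# domain and group names below. Run in an elevated PowerShell session on the file server.
$Root      = 'D:\Shares\Data'
$ShareName = 'Data'
$Admins    = 'BUILTIN\Administrators'
$System    = 'NT AUTHORITY\SYSTEM'
$AuthUsers = 'NT AUTHORITY\Authenticated Users'

# Subfolder -> (group, rights). Research gets Modify as Mahesh suggests; Legal gets Ned's
# Read/Write/List, which lacks Delete, so those users can create files and folders but
# cannot rename or delete them (a rename needs the Delete right on the object).
$Departments = @(
    @{ Path = "$Root\Research"; Group = 'CONTOSO\Research'; Rights = 'Modify' },
    @{ Path = "$Root\Legal";    Group = 'CONTOSO\Legal';    Rights = 'ReadAndExecute, Write' }
)

function New-AccessRule {
    # Builds an Allow ACE. -ThisFolderOnly is the GUI's "This folder only" scope (no inheritance flags).
    param([string]$Identity, [string]$Rights, [switch]$ThisFolderOnly)
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, [System.Security.AccessControl.FileSystemRights]$Rights, $inherit, 'None', 'Allow')
}

# 1. Ownership: Administrators own the root and every subfolder and file
#    (/T = replace owner on subcontainers and objects, /C = continue on errors).
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$Departments | ForEach-Object { New-Item -ItemType Directory -Path $_.Path -Force | Out-Null }
icacls $Root /setowner $Admins /T /C | Out-Null

# 2. Share permissions: no Everyone; Authenticated Users = Change, Administrators = Full Control.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}
New-SmbShare -Name $ShareName -Path $Root -ChangeAccess $AuthUsers -FullAccess $Admins | Out-Null

# 3. NTFS on the root: break inheritance, drop every explicit ACE (Everyone, CREATOR OWNER,
#    leftover per-user entries), then add back only SYSTEM, Administrators and the
#    this-folder-only list entry for Authenticated Users.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # $false = do not copy the inherited ACEs
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { $null = $acl.RemoveAccessRule($_) }
$acl.AddAccessRule((New-AccessRule $System    'FullControl'))
$acl.AddAccessRule((New-AccessRule $Admins    'FullControl'))
$acl.AddAccessRule((New-AccessRule $AuthUsers 'ReadAndExecute' -ThisFolderOnly))
Set-Acl -Path $Root -AclObject $acl

# 4. Department subfolders inherit SYSTEM and Administrators from the root; the Authenticated
#    Users entry does not reach them, so only the named group (and admins) can open them.
foreach ($d in $Departments) {
    $sub = Get-Acl -Path $d.Path
    $sub.AddAccessRule((New-AccessRule $d.Group $d.Rights))
    Set-Acl -Path $d.Path -AclObject $sub
}

# 5. Why Read/Write/List cannot rename: Modify is exactly ReadAndExecute + Write + Delete.
function Get-RightMissingFromReadWrite {
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $readWrite = $fsr::ReadAndExecute -bor $fsr::Write
    [System.Security.AccessControl.FileSystemRights]($fsr::Modify -bxor $readWrite)
}
Get-RightMissingFromReadWrite   # Delete
```

Step 5 is the answer to the question's Write puzzle: "Write" in the GUI is only the create/append rights, and Mahesh's point that rename needs Modify holds because the one bit Modify adds over Read and Write is Delete. If a department should be able to create and rename its own files but not delete other people's, that is done with advanced entries (for example Delete scoped to "Files only" on a per-folder basis) rather than by granting Modify to everything below the root.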
