Windows Server Permissions - Group vs. Individual

I am having a real problem with going to a totally group based permission structure. All folder permissions had been assigned to individuals only. I started replacing them by putting the relevant users into groups - but I am finding that I am going to have more groups than users in order to give everyone the permissions they need.

We only have 35 users, but it seems that I will end up with 70 groups. It almost seems it is going to be much harder to assign group permissions than just adding the individuals where I can instantly see their permissions than having to remember everyone in each group. But, i see and have benefited with the group structure by just adding a person to a group and they then have permissions to multiple folders instantly. But, then again I am constantly getting hit where someone needs permission to a folder, but they don't need to belong to the assigned group, so I sometimes have to make a new group up for a single individual or maybe just two users.

I have it set where the domain\administrator is the owner of all folders and no one gets full control, but we have so many subfolders that it is hard to have one set of top folder level groups/permissions that carry through to all subfolders.

Is there any documentation on how to effectively restructure a sprawling file system structure?

Another problem I have is with assigning Read and Write access, but not modify in that the newly created folders can't be renamed. You can create a folder, but not change its name from New Folder. And, if you add a file to an existing folder, it creates 2 tmp txt files for every 1 file saved. Do I have to do special permissions through the advanced section in all of these Non-modify situations. I don't understand the Write function since it seems so limited.
Mahesh, Architect, commented:
The normal best practices for shared folder permissions:

First of all, check ownership of the root folder and subfolders, and if Administrators do not have ownership from top to bottom in the hierarchy, just take ownership of the root folder and all subfolders and files from the advanced permissions tab of the root folder, with "replace owner on subcontainers and objects" selected.
On the Share tab, remove the Everyone group.
On the Share tab, give Authenticated Users Change permissions and Administrators Full Control permissions.
On the Security tab, remove Everyone and the CREATOR OWNER group, and also remove Full Control permissions from all other groups except Administrators and the SYSTEM account.
Also provide List Folder Contents permissions to Authenticated Users.
You may need to disable permissions inheritance on the root folder.

If you have multiple subfolders with specific users \ groups having access permissions to specific folders, then from the advanced properties of the root folder, ensure that the Authenticated Users permissions scope is limited to "This folder only", and then provide individual groups \ specific groups Modify permissions on the respective subfolders so that they can access only those folders and files for which they have got Modify access.
This will prevent changing file and folder ownership and access issues. The whole structure's ownership remains with the Administrators group only.

Ned Ramsay, Network Operations Manager, commented:
You don't have to use groups if you are uncomfortable with it.
It makes administering a larger domain more cumbersome, but it is ultimately the same if you manage the security side properly.

I always start with one shared folder, then subfolders with ever more restrictive permissions. If you are using Server 2008 you can actually hide files and folders people don't have access to, so they don't see all the multitude of shares.

So within the Shared folder an IT person may see everything but an HR person will only see the HR folder. Within these folders you can create private folders for individuals if you like or folders that span HR and IT.

But with 35 users, and no sudden need for growth, it is not necessary, but good practice.

grgar (Author) commented:
Actually, I am comfortable with the groups and I really like them, especially when removing one person when they leave: they are instantly removed from all the folders of their group and no S-1-x-x-x's are left behind. And, again, the benefit of adding one to a group and having them gain permissions to many folders. I guess I really need to create the extra groups and just keep a file listing all the different combinations of users per group as a reference.

We really only have 4 groups: Research, Rate Setting, Audit and Compliance, and Legal. HR is pretty easy to control, but there is so much cross-referencing of the other four, and there are hundreds of different top-level folders and thousands of subfolders.

Any ideas on why Write access is so limited? Is that where I will have to do Special Permissions and grant Create folder, but not Delete, etc.?

Ned Ramsay, Network Operations Manager, commented:
Those file permissions seem strange, especially the creating of temp files. Typically when you open a Word document it creates those tmp files while it is open, then removes them when it's complete.

I assume SYSTEM has full control over these folders?
grgar (Author) commented:
Now this is where I may have made a big mistake. Some of the shares had everyone and everything listed with permissions in the ACL, and I removed all of them except the domain\administrator account, which is the only owner and has Full Control of all folders. I also kept Domain Admins with Full Control. I then added the entire staff as a single group, at the top level, with "Read, Read and Execute, List Folder Contents, and added Write" to the Security permissions. The Share permissions are Read and Change. And that is where the Write will allow a New Folder to be created, but not named. And those tmp .txt files do not disappear unless I go and delete them while logged in as Administrator.

In another users' share, I only gave the Staff "List Folder Contents" in order to be able to navigate down and access their particular folder, without being able to read anyone else's. And here, and in the above-mentioned share, Read Only works fine; it is just that I can't assign proper Write permissions and therefore have to grant "Modify" in order for them to be able to create a folder or even just save a file to another folder. It seems I need to go back to the beginning and start all over with my sharing and security permissions knowledge.
grgar (Author) commented:
I found an article with other links for Permissions Best Practices

I see I messed up removing the SYSTEM permissions. Can I just add it back okay? I don't understand the local Administrators group while we only use domain accounts, and that damn Everyone group always confused and scared me. I have more reading to do, and if anyone has any other good links like this one, please share.
Ned Ramsay, Network Operations Manager, commented:
It's a tough learning curve, buddy, don't worry!

Everyone should be used on the shares, e.g. share with EVERYONE Full Control, then use the Security (NTFS) permissions to filter down from there.

SYSTEM allows the server and Windows domain components to run and manipulate those folders.
Typical permissions for my shares are:
SYSTEM - Full Control
Local Admin - Full Control
Domain Admin (or Admins) - Full Control
Security Group (HR/IT etc.) - Read/Write/List (you said you didn't want them to have Modify).

Make sure to propagate those permissions down to the folders below them if you need to.

The Everyone group shouldn't be used in NTFS permissions, only in the Sharing tab; the Sharing tab should be Everyone - Full Control.
If you want to rename \ delete folders, you must provide Modify NTFS permissions, otherwise you cannot rename \ move files or folders.
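As an added example (not code from any of the posters), the following PowerShell script builds the share and NTFS layout that Mahesh's and Ned's answers describe on a constructed root, and shows why plain Write is not enough for renaming. The paths, share name, the CONTOSO domain and the group names are assumptions; it is meant to be run elevated on the file server.

```powershell
# Added example, not from any poster above. Paths, share name, CONTOSO and group names are assumptions.
$Root      = 'D:\Shares\Dept'
$ShareName = 'Dept'
$SubFolder = Join-Path $Root 'Research'
$DeptGroup = 'CONTOSO\Research'      # assumed department security group

New-Item -ItemType Directory -Path $SubFolder -Force | Out-Null

# Share tab (Mahesh's variant): no Everyone; Authenticated Users = Change, Administrators = Full.
# Ned's variant (Everyone = Full Control on the share) also works, because effective
# access is the more restrictive of the share and NTFS permissions.
New-SmbShare -Name $ShareName -Path $Root `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' -FullAccess 'BUILTIN\Administrators' | Out-Null

function New-Ace {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit,ObjectInherit')
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, 'None', 'Allow')
}

# Security tab on the root: inheritance off, owner = Administrators, no Everyone or CREATOR OWNER,
# Full Control only for SYSTEM and the admin groups.
$rootAcl = New-Object System.Security.AccessControl.DirectorySecurity
$rootAcl.SetAccessRuleProtection($true, $false)      # stop inheriting from D:\Shares
$rootAcl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
$rootAcl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$rootAcl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$rootAcl.AddAccessRule((New-Ace 'CONTOSO\Domain Admins'  'FullControl'))
# Authenticated Users may only list the root ("This folder only"), so they can browse
# to their own subfolder without reading anyone else's.
$rootAcl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $rootAcl

# Subfolder: the department group gets Modify. Modify = ReadAndExecute + Write + Delete.
# Plain Write carries no Delete right, which is why a Read+Write user can create
# "New Folder" but not rename it (rename needs Delete on the item) and why Office's
# temporary files are left behind: the application cannot delete them when it closes.
$subAcl = Get-Acl -Path $SubFolder                   # inherits the root ACEs above
$subAcl.AddAccessRule((New-Ace $DeptGroup 'Modify'))
Set-Acl -Path $SubFolder -AclObject $subAcl

# Check the result the way you would on the Advanced tab.
Get-Acl -Path $SubFolder | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize
```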

grgar (Author) commented:
Ned Ramsay, thanks for the info, and I meant to thank you sooner for the hiding of folders in 2008. We are upgrading to that soon, thus my reason for trying to clean up our permission structure. I added SYSTEM back with Full Control and didn't have any snafus in between. I am still working out a few more issues and will report back here and give you the credit necessary; I just want to leave this open a little longer while I work through that.

Mahesh, thanks, too. Yes, I have seen that and will just have to work out my group structure better to have separate Read and Modify groups.