Solved

File server / best practice users permission

Posted on 2014-04-09
Last Modified: 2014-04-13
Hi,

I was just wondering what is the best practice to manage security in a Windows Server environment?

Please find an example below of what I mean:

Directory name: Test
Sub-directory: topics

Assume that test is a top-directory with the following permissions:
Domain admins = Full
Domain users = Change

Until now it's all OK.
Now I want the 'topics' directory to be denied for Domain Users, but accessible for Domain Admins.

The issue is that if a user is part of Domain Users & Domain Admins, access to that directory will be denied.
So...

Is it better to create Groups & manage security from Groups rather than the default Domain users?

Thanks
Question by:defrey
Accepted Solution

by:
Lee W, MVP earned 1000 total points
ID: 39990745
First, you DO NOT want to explicitly DENY anything except in RARE circumstances.  Simply removing Domain Users from the folder has the DENY effect.  When you explicitly deny, you deny EVERYONE in the group.

Best practice is to AVOID creating special folders within folders.  Create a Topics Group and assign permissions to that group - when you need to add or remove someone to access that folder, you simply add or remove them from the group.

Example:
D:\Groups - NOT SHARED
D:\Groups\HumanResources - SHARED - Group "Human Resources" has change access
D:\Groups\Accounting - SHARED - Group "Accounting" has change access
D:\Groups\Billing - SHARED - Group "Billing" Has change access, "Accounting" has Read-Only (maybe Accounting needs to see billing)
etc.
Assisted Solution

by:rfportilla
rfportilla earned 1000 total points
ID: 39990764
NTFS permissions are additive.  Start with a folder with the least permissions (only admins).  Then add access to subfolders where needed.  If you have to take away permissions, you can turn off inheritance, and create a custom permission set for that folder.  However, this is not generally best practice.  

Yes, groups are highly recommended.  Group people based on something like job role or access role.  For instance, the accounting department could go into a group called accounting and that group could have access to folders like AccountsReceivable, AccountsPayable, Billing, etc.  

You'll get the hang of it.
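
The behaviour discussed in this thread, as an added example that is not part of either answer: a simplified Python model of how a folder's access list is evaluated, comparing the explicit deny from the question with the group-based layout the answers recommend. It models explicit entries only (no inheritance); the permission bits and the sample accounts are constructed for illustration.

```python
# Simplified model of NTFS DACL evaluation (added example, explicit ACEs only).
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4       # constructed bit values
CHANGE = READ | WRITE | DELETE            # stands in for "Change"
FULL = CHANGE | 0x8                       # extra bit: change permissions

@dataclass(frozen=True)
class Ace:
    kind: str    # "allow" or "deny"
    group: str
    mask: int

def canonical(dacl):
    """Deny entries are evaluated before allow entries."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")

def access_check(user_groups, dacl, wanted):
    """True if every bit in `wanted` is granted before any of them is denied."""
    remaining = wanted
    for ace in canonical(dacl):
        if ace.group not in user_groups:
            continue                      # entry does not apply to this user
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # a matching deny ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask        # allows accumulate (additive)
        if remaining == 0:
            return True
    return False                          # never granted: implicit deny

# Constructed sample accounts; an admin is also a member of Domain Users.
ACCOUNTS = {"admin": {"Domain Users", "Domain Admins"},
            "staff": {"Domain Users"},
            "topics_member": {"Domain Users", "Topics"}}

# The question's attempt: explicit deny for Domain Users on 'topics'.
topics_with_deny = [Ace("allow", "Domain Admins", FULL),
                    Ace("deny", "Domain Users", FULL)]

# The answers' approach: Domain Users is simply not listed, and a
# dedicated "Topics" group is granted Change.
topics_with_groups = [Ace("allow", "Domain Admins", FULL),
                      Ace("allow", "Topics", CHANGE)]

def report(dacl):
    """Map each sample account to whether it can read the folder."""
    return {name: access_check(groups, dacl, READ)
            for name, groups in ACCOUNTS.items()}

if __name__ == "__main__":
    print("explicit deny:", report(topics_with_deny))
    print("group-based  :", report(topics_with_groups))
```

With the explicit deny, every account is locked out, the admin included; with the group-based list, only the admin and the Topics member get in.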