Solved

File server / best practice users permission

Posted on 2014-04-09
Last Modified: 2014-04-13
Hi,

I was just wondering what is the best practice to manage security in a Windows Server environment?

Please find an example below of what I mean:

Directory name: Test
Sub-directory: topics

Assume that test is a top-directory with the following permissions:
Domain admins = Full
Domain users = Change

Until now it is all OK.
Now I want the 'topics' directory to be denied for Domain Users, but accessible for Domain Admins.

The issue is that if a user is part of Domain Users & Domain Admins, access to that directory will be denied.
So...

Is it better to create Groups & manage security from Groups rather than the default Domain users?

Thanks
Question by:defrey
2 Comments
 
LVL 95

Accepted Solution

by: Lee W, MVP earned 250 total points
ID: 39990745
First, you DO NOT want to explicitly DENY anything except in RARE circumstances.  Simply removing Domain Users from the folder has the DENY effect.  When you explicitly deny, you deny EVERYONE in the group.

Best practice is to AVOID creating special folders within folders.  Create a Topics Group and assign permissions to that group - when you need to add or remove someone to access that folder, you simply add or remove them from the group.

Example:
D:\Groups - NOT SHARED
D:\Groups\HumanResources - SHARED - Group "Human Resources" has change access
D:\Groups\Accounting - SHARED - Group "Accounting" has change access
D:\Groups\Billing - SHARED - Group "Billing" has change access, "Accounting" has Read-Only (maybe Accounting needs to see billing)
etc.
 
LVL 9

Assisted Solution

by: rfportilla, earned 250 total points
ID: 39990764
NTFS permissions are additive.  Start with a folder with the least permissions (only admins).  Then add access to subfolders where needed.  If you have to take away permissions, you can turn off inheritance, and create a custom permission set for that folder.  However, this is not generally best practice.  

Yes, groups are highly recommended.  Group people based on something like job role or access role.  For instance, the accounting department could go into a group called accounting and that group could have access to folders like AccountsReceivable, AccountsPayable, Billing, etc.  

You'll get the hang of it.
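The layout from the accepted answer, built with allow-only NTFS entries and no Deny, as an added example that is not code from either poster. Assumptions: it runs elevated on the file server, `CONTOSO` is a placeholder domain name, the three groups already exist in Active Directory, and "change" is mapped to the NTFS `Modify` right and "Read-Only" to `ReadAndExecute`.

```powershell
# Added example (not from the thread). Placeholder values are marked as such.
$Domain = 'CONTOSO'      # placeholder domain name (assumption)
$Root   = 'D:\Groups'    # top folder from the accepted answer, admins only

# Folder -> (group -> NTFS right). No Deny entries: the absence of an
# allow entry is what keeps everyone else out.
$Layout = [ordered]@{
    'HumanResources' = @{ 'Human Resources' = 'Modify' }
    'Accounting'     = @{ 'Accounting'      = 'Modify' }
    'Billing'        = @{ 'Billing' = 'Modify'; 'Accounting' = 'ReadAndExecute' }
}

function New-AllowRule([string]$Identity, [string]$Rights) {
    # Allow ACE that applies to this folder, its subfolders and its files
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
}

function Set-AllowOnlyAcl([string]$Path, [hashtable]$Grants) {
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Start from an empty ACL so no old explicit entries survive
    $acl = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
    # Block inheritance and do not copy inherited entries (least privilege start)
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-AllowRule "$Domain\Domain Admins" 'FullControl'))
    foreach ($group in $Grants.Keys) {
        $acl.AddAccessRule((New-AllowRule "$Domain\$group" $Grants[$group]))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Root: administrators only. Subfolders: administrators plus their groups.
Set-AllowOnlyAcl -Path $Root -Grants @{}
foreach ($folder in $Layout.Keys) {
    Set-AllowOnlyAcl -Path (Join-Path $Root $folder) -Grants $Layout[$folder]
}

# Audit: report any explicit Deny entry left under the root (should be none),
# and any entry for Domain Users, which would re-open a folder to everyone.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $p = $_.FullName
    (Get-Acl -Path $p).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -or
                       $_.IdentityReference -like '*\Domain Users' } |
        Select-Object @{n='Path';e={$p}}, IdentityReference, AccessControlType, FileSystemRights
}
```

Access is then changed by adding or removing a user from the group, never by editing the folder ACL.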
