Solved

File server / best practice users permission

Posted on 2014-04-09
2
401 Views
Last Modified: 2014-04-13
Hi,

I was just wandering what is the best practice to manage security in a windows server environment?

Please find an example below of what I mean:

Directory name: Test
Sub-directory: topics

Assume that test is a top-directory with the following permissions:
Domain admins = Full
Domain users = Change

Until now it all ok.
Now i want the 'topics' directory to be denied for Domain users, but accessible for Domain admins.

Issue is that if a user is part of Domain Users & domain admins, access to that directory will be denied.
so...

Is it better to create Groups & manage security from Groups rather than the default Domain users?

Thanks
0
Comment
Question by:defrey
2 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 250 total points
ID: 39990745
First, you DO NOT want to explicitly DENY anything except in RARE circumstances.  Simply removing Domain Users from the folder have the DENY effect.  When you explicitly deny, you deny EVERYONE in the group.

Best practice is to AVOID creating special folders within folders.  Create a Topics Group and assign permissions to that group - when you need to add or remove someone to access that folder, you simply add or remove them from the group.

Example:
D:\Groups - NOT SHARED
D:\Groups\HumanResources - SHARED - Group "Human Resources" has change access
D:\Groups\Accounting - SHARED - Group "Accounting" has change access
D:\Groups\Billing - SHARED - Group "Billing" Has change access, "Accounting" has Read-Only (maybe Accounting needs to see billing)
etc.
0
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 250 total points
ID: 39990764
NTFS permissions are additive.  Start with a folder with the least permissions (only admins).  Then add access to subfolders where needed.  If you have to take away permissions, you can turn off inheritance, and create a custom permission set for that folder.  However, this is not generally best practice.  

Yes, groups are highly recommended.  Group people based on something like job role or access role.  For instance, the accounting department could go into a group called accounting and that group could have access to folders like AccountsReceivable, AccountsPayable, Billing, etc.  

You'll get the hang of it.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In the event you manage a Small Business Server 2003, and you are audited for PCI compliance, there are several changes you must make in order to pass the audit. I can take no credit for discovering any of these fixes or workarounds, but there is no…
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now