Solved

File server / best practice users permission

Posted on 2014-04-09
Last Modified: 2014-04-13
Hi,

I was just wondering what is the best practice to manage security in a Windows Server environment?

Please find an example below of what I mean:

Directory name: Test
Sub-directory: topics

Assume that test is a top-directory with the following permissions:
Domain admins = Full
Domain users = Change

Until now it's all OK.
Now I want the 'topics' directory to be denied for Domain users, but accessible for Domain admins.

Issue is that if a user is part of Domain Users & domain admins, access to that directory will be denied.
so...

Is it better to create Groups & manage security from Groups rather than the default Domain users?

Thanks
Question by:defrey
2 Comments
 

Accepted Solution

by:
Lee W, MVP earned 250 total points
ID: 39990745
First, you DO NOT want to explicitly DENY anything except in RARE circumstances.  Simply removing Domain Users from the folder has the DENY effect.  When you explicitly deny, you deny EVERYONE in the group.

Best practice is to AVOID creating special folders within folders.  Create a Topics Group and assign permissions to that group - when you need to add or remove someone to access that folder, you simply add or remove them from the group.

Example:
D:\Groups - NOT SHARED
D:\Groups\HumanResources - SHARED - Group "Human Resources" has change access
D:\Groups\Accounting - SHARED - Group "Accounting" has change access
D:\Groups\Billing - SHARED - Group "Billing" Has change access, "Accounting" has Read-Only (maybe Accounting needs to see billing)
etc.

Assisted Solution

by:rfportilla
rfportilla earned 250 total points
ID: 39990764
NTFS permissions are additive.  Start with a folder with the least permissions (only admins).  Then add access to subfolders where needed.  If you have to take away permissions, you can turn off inheritance, and create a custom permission set for that folder.  However, this is not generally best practice.  

Yes, groups are highly recommended.  Group people based on something like job role or access role.  For instance, the accounting department could go into a group called accounting and that group could have access to folders like AccountsReceivable, AccountsPayable, Billing, etc.  

You'll get the hang of it.
0
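
The layout described in the two answers above, as an added PowerShell example (not code from either poster): the unshared root starts with admin-only permissions, and each department folder gets an Allow entry for its own group instead of a Deny entry for Domain Users. The domain name CONTOSO, the D: volume and the pre-existing AD groups are assumptions; New-SmbShare requires Windows Server 2012 or later.

```powershell
# Added example: group-based NTFS and share permissions with no explicit Deny ACEs.
# Assumptions: domain CONTOSO, data volume D:, and the AD groups named below already exist.
$domain = 'CONTOSO'
$root   = 'D:\Groups'

# Folder name -> groups and the NTFS right each one gets (M = Modify, RX = Read & execute)
$layout = [ordered]@{
    HumanResources = @{ 'Human Resources' = 'M' }
    Accounting     = @{ 'Accounting'      = 'M' }
    Billing        = @{ 'Billing'         = 'M'; 'Accounting' = 'RX' }
}

# Root folder: not shared, inheritance removed, only Domain Admins and SYSTEM.
New-Item -ItemType Directory -Path $root -Force | Out-Null
icacls $root /inheritance:r /grant "${domain}\Domain Admins:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' | Out-Null

foreach ($folder in $layout.Keys) {
    $path = Join-Path $root $folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $change = @(); $read = @()
    foreach ($group in $layout[$folder].Keys) {
        $right   = $layout[$folder][$group]
        $account = "${domain}\$group"
        # Additive: Full control for admins is inherited from the root,
        # so each folder only needs one Allow ACE per department group.
        icacls $path /grant "${account}:(OI)(CI)$right" | Out-Null
        if ($right -eq 'M') { $change += $account } else { $read += $account }
    }

    # Share permissions mirror the NTFS grants; the more restrictive of the two applies.
    $share = @{ Name = $folder; Path = $path; FullAccess = "${domain}\Domain Admins" }
    if ($change) { $share.ChangeAccess = $change }
    if ($read)   { $share.ReadAccess   = $read }
    New-SmbShare @share | Out-Null
}

# Review step: warn about any Deny ACE, which would also lock out admins
# who are members of the denied group.
foreach ($dir in Get-ChildItem $root -Directory) {
    (Get-Acl $dir.FullName).Access |
        Where-Object AccessControlType -eq 'Deny' |
        ForEach-Object { Write-Warning "Deny ACE on $($dir.FullName): $($_.IdentityReference)" }
}
```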
