Solved

File server / best practice users permission

Posted on 2014-04-09
Last Modified: 2014-04-13
Hi,

I was just wondering what is the best practice to manage security in a Windows Server environment?

Please find an example below of what I mean:

Directory name: Test
Sub-directory: topics

Assume that Test is a top-level directory with the following permissions:
Domain admins = Full
Domain users = Change

Until now it is all OK.
Now I want the 'topics' directory to be denied for Domain Users, but accessible for Domain Admins.

The issue is that if a user is part of Domain Users & Domain Admins, access to that directory will be denied.
So...

Is it better to create Groups & manage security from Groups rather than the default Domain users?

Thanks
Question by:defrey
2 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 250 total points
ID: 39990745
First, you DO NOT want to explicitly DENY anything except in RARE circumstances. Simply removing Domain Users from the folder has the DENY effect. When you explicitly deny, you deny EVERYONE in the group.

Best practice is to AVOID creating special folders within folders.  Create a Topics Group and assign permissions to that group - when you need to add or remove someone to access that folder, you simply add or remove them from the group.

Example:
D:\Groups - NOT SHARED
D:\Groups\HumanResources - SHARED - Group "Human Resources" has change access
D:\Groups\Accounting - SHARED - Group "Accounting" has change access
D:\Groups\Billing - SHARED - Group "Billing" Has change access, "Accounting" has Read-Only (maybe Accounting needs to see billing)
etc.
0
 
LVL 9

Assisted Solution

by:rfportilla
rfportilla earned 250 total points
ID: 39990764
NTFS permissions are additive.  Start with a folder with the least permissions (only admins).  Then add access to subfolders where needed.  If you have to take away permissions, you can turn off inheritance, and create a custom permission set for that folder.  However, this is not generally best practice.  

Yes, groups are highly recommended.  Group people based on something like job role or access role.  For instance, the accounting department could go into a group called accounting and that group could have access to folders like AccountsReceivable, AccountsPayable, Billing, etc.  

You'll get the hang of it.
0
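
The approach the two answers describe (remove Domain Users from the subfolder instead of denying it, grant a dedicated group, then check the tree for leftover Deny entries), as an added PowerShell example that is not part of the original thread. The `D:\` drive, the `CONTOSO` domain name and an already existing `Topics` group are assumptions; run it from an elevated session.

```powershell
# Added example. Assumed names: D:\Test\topics, domain CONTOSO, existing group "Topics".
$Root      = 'D:\Test'
$Path      = Join-Path $Root 'topics'
$Domain    = 'CONTOSO'
$DomUsers  = [System.Security.Principal.NTAccount]"$Domain\Domain Users"
$TopicsGrp = [System.Security.Principal.NTAccount]"$Domain\Topics"

# 1. Stop inheriting from D:\Test but keep a copy of the inherited ACEs as explicit
#    entries, so Domain Admins = Full survives. Write it back before editing further:
#    the converted entries only become visible after the ACL is saved and re-read.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtected($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl

# 2. Remove every ACE for Domain Users. No Deny entry is added: with no Allow left,
#    plain users are refused, while admins still match their own Allow entry.
$acl = Get-Acl -LiteralPath $Path
$acl.PurgeAccessRules($DomUsers)

# 3. Grant the dedicated group Modify (the NTFS right behind "Change"),
#    applied to this folder, its subfolders and its files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $TopicsGrp, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# 4. Audit: report explicit Deny ACEs and folders with inheritance switched off,
#    the two exceptions the answers say to keep rare.
Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
    $dir = $_.FullName
    $sd  = Get-Acl -LiteralPath $dir
    foreach ($ace in $sd.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and -not $ace.IsInherited) {
            [pscustomobject]@{
                Folder   = $dir
                Finding  = 'Explicit Deny'
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    if ($sd.AreAccessRulesProtected) {
        [pscustomobject]@{
            Folder = $dir; Finding = 'Inheritance disabled'; Identity = $null; Rights = $null
        }
    }
}
```

After the change, the audit step should list `D:\Test\topics` once as "Inheritance disabled" and show no "Explicit Deny" rows.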
