NTFS Permissions - Best Practice when restructuring users/groups

Posted on 2014-09-02
Last Modified: 2014-09-02
I will be in the process of adding/changing rights for a large file share.

A few things I have noticed:
Inheritance blocked on several folders from the root.  (No particular pattern)
Several departments now interact, so more single users from other departments have been applied to folders and not always a group.
Some supervisors will be losing domain admin rights.  (Given very early on.)
Users losing domain admin rights will have entire folder rights (department) in many places except HR and Accounting.
The structure is really showing the signs from when it was a smaller company, and now larger and divided.

I think my main challenges will be:

Who can become part of a group/new group without overreaching?

How can new groups get forced into lower folders without wiping out the current permission?
(Ex: Domain admin now a normal user but needing access to several folders deep.  If I put the group at the top level and then remove blocking below will it still wipe out NTFS ACLs as if forced from above?  I don't want to force a new group to the bottom folder and lose my current groups and users.)

Are there any new best practices or procedures for cleaning up rights?  Management is not interested in purchasing any tools to automate changes.   As of now I will just have the ability to run reports, and talk to supervisors about access for the department and other departments.  I don't want to delegate the power to the supervisors to add users.  I like to stay with groups if possible.  I also try to stay away from using any DENY for users or groups.  (However this might happen on the HR / Accounting folder).

I have Safari library in case there are any good books recommended.
Maybe I need to move away from the trend to name groups similar to departments.  Maybe it should be security levels such as Engineer Level 1 - 5.  (not each Engineering department name).

Thanks in advance
Question by:PostQ

    Expert Comment

    Use groups and group policy to set the rights. It will help you big time, and one person can be a part of multiple groups to perform different tasks in different departments.

    Author Comment

    Seems like a nice way of adding per folder but it still looks like it will wipe out my ACL if I force permissions down the tree.
    (see add object box)

    Accepted Solution

    Only if you choose to replace existing permissions.
    The other option is to propagate inherited permissions.

    Author Comment

    It looks like a good option.  I do like the idea of the GPO enforcement even if someone tried to change permissions.

    I will test at a small scale - thanks

    Expert Comment

    You're welcome
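
    The report-then-add approach discussed in this thread, as an added PowerShell example that is not part of the original posts: it lists every explicit ACE and flags folders that block inheritance, then adds a group ACE additively so existing users and groups are kept. `$Root`, `$Group` and the `$Targets` paths are assumed placeholders.

```powershell
# Added example: $Root, $Group and $Targets are assumed placeholders, not values from the thread.
$Root  = 'D:\Shares\Engineering'
$Group = 'EXAMPLE\FS-Engineering-Modify'

# 1. Report every explicit (non-inherited) ACE and whether its folder blocks inheritance.
#    Single-user ACEs and protected folders both show up here for review with supervisors.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$report = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        [pscustomobject]@{
            Path               = $dir.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Identity           = $ace.IdentityReference.Value
            Type               = $ace.AccessControlType
            Rights             = $ace.FileSystemRights
        }
    }
}
$report | Export-Csv -Path .\explicit-aces.csv -NoTypeInformation

# 2. After reviewing the CSV, list only the folders the group should reach.
#    An inheritable ACE on the top folder flows to children that still inherit;
#    a folder with InheritanceBlocked = True needs its own entry here.
#    Restricted folders (HR, Accounting in the question) are simply left out.
$Targets = @(
    $Root,
    (Join-Path $Root 'Projects\Archive')   # assumed example of a protected subfolder
)

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

foreach ($path in $Targets) {
    $acl = Get-Acl -LiteralPath $path
    # AddAccessRule appends to the existing ACL. Nothing is replaced, and the
    # folder's inheritance setting (blocked or not) is left as it was.
    $acl.AddAccessRule($rule)
    # -WhatIf shows what would change; remove it once the target list is confirmed.
    Set-Acl -LiteralPath $path -AclObject $acl -WhatIf
}
```

    Re-running step 1 after the change gives a before/after record of the explicit ACEs on each folder.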
