NTFS Permissions - Best Practice when restructuring users/groups

I will be in the process of adding/changing rights for a large file share.

A few things I have noticed:
Inheritance blocked on several folders from the root.  (No particular pattern)
Several departments now interact, so more single users from other departments have been applied to folders, and not always a group.
Some supervisors will be losing domain admin. rights.  (Given very early on.)
Users losing domain admin rights will have entire folder rights (department) in many places except HR and Accounting.
The structure is really showing the signs from when it was a smaller company, and now larger and divided.

I think my main challenges will be:

Who can become part of a group/new group without overreaching?

How can new groups get forced into lower folders without wiping out the current permissions?
(Ex: a domain admin is now a normal user but needs access to several folders deep. If I put the group at the top level and then remove blocking below, will it still wipe out NTFS ACLs as if forced from above? I don't want to force a new group to the bottom folder and lose my current groups and users.)

Are there any new best practices or procedures for cleaning up rights? Management is not interested in purchasing any tools to automate changes. As of now I will just have the ability to run reports and talk to supervisors about access for the department and other departments. I don't want to delegate the power to the supervisors to add users. I like to stay with groups if possible. I also try to stay away from using any DENY for users or groups. (However, this might happen on the HR / Accounting folder.)

I have a Safari library in case there are any good books recommended.
Maybe I need to move away from the trend of naming groups similar to departments. Maybe it should be security levels such as Engineer Level 1 - 5 (not each Engineering department name).

Thanks in advance
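The question mentions that only reports are available, not tooling. The following PowerShell script is an added example (not from the question or any answer on this page) that produces the two reports the cleanup needs before any ACL is touched: which folders block inheritance, and which explicit entries are granted to individual users rather than groups (it also surfaces any Deny entries). The share root path is an assumption; the group/user classification uses the ActiveDirectory module when present and a name heuristic otherwise.

```powershell
# Added example, not from the original question or answers.
# Reports, for every folder under a share root:
#   - whether inheritance is blocked (explicit ACL only)
#   - every explicit (non-inherited) ACE, flagged as group or user, Allow or Deny
$Root = '\\fileserver\share'   # assumed path; replace with the real share root

# Classify an identity as group or user. Uses Get-ADObject when the
# ActiveDirectory module is loaded; otherwise falls back to a naming heuristic
# (adjust the pattern to the local naming convention).
function Test-IsGroup {
    param([string]$Identity)
    $name = $Identity.Split('\')[-1]
    if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -ErrorAction SilentlyContinue
        if ($obj) { return ($obj.ObjectClass -eq 'group') }
    }
    # Fallback heuristic: well-known principals and "Domain ..." names count as groups
    return ($Identity -match '^(BUILTIN|NT AUTHORITY)\\') -or ($name -match '^(Domain|Enterprise) ')
}

$report = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Only explicit entries matter here: these are what a "replace all child
    # permissions" propagation would destroy, so they must be inventoried first.
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited }
    foreach ($ace in $explicit) {
        [pscustomobject]@{
            Path               = $dir.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Identity           = $ace.IdentityReference.Value
            IsGroup            = Test-IsGroup $ace.IdentityReference.Value
            Rights             = $ace.FileSystemRights
            Type               = $ace.AccessControlType   # Allow or Deny
        }
    }
}

# Report 1: folders that break inheritance from the root
$report | Where-Object InheritanceBlocked | Select-Object -Unique Path

# Report 2: direct user assignments that should become group memberships
$report | Where-Object { -not $_.IsGroup } | Sort-Object Path | Format-Table -AutoSize

# Report 3: any Deny entries, which the question tries to avoid
$report | Where-Object { $_.Type -eq 'Deny' } | Format-Table -AutoSize

# Keep the full inventory for the conversation with supervisors
$report | Export-Csv -LiteralPath "$env:TEMP\ntfs-acl-report.csv" -NoTypeInformation
```

Run it read-only with an account that can read the ACLs (no changes are made). The CSV is the baseline to compare against after each change, and the inheritance-block list is what tells you which blocks were deliberate (HR, Accounting) and which are leftovers from the smaller-company days.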

Natty Greg (In Theory (IT)) commented:
Use groups and group policy to set the rights; it will help you big time, and one person can be a part of multiple groups to perform different tasks in different departments.
PostQ (author) commented:
Seems like a nice way of adding per folder but it still looks like it will wipe out my ACL if I force permissions down the tree.

(see add object box)
Natty Greg (In Theory (IT)) commented:
Only if you choose to replace existing permissions.
The other option is to propagate inherited permissions.
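The distinction in this answer (propagate versus replace) is the whole question. The PowerShell below is an added example, not code from either participant, showing the non-destructive path: the new group's entry is added at a top-level folder with inheritance flags so it flows down, and child folders that block inheritance have inheritance turned back on, which keeps their own explicit entries. The share path and group name are assumptions, and it runs in dry-run mode until `$DryRun` is flipped.

```powershell
# Added example, not from the original answers.
# Adds a group at a top-level folder so the right propagates by inheritance, then
# re-enables inheritance on children that block it, without replacing their
# existing explicit ACEs.
$TopFolder = '\\fileserver\share\Engineering'   # assumed path
$Group     = 'CORP\Eng-Share-Modify'            # assumed group name
$DryRun    = $true                              # set to $false after reviewing the -WhatIf output

# Inheritance flags make the entry apply to subfolders and files below.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 1. Add (not replace) the group's entry at the top folder. AddAccessRule merges
#    with the existing DACL; the users and groups already on this folder stay.
#    The entry is then inherited by every child that still inherits.
$acl = Get-Acl -LiteralPath $TopFolder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $TopFolder -AclObject $acl -WhatIf:$DryRun

# 2. For children that block inheritance, turn inheritance back on.
#    SetAccessRuleProtection($false, ...) re-enables inheritance and leaves the
#    folder's own explicit ACEs in place. The destructive operation is the
#    "Replace all child object permissions" option (icacls /reset); it is not
#    used here.
Get-ChildItem -LiteralPath $TopFolder -Directory -Recurse |
    ForEach-Object {
        $childAcl = Get-Acl -LiteralPath $_.FullName
        if ($childAcl.AreAccessRulesProtected) {
            Write-Host "Re-enabling inheritance on $($_.FullName)"
            $childAcl.SetAccessRuleProtection($false, $true)
            Set-Acl -LiteralPath $_.FullName -AclObject $childAcl -WhatIf:$DryRun
        }
    }
```

Two caveats before flipping `$DryRun`. Re-enabling inheritance on a folder whose block was deliberate (an HR or Accounting subfolder under a department tree) gives the parent's groups access to it, so step 2 should be driven by a reviewed list of folders rather than run blindly over the whole tree. And Set-Acl needs the caller to hold WRITE_DAC or ownership on each folder, which former domain admins lose; run the cleanup from an account that keeps that right.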

PostQ (author) commented:
It looks like a good option. I do like the idea of the GPO enforcement, even if someone tried to change permissions.

I will test at a small scale - thanks
Natty Greg (In Theory (IT)) commented:
You're welcome.