
NTFS Permissions - Best Practice when restructuring users/groups

Asked by PostQ
Topics: Storage, Network Security, Microsoft Server OS
I will be in the process of adding/changing rights for a large file share.

A few things I have noticed:
Inheritance blocked on several folders from the root. (No particular pattern)
Several departments now interact, so more single users from other departments have been applied to folders and not always a group.
Some supervisors will be losing domain admin rights. (Given very early on.)
Users losing domain admin rights will have entire folder rights (department) in many places except HR and Accounting.
The structure is really showing the signs from when it was a smaller company, and it is now larger and divided.

I think my main challenges will be:

Who can become part of a group/new group without overreaching?

How can new groups get forced into lower folders without wiping out the current permissions?
(Ex: Domain admin now a normal user but needing access to several folders deep. If I put the group at the top level and then remove blocking below, will it still wipe out NTFS ACLs as if forced from above? I don't want to force a new group to the bottom folder and lose my current groups and users.)

Are there any new best practices or procedures for cleaning up rights? Management is not interested in purchasing any tools to automate changes. As of now I will just have the ability to run reports, and talk to supervisors about access for the department and other departments. I don't want to delegate the power to the supervisors to add users. I like to stay with groups if possible. I also try to stay away from using any DENY for users or groups. (However, this might happen on the HR / Accounting folder.)

I have the Safari library in case there are any good books recommended.
Maybe I need to move away from the trend to name groups similar to departments. Maybe it should be security levels such as Engineer Level 1 - 5 (not each Engineering department name).

Thanks in advance
Natty Greg
In Theory (IT)
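
The question mentions being limited to running reports before any change. As an added example (not part of the original thread), this read-only PowerShell script lists every folder where inheritance is blocked and every explicit Allow/Deny entry, so individual user accounts and DENY entries stand out for review. The share path, output file name and ignore list are assumptions to adjust.

```powershell
# Added example: read-only NTFS ACL audit. Nothing on the share is modified.
param(
    [string]$Root   = 'D:\Shares\Company',      # assumption: placeholder share path
    [string]$OutCsv = '.\ntfs-acl-audit.csv'    # assumption: report file name
)

# Principals expected on most folders; skipped to reduce noise (adjust as needed).
$ignore = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

# The root itself plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    # Explicit (non-inherited) entries are the ones set directly on this folder.
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $ignore -notcontains $_.IdentityReference.Value
    })

    # Inheritance blocked but nothing explicit left after filtering: still report it.
    if ($acl.AreAccessRulesProtected -and $explicit.Count -eq 0) {
        [pscustomobject]@{
            Path = $folder.FullName; InheritanceBlocked = $true
            Identity = ''; Type = ''; Rights = ''; AppliesTo = ''
        }
    }

    foreach ($ace in $explicit) {
        [pscustomobject]@{
            Path               = $folder.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Identity           = $ace.IdentityReference.Value   # user or group name
            Type               = $ace.AccessControlType         # Allow or Deny
            Rights             = $ace.FileSystemRights
            AppliesTo          = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

# One row per explicit entry; sort so Deny entries and blocked folders group together.
$report | Sort-Object Type, Path | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
"{0} rows written to {1}" -f @($report).Count, $OutCsv
```

Folders that only inherit from their parent do not appear in the report, so the CSV is a list of exactly the places where permissions were set by hand.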
