NTFS Permissions - Best Practice when restructuring users/groups

Posted on 2014-09-02
Medium Priority
Last Modified: 2014-09-02
I will be in the process of adding/changing rights for a large file share.

A few things I have noticed:
Inheritance blocked on several folders from the root.  (No particular pattern)
Several departments now interact, so more single users from other departments have been applied to folders, and not always a group.
Some supervisors will be losing domain admin rights.  (Given very early on.)
Users losing domain admin rights will have entire folder rights (department) in many places except HR and Accounting.
The structure is really showing the signs from when it was a smaller company, and now larger and divided.

I think my main challenges will be:

Who can become part of a group/new group without overreaching?

How can new groups get forced into lower folders without wiping out the current permission?
(Ex: Domain admin now a normal user but needing access to several folders deep.  If I put the group at the top level and then remove blocking below will it still wipe out NTFS ACLs as if forced from above?  I don't want to force a new group to the bottom folder and lose my current groups and users.)

Are there any new best practices or procedures for cleaning up rights?  Management is not interested in purchasing any tools to automate changes.   As of now I will just have the ability to run reports, and talk to supervisors about access for the department and other departments.  I don't want to delegate the power to the supervisors to add users.  I like to stay with groups if possible.  I also try to stay away from using any DENY for users or groups.  (However this might happen on the HR / Accounting folder).

I have Safari library in case there are any good books recommended.
Maybe I need to move away from the trend to name groups similar to departments.  Maybe it should be security levels such as Engineer Level 1 - 5.  (not each Engineering department name).

Thanks in advance
Question by:PostQ

Expert Comment

by:Natty Greg
ID: 40298937
Use groups and group policy to set the rights. It will help you big time, and one person can be a part of multiple groups to perform different tasks in different departments.

Author Comment

ID: 40298963
Seems like a nice way of adding per folder but it still looks like it will wipe out my ACL if I force permissions down the tree.

(see add object box)

Accepted Solution

Natty Greg earned 2000 total points
ID: 40298996
Only if you choose to replace existing permissions.
The other option is to propagate inherited permissions.
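
The same distinction at the ACL level, as an added example that is not part of the original thread: an inheritable ACE is merged into the top folder's ACL instead of replacing the ACLs below it, and folders with blocked inheritance are listed so each can be handled deliberately. The path and group name are placeholders, and `-Directory` assumes PowerShell 3.0 or later.

```powershell
# Added example. $Root and $Group are placeholder values, not taken from the thread.
$Root  = 'D:\Shares\Engineering'
$Group = 'CONTOSO\Eng-Modify'

# 1. Save the current ACLs of the whole tree before touching anything
#    (the file can be fed back to icacls /restore if a change goes wrong).
icacls $Root /save "$env:TEMP\acl-backup.txt" /t /c | Out-Null

# 2. Add one inheritable Allow ACE at the top folder. AddAccessRule merges the
#    entry into the existing ACL; explicit ACEs on child folders are not reset.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $Root
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# 3. List subfolders where inheritance is blocked. The new ACE stops at each
#    of these, so they are the folders that need a decision.
$blocked = Get-ChildItem -Path $Root -Recurse -Directory |
    Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected }
$blocked | Select-Object -ExpandProperty FullName

# 4. For each blocked folder, after review, pick one of the two options.
#    -WhatIf only previews the change; remove it to apply.
foreach ($dir in $blocked) {
    $childAcl = Get-Acl -Path $dir.FullName
    # (a) Leave inheritance blocked and add the group explicitly.
    $childAcl.AddAccessRule($rule)
    # (b) Or re-enable inheritance instead; explicit ACEs already on the
    #     folder are kept and the parent's ACEs are added as inherited.
    # $childAcl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $dir.FullName -AclObject $childAcl -WhatIf
}
```

Folders that were blocked on purpose, such as the HR and Accounting folders mentioned in the question, should be filtered out of `$blocked` before step 4.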

Author Comment

ID: 40299003
It looks like a good option.  I do like the idea of the GPO enforcement even if someone tried to change permissions.

I will test at a small scale - thanks

Expert Comment

by:Natty Greg
ID: 40299013
You're welcome.

Question has a verified solution.