NTFS Permissions - Best Practice when restructuring users/groups
Posted on 2014-09-02
I will be in the process of adding/changing rights for a large file share.
A few things I have noticed:
Inheritance blocked on several folders from the root. (No particular pattern)
Several departments now interact, so more single users from other departments have been applied to folders, and not always a group.
Some supervisors will be losing domain admin rights. (Given very early on.)
Users losing domain admin rights will have entire folder rights (department) in many places except HR and Accounting.
The structure is really showing the signs from when it was a smaller company, and now larger and divided.
I think my main challenges will be:
Who can become part of a group/new group without overreaching?
How can new groups get forced into lower folders without wiping out the current permission?
(Ex: Domain admin now a normal user but needing access to several folders deep. If I put the group at the top level and then remove blocking below will it still wipe out NTFS ACLs as if forced from above? I don't want to force a new group to the bottom folder and lose my current groups and users.)
Are there any new best practices or procedures for cleaning up rights? Management is not interested in purchasing any tools to automate changes. As of now I will just have the ability to run reports, and talk to supervisors about access for the department and other departments. I don't want to delegate the power to the supervisors to add users. I like to stay with groups if possible. I also try to stay away from using any DENY for users or groups. (However this might happen on the HR / Accounting folder).
I have Safari Library in case there are any good books recommended.
Maybe I need to move away from the trend to name groups similar to departments. Maybe it should be security levels such as Engineer Level 1 - 5 (not each Engineering department name).
Thanks in advance
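
A read-only report of the conditions listed in the post (blocked inheritance, individual users placed directly on folder ACLs, DENY entries), as an added example that is not part of the original post. The share path, output file and the `Get-PrincipalClass` helper are assumptions, and the user/group lookup assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example: reports on NTFS ACLs only, changes nothing.
param(
    [string]$Root    = 'D:\Shares\Data',     # hypothetical share root
    [string]$OutFile = '.\acl-report.csv'    # hypothetical output path
)
Import-Module ActiveDirectory

$classCache = @{}   # SID -> objectClass, so each identity is looked up once

# Hypothetical helper: classify an ACE identity as user, group, computer, etc.
function Get-PrincipalClass($Identity) {
    try   { $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return 'unresolved' }
    if (-not $classCache.ContainsKey($sid)) {
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
        # Not found in AD: well-known, local, or orphaned SID.
        $classCache[$sid] = if ($obj) { $obj.ObjectClass } else { 'not-in-AD' }
    }
    $classCache[$sid]
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    # Explicit ACEs only: inherited ones are reported at the folder that defines them.
    foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
        [pscustomobject]@{
            Folder             = $folder.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Identity           = $ace.IdentityReference.Value
            PrincipalClass     = Get-PrincipalClass $ace.IdentityReference
            Type               = $ace.AccessControlType    # Allow or Deny
            Rights             = $ace.FileSystemRights
            AppliesTo          = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

# Full detail to CSV for review with supervisors.
$report | Export-Csv -Path $OutFile -NoTypeInformation

# On screen: ACEs granted to individual users, plus any Deny entries.
$report | Where-Object { $_.PrincipalClass -eq 'user' -or $_.Type -eq 'Deny' } |
    Sort-Object Folder | Format-Table Folder, Identity, Type, Rights -AutoSize
```

Filtering the CSV on `InheritanceBlocked` lists every folder where inheritance is broken, together with the explicit entries that would need to be reconciled before any change is made there.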