Solved

File Server NTFS Best practice / ICACLS examples

Posted on 2016-11-17
Last Modified: 2016-11-20
Hi all,
I am setting up a new file server and need to set ACLs. Whilst I understand NTFS permissions well, I'm seeking best practices for a large corp. environment. Server 2012 R2 domain.

My boss has asked me to setup ICACLS scripts so permissions on folder structure can be reset quickly when we go live.

File server will contain standard Office docs, a few Access DBs, and a few network-based exes.

I am placing users in Domain Global Groups, placing Domain Global Groups into Domain Local Groups, and applying permissions to Domain Local Groups.

For applying permissions to secure subfolders,

Question 1:
Is it best to break inheritance and replace current ACLs (inheritance:r), or copy current ACLs (inheritance:d)?

If I break and replace, do I need to grant "NT AUTHORITY\SYSTEM" onto the ACL of each folder?
Same question for "Creator Owners".

Finally, I am collecting ICACLS sample scripts to base my scripts on, so would appreciate any samples you may have.
Many thanks
String
Question by:TreadStone_IT
3 Comments
LVL 9

Accepted Solution

by:
Tomas Valenta earned 250 total points
ID: 41892649
Answer 1)
In most cases it is necessary to break inheritance to meet security requirements for the folder structure, and I recommend replacing.
Of course you need (I hope) to back up your shared data, and for this job your backup software (or scripts) needs to have
permission to read data. Therefore you can use "NT AUTHORITY\SYSTEM" and run the backup procedure in the context of this account, or use the builtin backup account on the server.
I am not using scripts for resetting permissions while moving files from the old to the new server. I copy only the folder structure
by robocopy, configure the right security permissions on the new server and then I copy all files but without permissions (the files
inherit the permissions of the new file server). The requirement is to freeze the folder structure for the time between moving file servers.
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 250 total points
ID: 41893761
Set your permissions by breaking inheritance and granting explicit rights. Ensure you include at least Domain Admins in the security of all folders. In most organizations, backups are run using an account as well as NT AUTHORITY (i.e. this is how NetBackup works), so include these accounts also.

Author Closing Comment

by:TreadStone_IT
ID: 41895311
Thanks fellas for assisting.
I have managed to roll out my icacls scripts and they are working nicely.
Here is a sample line in case anyone else needs to follow:

icacls E:\Data\NP /inheritance:r /grant:r Administrators:(OI)(CI)F "ACME\Domain Admins":(OI)(CI)F "ACME\NP-Folder-W-L":(OI)(CI)M "NT AUTHORITY\SYSTEM":(OI)(CI)F

Cheers
String
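A fuller version of the reset the thread describes, added here as an example and not part of the original thread or the asker's scripts: a PowerShell wrapper around icacls that first restores default inheritance on everything below each secured subfolder, then breaks inheritance on the top folder and replaces the explicit grants. E:\Data, ACME and ACME\NP-Folder-W-L come from the closing comment; the Finance folder and its group name are placeholders.

```powershell
# Added example (not from the original thread). Resets secured subfolders
# under a file server root so only explicit grants to Domain Local groups,
# Administrators, Domain Admins and SYSTEM remain, then shows the result.
$Root   = 'E:\Data'
$Domain = 'ACME'

# Secured subfolder -> Domain Local group that receives Modify (M).
# 'NP' is from the thread; 'Finance' and its group are placeholders.
$Folders = @{
    'NP'      = "$Domain\NP-Folder-W-L"
    'Finance' = "$Domain\Finance-Folder-W-L"
}

foreach ($name in $Folders.Keys) {
    $path  = Join-Path $Root $name
    $group = $Folders[$name]
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Step 1: /reset restores default inherited ACLs on everything below the
    # folder (/T recurses, /C continues past items it cannot change), so stray
    # explicit ACEs that users added do not survive the reset.
    & icacls $path /reset /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reset failed on $path"; continue }

    # Step 2: on the top folder only, drop inherited ACEs (/inheritance:r) and
    # replace (/grant:r) the explicit grants. (OI)(CI) makes each ACE flow to
    # files and subfolders, which is why /T is deliberately not used here.
    $grants = @(
        'Administrators:(OI)(CI)F',
        "$Domain\Domain Admins:(OI)(CI)F",
        'NT AUTHORITY\SYSTEM:(OI)(CI)F',
        "${group}:(OI)(CI)M"
    )
    & icacls $path /inheritance:r /grant:r @grants | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "grant failed on $path"; continue }

    # Step 3: print the resulting ACL so the change can be reviewed.
    & icacls $path
}
```

Run it from an elevated prompt; PowerShell quotes the arguments containing spaces when it invokes icacls, so the principal names need no extra quoting inside the script.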
