?
Solved

File Server NTFS Best practice / ICACLS examples

Posted on 2016-11-17
3
Medium Priority
?
446 Views
Last Modified: 2016-11-20
Hi all,
I am setting up a new file server and need to set ACL's, whilst I understand NTFS Permissions well, Im seeking best practices for a large corp. enviromnent.  Server 2012R2 Domain.

My boss has asked me to setup ICACLS scripts so permissions on folder structure can be reset quickly when we go live.

File Server will contain standard Office docs, A few Access DB's, and a few network based exe's.  

I am placing users in Domain Global Groups, Placing Domain Global Groups into Domain Local Groups , and applying permissions to Domain Local Groups.

For applying permissions to secure subfolders,

Question 1:
is it best to break inheritance and replace current ACLS (inheritance:r),  or copy current ACLs (inheritance:d)?

If I break and replace, do I need to grant  "NT AUTHORITY\SYSTEM" onto the ACL of each folder?.
Same question for "Creator Owners".

Finally, I am collecting ICACLS sample scripts to base my scripts on, so would appreciate any samples you may have.
Many thanks
String
0
Comment
Question by:TreadStone_IT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 9

Accepted Solution

by:
Tomas Valenta earned 1000 total points
ID: 41892649
answer 1)
in most cases it is necessary to break inheritance to meet security requirements for folder structure and recommend
to replace
Of course you need (I hope) to backup your shared data and for this job your backup software (or scripts) needs to have
permission to read data. Therefore you can use "NT AUTHORITY\SYSTEM" and run the backup procedure in context of this account or use builtin backup account on the server.
I am not using scripts for resetting permissions while moving files from old to the new server. I copy only folder structure
by robocopy, configure right security permission on the new server and then I copy all files but without permission (the files
inherite permissions of the new file server. Requirement is to freeze folder structure for time between moving file server.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 1000 total points
ID: 41893761
Set your permission by breaking inheritance and granting explicit rights.  Ensure to include at least domain admins for all folders security.  In most organizations, backups are run using an account as well as NT Authority (i.e. this is how NetBackup works) and to include these accounts also.
0
 

Author Closing Comment

by:TreadStone_IT
ID: 41895311
Thanks fella's for assisting.
I have managed to rollout my icacls scripts and working nicely.
Here is a sample line incase anyone else needs to follow:

icacls E:\Data\NP /inheritance:r /grant:r Administrators:(OI)(CI)F "ACME\Domain Admins":(OI)(CI)F "ACME\NP-Folder-W-L":(OI)(CI)M "NT AUTHORITY\SYSTEM":(OI)(CI)F

Cheers
String
0

Featured Post

Enroll in August's Course of the Month

August's CompTIA IT Fundamentals course includes 19 hours of basic computer principle modules and prepares you for the certification exam. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Go is an acronym of golang, is a programming language developed Google in 2007. Go is a new language that is mostly in the C family, with significant input from Pascal/Modula/Oberon family. Hence Go arisen as low-level language with fast compilation…
The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question