Solved

File Server NTFS Best practice / ICACLS examples

Posted on 2016-11-17
Last Modified: 2016-11-20
Hi all,
I am setting up a new file server and need to set ACLs. Whilst I understand NTFS permissions well, I'm seeking best practices for a large corporate environment. Server 2012 R2 domain.

My boss has asked me to setup ICACLS scripts so permissions on folder structure can be reset quickly when we go live.

The file server will contain standard Office docs, a few Access DBs, and a few network-based EXEs.

I am placing users in domain global groups, placing domain global groups into domain local groups, and applying permissions to the domain local groups.

For applying permissions to secure subfolders:

Question 1:
Is it best to break inheritance and replace the current ACLs (inheritance:r), or copy the current ACLs (inheritance:d)?

If I break and replace, do I need to grant "NT AUTHORITY\SYSTEM" on the ACL of each folder?
Same question for "CREATOR OWNER".

Finally, I am collecting icacls sample scripts to base my scripts on, so I would appreciate any samples you may have.
Many thanks,
String
Question by: TreadStone_IT
3 Comments
 

Accepted Solution

by: Tomas Valenta (earned 250 total points)
ID: 41892649
Answer 1)
In most cases it is necessary to break inheritance to meet the security requirements for the folder structure, and I recommend replacing.
Of course you need (I hope) to back up your shared data, and for this job your backup software (or scripts) needs to have permission to read the data. Therefore you can use "NT AUTHORITY\SYSTEM" and run the backup procedure in the context of this account, or use the built-in backup account on the server.
I am not using scripts for resetting permissions while moving files from the old to the new server. I copy only the folder structure with robocopy, configure the right security permissions on the new server, and then copy all the files but without permissions (the files inherit the permissions of the new file server). The requirement is to freeze the folder structure for the time between moving file servers.
 

Assisted Solution

by: Mohammed Khawaja (earned 250 total points)
ID: 41893761
Set your permissions by breaking inheritance and granting explicit rights. Ensure you include at least Domain Admins in every folder's security. In most organizations, backups are run using an account as well as NT AUTHORITY (i.e. this is how NetBackup works), so include these accounts also.
 

Author Closing Comment

by: TreadStone_IT
ID: 41895311
Thanks, fellas, for assisting.
I have managed to roll out my icacls scripts and they are working nicely.
Here is a sample line in case anyone else needs to follow:

icacls E:\Data\NP /inheritance:r /grant:r Administrators:(OI)(CI)F "ACME\Domain Admins":(OI)(CI)F "ACME\NP-Folder-W-L":(OI)(CI)M "NT AUTHORITY\SYSTEM":(OI)(CI)F

Cheers
String
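The structure-first migration Tomas describes (copy the folder tree, set permissions, then copy the files without their ACLs) and the kind of reset line the asker posted, combined into one PowerShell script as an added example. This is not code from the thread: the share \\OLDFS01\Data, the E:\Data target, the ACME domain, the group names, the C:\Migration\acl folder and the Invoke-Native helper are all assumptions. It also answers Question 1 in code rather than in prose: /inheritance:r removes every inherited ACE, so SYSTEM and the admin groups must be granted again explicitly on each such folder; /inheritance:d stops inheritance but keeps the inherited ACEs as explicit copies (including the volume-root Users entry, which then has to be removed by hand); /grant:r replaces whatever explicit ACE the named principal already had; and the CREATOR OWNER (IO) entry is the NTFS default that hands full control of a new file or folder to whoever created it.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Server/share names, the drive
# letter, the NetBIOS domain and the group names are all assumptions.
$ErrorActionPreference = 'Stop'

$Source   = '\\OLDFS01\Data'    # assumed: old server share
$Target   = 'E:\Data'           # assumed: new data volume
$Domain   = 'ACME'              # assumed: NetBIOS domain name
$AclStore = 'C:\Migration\acl'  # assumed: where icacls /save output goes

# Secure subfolder -> domain local groups (AGDLP: users -> global -> domain local -> ACL).
# Group names are assumed; the -W-L / -R-L suffixes mark the Modify and Read local groups.
$Secure = @{
    'NP'      = @{ Modify = 'NP-Folder-W-L';      Read = 'NP-Folder-R-L' }
    'Finance' = @{ Modify = 'Finance-Folder-W-L'; Read = 'Finance-Folder-R-L' }
}

function Invoke-Native {
    # Run an external command and stop the script unless its exit code is in $Ok.
    param([string]$Exe, [string[]]$ArgumentList, [int[]]$Ok = @(0))
    & $Exe @ArgumentList
    if ($Ok -notcontains $LASTEXITCODE) {
        throw "$Exe $($ArgumentList -join ' ') exited with $LASTEXITCODE"
    }
}

# 1. Copy the folder tree only: /E includes empty subfolders, /XF * excludes every file.
#    robocopy exit codes 0-7 are success or informational; 8 and above are failures.
Invoke-Native robocopy @($Source, $Target, '/E', '/XF', '*', '/R:1', '/W:1', '/NFL', '/NDL') (0..7)

# 2. Snapshot the ACLs of the new tree so the reset can be undone with
#    icacls E:\Data /restore <file>.
New-Item -ItemType Directory -Force -Path $AclStore | Out-Null
Invoke-Native icacls @($Target, '/save', "$AclStore\Data-before.acl", '/T', '/C')

# 3. Root of the share: /inheritance:d stops inheritance but copies the inherited
#    ACEs (from E:\) as explicit ones, so the volume-root Users entry is removed
#    by hand; /grant:r replaces any explicit ACE already held by the named principal.
Invoke-Native icacls @($Target, '/inheritance:d')
Invoke-Native icacls @($Target, '/remove:g', 'Users')
Invoke-Native icacls @($Target, '/grant:r',
    'Administrators:(OI)(CI)F',
    "$Domain\Domain Admins:(OI)(CI)F",
    'NT AUTHORITY\SYSTEM:(OI)(CI)F',
    'CREATOR OWNER:(OI)(CI)(IO)F')

# 4. Secure subfolders: /inheritance:r drops every inherited ACE, so nothing from
#    E:\Data (not even SYSTEM or the admin groups) reaches these folders unless it
#    is granted again here.
foreach ($name in $Secure.Keys) {
    $dir = Join-Path $Target $name
    Invoke-Native icacls @($dir, '/inheritance:r', '/grant:r',
        'Administrators:(OI)(CI)F',
        "$Domain\Domain Admins:(OI)(CI)F",
        'NT AUTHORITY\SYSTEM:(OI)(CI)F',
        "$Domain\$($Secure[$name].Modify):(OI)(CI)M",
        "$Domain\$($Secure[$name].Read):(OI)(CI)RX")
}

# 5. Now copy the files. /COPY:DAT (robocopy's default, stated explicitly) takes
#    data, attributes and timestamps but not S (ACL), O (owner) or U (auditing),
#    so every file inherits the ACL of its new parent instead of carrying the old
#    server's ACL across.
Invoke-Native robocopy @($Source, $Target, '/E', '/COPY:DAT', '/R:1', '/W:1', '/MT:16',
    '/NFL', '/NDL', "/LOG+:$AclStore\copy.log") (0..7)

# 6. Check the result: /verify flags ACLs that are not in canonical form, and a
#    non-zero exit code from it stops the script.
Invoke-Native icacls @($Target, '/verify', '/T', '/C')
```

Run it from an elevated PowerShell on the new server before the share is published, so nobody can write into the tree between steps 1 and 5. The step 2 snapshot is what makes the reset repeatable: `icacls E:\Data /restore C:\Migration\acl\Data-before.acl` puts the tree back, and rerunning steps 3 and 4 is the "reset quickly" the asker's boss wanted, because /grant:r and /inheritance:r are idempotent on a tree that already has the intended ACEs.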
