File Server NTFS Best practice / ICACLS examples
Posted on 2016-11-17
I am setting up a new file server and need to set ACLs. Whilst I understand NTFS permissions well, I'm seeking best practices for a large corp. environment. Server 2012 R2 domain.
My boss has asked me to set up ICACLS scripts so permissions on the folder structure can be reset quickly when we go live.
The file server will contain standard Office docs, a few Access DBs, and a few network-based EXEs.
I am placing users in Domain Global Groups, placing Domain Global Groups into Domain Local Groups, and applying permissions to Domain Local Groups.
For applying permissions to secure subfolders, is it best to break inheritance and replace current ACLs (inheritance:r), or copy current ACLs (inheritance:d)?
If I break and replace, do I need to grant "NT AUTHORITY\SYSTEM" onto the ACL of each folder?
Same question for "Creator Owners".
Finally, I am collecting ICACLS sample scripts to base my scripts on, so would appreciate any samples you may have.
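
An added example, not part of the original post: a PowerShell wrapper around icacls that backs up, then resets, the ACL of one secured subfolder using the break-and-replace option (`/inheritance:r`) asked about above. The folder path and the two domain local group names are hypothetical placeholders, and leaving out CREATOR OWNER is a choice made for this example.

```powershell
# Added example. Hypothetical values: the folder path and both group names.
$Folder   = 'D:\Shares\Finance'
$ModifyDL = 'CORP\DL_FS_Finance_Modify'   # domain local group, Modify
$ReadDL   = 'CORP\DL_FS_Finance_Read'     # domain local group, Read & Execute

function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

# 1. Save the current ACLs of the folder tree before touching anything.
#    Roll back with: icacls <parent of $Folder> /restore <backup file>
$Backup = Join-Path $env:TEMP ('acl-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
Invoke-Icacls @($Folder, '/save', $Backup, '/T', '/C')

# 2. /inheritance:r removes every inherited ACE, SYSTEM and Administrators
#    included, so both are granted back explicitly in the same command.
#    /grant:r replaces any earlier explicit ACE for the same principal.
#    (OI)(CI) applies the ACE to this folder, its subfolders and its files.
#    Well-known SIDs (prefixed with *) avoid localized account names.
Invoke-Icacls @(
    $Folder, '/inheritance:r', '/grant:r',
    '*S-1-5-18:(OI)(CI)F',                # NT AUTHORITY\SYSTEM
    '*S-1-5-32-544:(OI)(CI)F',            # BUILTIN\Administrators
    "${ModifyDL}:(OI)(CI)M",
    "${ReadDL}:(OI)(CI)RX"
)
# CREATOR OWNER is not re-granted here (a choice made for this example).

# 3. Drop explicit ACEs on everything below the folder so children carry
#    only what they inherit from the ACL set in step 2.
Invoke-Icacls @((Join-Path $Folder '*'), '/reset', '/T', '/C')

# 4. Print the resulting ACL for review.
Invoke-Icacls @($Folder)
```

With `/inheritance:d` in step 2 instead, the inherited ACEs would be copied as explicit entries and each unwanted one would then need its own `/remove`.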