  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 798

File Server NTFS Best practice / ICACLS examples

Hi all,
I am setting up a new file server and need to set ACLs. Whilst I understand NTFS permissions well, I'm seeking best practices for a large corp. environment. Server 2012R2 domain.

My boss has asked me to setup ICACLS scripts so permissions on folder structure can be reset quickly when we go live.

The file server will contain standard Office docs, a few Access DBs, and a few network-based EXEs.

I am placing users in Domain Global Groups, placing Domain Global Groups into Domain Local Groups, and applying permissions to the Domain Local Groups.

For applying permissions to secure subfolders:

Question 1:
Is it best to break inheritance and replace the current ACLs (inheritance:r), or copy the current ACLs (inheritance:d)?

If I break and replace, do I need to grant "NT AUTHORITY\SYSTEM" onto the ACL of each folder?
Same question for "Creator Owner".

Finally, I am collecting ICACLS sample scripts to base my scripts on, so would appreciate any samples you may have.
Many thanks
String
2 Solutions
Tomas Valenta (IT Manager) commented:
Answer 1)
In most cases it is necessary to break inheritance to meet security requirements for the folder structure, and I recommend replacing.
Of course you need (I hope) to back up your shared data, and for this job your backup software (or scripts) needs to have permission to read the data. Therefore you can use "NT AUTHORITY\SYSTEM" and run the backup procedure in the context of this account, or use the built-in backup account on the server.
I am not using scripts for resetting permissions while moving files from the old to the new server. I copy only the folder structure with robocopy, configure the right security permissions on the new server, and then copy all files but without permissions (the files inherit the permissions of the new file server). The requirement is to freeze the folder structure for the time between moving file servers.
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Set your permissions by breaking inheritance and granting explicit rights. Ensure you include at least Domain Admins in the security of all folders. In most organizations, backups are run using an account as well as NT Authority (i.e. this is how NetBackup works), so include these accounts also.
TreadStone_IT (Author) commented:
Thanks, fellas, for assisting.
I have managed to roll out my icacls scripts and they are working nicely.
Here is a sample line in case anyone else needs to follow:

icacls E:\Data\NP /inheritance:r /grant:r Administrators:(OI)(CI)F "ACME\Domain Admins":(OI)(CI)F "ACME\NP-Folder-W-L":(OI)(CI)M "NT AUTHORITY\SYSTEM":(OI)(CI)F

Cheers
String
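As an added example (not code from the original thread), the following PowerShell wrapper applies the poster's icacls pattern to several secured subfolders, saves each folder's ACL first so it can be rolled back with /restore, and checks the result. The domain name ACME, the E:\Data root, the NP-Folder-W-L group and the second folder/group pair are assumptions modelled on the poster's sample line.

```powershell
# Assumed names, following the poster's sample line.
$Domain = 'ACME'
$Root   = 'E:\Data'

# Map each secured subfolder to the Domain Local group that gets Modify on it
# (hypothetical folder and group names in the poster's naming style).
$Folders = @{
    'NP'      = 'NP-Folder-W-L'
    'Finance' = 'Finance-Folder-W-L'
}

# Principals granted on every secured folder, independent of the per-folder group.
$BaseGrants = @(
    'Administrators:(OI)(CI)F',
    "$Domain\Domain Admins:(OI)(CI)F",
    'NT AUTHORITY\SYSTEM:(OI)(CI)F'
)

foreach ($name in $Folders.Keys) {
    $path  = Join-Path $Root $name
    $group = "$Domain\$($Folders[$name])"

    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping $path (does not exist)"
        continue
    }

    # Save the current ACLs of the tree so the change can be undone with
    # "icacls <dir> /restore <file>" if something goes wrong.
    $backup = Join-Path $env:TEMP ("acl-{0}.txt" -f $name)
    & icacls.exe $path /save $backup /t /c | Out-Null

    # /inheritance:r drops every inherited ACE; /grant:r replaces any existing
    # explicit ACEs for the listed principals instead of adding to them.
    $grants = $BaseGrants + "${group}:(OI)(CI)M"
    & icacls.exe $path /inheritance:r /grant:r @grants

    if ($LASTEXITCODE -ne 0) {
        Write-Error "icacls failed on $path (exit code $LASTEXITCODE)"
        continue
    }

    # Verify: the group must be present and no ACE may still be marked (I) inherited.
    $acl = (& icacls.exe $path) -join "`n"
    if ($acl -notmatch [regex]::Escape($group) -or $acl -match '\(I\)') {
        Write-Warning "Unexpected ACL on ${path}:`n$acl"
    }
}
```

Because /inheritance:r removes every inherited ACE, CREATOR OWNER (or any backup service account) only ends up on these folders if it is added to $BaseGrants explicitly.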