Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

File Server NTFS Best practice / ICACLS examples

Posted on 2016-11-17
3
Medium Priority
?
569 Views
Last Modified: 2016-11-20
Hi all,
I am setting up a new file server and need to set ACL's, whilst I understand NTFS Permissions well, Im seeking best practices for a large corp. enviromnent.  Server 2012R2 Domain.

My boss has asked me to setup ICACLS scripts so permissions on folder structure can be reset quickly when we go live.

File Server will contain standard Office docs, A few Access DB's, and a few network based exe's.  

I am placing users in Domain Global Groups, Placing Domain Global Groups into Domain Local Groups , and applying permissions to Domain Local Groups.

For applying permissions to secure subfolders,

Question 1:
is it best to break inheritance and replace current ACLS (inheritance:r),  or copy current ACLs (inheritance:d)?

If I break and replace, do I need to grant  "NT AUTHORITY\SYSTEM" onto the ACL of each folder?.
Same question for "Creator Owners".

Finally, I am collecting ICACLS sample scripts to base my scripts on, so would appreciate any samples you may have.
Many thanks
String
0
Comment
Question by:TreadStone_IT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 9

Accepted Solution

by:
Tomas Valenta earned 1000 total points
ID: 41892649
answer 1)
in most cases it is necessary to break inheritance to meet security requirements for folder structure and recommend
to replace
Of course you need (I hope) to backup your shared data and for this job your backup software (or scripts) needs to have
permission to read data. Therefore you can use "NT AUTHORITY\SYSTEM" and run the backup procedure in context of this account or use builtin backup account on the server.
I am not using scripts for resetting permissions while moving files from old to the new server. I copy only folder structure
by robocopy, configure right security permission on the new server and then I copy all files but without permission (the files
inherite permissions of the new file server. Requirement is to freeze folder structure for time between moving file server.
0
 
LVL 25

Assisted Solution

by:Mohammed Khawaja
Mohammed Khawaja earned 1000 total points
ID: 41893761
Set your permission by breaking inheritance and granting explicit rights.  Ensure to include at least domain admins for all folders security.  In most organizations, backups are run using an account as well as NT Authority (i.e. this is how NetBackup works) and to include these accounts also.
0
 

Author Closing Comment

by:TreadStone_IT
ID: 41895311
Thanks fella's for assisting.
I have managed to rollout my icacls scripts and working nicely.
Here is a sample line incase anyone else needs to follow:

icacls E:\Data\NP /inheritance:r /grant:r Administrators:(OI)(CI)F "ACME\Domain Admins":(OI)(CI)F "ACME\NP-Folder-W-L":(OI)(CI)M "NT AUTHORITY\SYSTEM":(OI)(CI)F

Cheers
String
0

Featured Post

Tech or Treat!

Submit an article about your scariest tech experience—and the solution—and you’ll be automatically entered to win one of 4 fantastic tech gadgets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question