How to make a DFS share RO to entire company while still allowing RW access to a few users

I work for a very large company, spread across multiple domains (due to several acquisitions over the years). Each domain has the same set of divisions. Let's call them Corporate, Games, Mobile, and Timeshare.
I'm responsible for migrating my employer's file system to DFS and eventually consolidating these domains.
I have one share that needs to be accessible via RO by an entire division (Games), and via RW for a few select people.
We do not have a list of all of the employees in the Games division. Originally I was considering writing a script that checks the AD account's department field (hoping that each user even has that field filled out), but boss man said let's try a simpler route, as doing that would affect the on-boarding process of new users as well. As the data owner didn't mind opening it RO to the entire company, for sake of ease, he suggested adding the Domain Users group to the RO security group for the share, and then just adding the users who need RW access to the RW group. We realized that wouldn't work as it would take the lowest permission and apply them for the RW users.

This leaves me wondering if there is another method to achieve this?

ALSO, we cannot use dynamic groups.
Jabari Massey asked:

Cliff Galiher commented:
he suggested adding the Domain Users group to the RO security group for the share, and then just adding the users who need RW access to the RW group. We realized that wouldn't work as it would take the lowest permission and apply them for the RW users.

Your use of RO, RW, and this all or nothing concept is very Unix oriented.  NTFS has a robust and complex permissions strategy with precedence.


RO is not appropriate here.  That implies "Read *ONLY*" (emphasis mine.)  But Windows doesn't think that way.  Permissions are cumulative.  Users with write access will have that permission added to their token when they authenticate, so it isn't a matter of "lowest" permissions being selected and enforced.   The suggestion provided will work as intended unless you have very complex inheritance and deny permissions in the mix.
2

Lawrence Tse, Principal Consultant, commented:
Cliff above is correct.  To complement the answer above: in Windows only the "deny" permission overrides everything. That means that unless you specify "deny write" and leave only "read" selected, another user with "read & write" permission, even if that user is also in the "only read is selected" group, will be able to perform write operations.
0
Pber, Solutions Architect, commented:
I agree with the above as well; however, don't forget NTFS security along with the share security.  The above situation will work share-wise, but if the NTFS security is set more restrictively (i.e., you don't have the special users with Write ability there), then it doesn't matter what you give the users at the share: NTFS will be the most restricting.
0
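The share-plus-NTFS setup that Cliff and Pber describe, written out as an added PowerShell example (not code from the thread): the whole division gets Read at both the share and NTFS level, the small RW group gets Change/Modify at both levels, and a final scan flags any Deny ACE in the tree, which is the one thing that would override the cumulative Allow rights. The server path, share name and group names are assumptions.

```powershell
# Added example, not from the thread. Assumed names: the path, share and the two groups.
$Path       = 'D:\Shares\Games'
$ShareName  = 'Games'
$ReadGroup  = 'CORP\Games-RO'   # contains Domain Users (or the whole division)
$WriteGroup = 'CORP\Games-RW'   # the few people who need to write

# Share-level permissions: Read for the division, Change for the RW group.
# Share rights are cumulative, so RW members who are also in the RO group still get Change.
New-SmbShare -Name $ShareName -Path $Path `
    -ReadAccess $ReadGroup -ChangeAccess $WriteGroup | Out-Null

# NTFS permissions: the RW group must get Modify here too, or NTFS (the more
# restrictive of the two layers) takes write access away again.
$acl       = Get-Acl -Path $Path
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$roRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReadGroup,  'ReadAndExecute', $inherit, $propagate, 'Allow')
$rwRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $WriteGroup, 'Modify',         $inherit, $propagate, 'Allow')
$acl.AddAccessRule($roRule)
$acl.AddAccessRule($rwRule)
Set-Acl -Path $Path -AclObject $acl

# Sanity check: any Deny ACE on the root or a subfolder wins over the Allow rights
# above, so it would silently block the RW members. Report every Deny found.
$folders = @(Get-Item -Path $Path) +
           @(Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue)
$denies = foreach ($f in $folders) {
    (Get-Acl -Path $f.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{n='Folder';e={$f.FullName}}, IdentityReference, FileSystemRights
}
if ($denies) {
    Write-Warning "Deny ACEs found under $Path; they override the cumulative Allow rights:"
    $denies | Format-Table Folder, IdentityReference, FileSystemRights -AutoSize
}

# Show the resulting entries at both layers for review.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessRight -AutoSize
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it once on the file server hosting the DFS target; the DFS namespace folder itself carries no permissions of its own, so the share and NTFS entries above are what decide access.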
arnold commented:
The structure of your DFS namespace comes into play.

As others pointed out, you can limit, based on share permissions, which group/user has write rights. In the case of share permissions, so long as you do not use deny (which is enforced), a user who is a member of both the RO security group and the RW security group will, based on the RW permissions, be allowed to write at the share level and will only be restricted, if at all, by the NTFS security.

The main issue deals with inheritance rights.

Are you organizing a hierarchical namespace? Depending on the nature of the data, you may wish to consider using a document management system that includes rights management as well as version control, meaning changes are tracked, and that handles/deals with curbing the potential conflict of two users making changes to the same document at the same time.
0
Jabari Massey (Author) commented:
Thank you. You were right, indeed!
0
Distributed File System (DFS)