Share/Ntfs Permissions, the Right way.

I have seen 2 ways administrators design their share/NTFS permissions.

1) Some administrators create a share and give Authenticated Users Full Control in the share permissions. Then in the Security tab of the share, they give permissions to the Active Directory groups that need to have access to the share and the folders inside the share.

2) Other administrators create a share and give Authenticated Users Full Control in the share permissions. In the Security tab of the share, they leave everything at the default; they do not change anything.
Then they create a folder inside the share, naming it for instance "Departments", which will be the top folder. In the Security tab of the "Departments" folder, they give READ permissions to Authenticated Users (This folder only), and they give, for instance, Domain Admins and Enterprise Admins Full Control (This folder, subfolders and files).

Then under the "Departments" folder, when they get a request, they create folders for each department, e.g. Accounting, Marketing, etc., and they add the appropriate AD group to the folder permissions.

So I am familiar with the second option that administrators use, but I am not sure if the first option is best practice, or if it is wrong or something to avoid.

Any clarification will be very much appreciated.

Thank you
Shaun Vermaak (Technical Specialist) commented:
1) Create department groups
2) Add all department groups to an All Department group
3) Create a folder Departments
4) Share Departments with All Department: Change
5) In NTFS, remove the Users permissions and add All Department with List Folder permission
6) Enable ABE on the share
7) Create each department folder in Departments, disable inheritance and add the Department group in the NTFS permissions
8) Map the drive with the All Department group as item-level filtering
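The following script is an added example, not Shaun Vermaak's own code or anything from the thread. It carries out steps 3 to 7 above with the SmbShare module (Windows Server 2012 or later; the module does not exist on Server 2008, the topic of this question) and Set-Acl. Steps 1 and 2 (the AD groups) and step 8 (the mapped drive via Group Policy Preferences) are assumed to be done already. The domain name CONTOSO, the umbrella group "All Departments", department groups named after their departments, and the path D:\Departments are all assumptions; substitute your own.

```powershell
# Added example (not from the thread): steps 3-7 of the procedure above.
# Assumed names: domain CONTOSO, group "All Departments", one AD group per
# department with the same name, root path D:\Departments.
# Requires the SmbShare module (Server 2012+). Run elevated on the file server.

$Root        = 'D:\Departments'
$ShareName   = 'Departments'
$AllDeptGrp  = 'CONTOSO\All Departments'
$Departments = @('Accounting', 'Marketing')   # one AD group each, same name (assumed)

function New-FsRule {
    # Helper: build a FileSystemAccessRule. $Inherit $true means
    # "This folder, subfolders and files"; $false means "This folder only".
    param([string]$Identity, [string]$Rights, [bool]$Inherit)
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $flags, 'None', 'Allow')
}

# Step 3: the top folder
New-Item -Path $Root -ItemType Directory -Force | Out-Null

# Steps 4 and 6: share it with Change for the umbrella group, ABE enabled
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -ChangeAccess $AllDeptGrp `
        -FolderEnumerationMode AccessBased | Out-Null
}

# Step 5: break inheritance on the root but keep copies of the inherited
# entries (SYSTEM, Administrators). Persist first: RemoveAccessRule ignores
# entries that are still flagged as inherited in memory.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Root -AclObject $acl

# Now the copies are explicit: drop BUILTIN\Users and give the umbrella group
# list-only rights on this folder only, so users can browse to their department
$acl = Get-Acl -Path $Root
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }
$acl.AddAccessRule((New-FsRule $AllDeptGrp 'ListDirectory, ReadAttributes, ReadPermissions' $false))
Set-Acl -Path $Root -AclObject $acl

# Step 7: one folder per department. Inheritance is disabled and the inherited
# entries discarded, so only SYSTEM, Administrators and that department's group
# remain; with ABE on, other departments never see the folder.
foreach ($dept in $Departments) {
    $path = Join-Path -Path $Root -ChildPath $dept
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    $dacl = Get-Acl -Path $path
    $dacl.SetAccessRuleProtection($true, $false)
    $dacl.AddAccessRule((New-FsRule 'NT AUTHORITY\SYSTEM'    'FullControl' $true))
    $dacl.AddAccessRule((New-FsRule 'BUILTIN\Administrators' 'FullControl' $true))
    $dacl.AddAccessRule((New-FsRule "CONTOSO\$dept"          'Modify'      $true))
    Set-Acl -Path $path -AclObject $dacl
}
```

The department groups get Modify rather than Full Control so that members cannot change the permissions of their own folder; the share-level Change permission for the umbrella group already caps everyone at Change anyway, and the per-folder NTFS entries do the actual access control.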
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
These are two different purposes.
The first way is used if you have only a few shares, which are used commonly by different people, like documents everyone needs access to.
The second one is much easier to maintain for user folders, without having (general) shared access.
jskfan (Author) commented:
Shaun Vermaak

Is this the same as the 2nd option I have listed in my question?
Adam Brown (Sr Solutions Architect) commented:
Either option is acceptable, depending on purpose. For instance, with redirected user folders, you would have a root share folder that grants end users read access in NTFS (or List Folder Contents permission, if you want to be strict, plus write permission to be able to create a folder the first time), then the permissions for folders are managed per folder from there. This is the least-administrative-effort tactic.

For things like having different departments, you can create shares for each department at the department folder level, granting permission for the share as Authenticated Users with full access and NTFS granting access as needed, and use Access Based Enumeration to hide shares/files that people can't access. Or you can use the method you note in #2. There are potential drawbacks to each method, but the differences are minor. It takes less time to *create* the shares with your method 2 than having separate shares, but the time saved is lost by users having to navigate through the share to find their department if they arrive at the root share. So from an efficiency standpoint, it's basically a wash, which means you can do either.

There isn't a "right" way to do things in IT, most of the time. There are definitely "wrong" ways to do things (like, for instance, opening port 3389 for RDP up to the Internet). But most of the time you have to weigh benefits against costs of varying types. Administrative effort is only one potential cost.

It depends on how much and what kind of data you have, what the total user base is, and what ease of restrictions you want. Once your folder structure is decided based on the above factors, then you will get the answer whether the 1st option is fine or the 2nd option is fine.
Ex: When only specific people would require control of an entire folder and there are few folders, the 1st option would be better. However, if the quantity of such folders is larger, this way you need to create lots of root share folders and need to manage those in terms of backup, restoration, adding and removing group members, etc.; however, *per folder* administration is easy as compared to the 2nd option, as you are managing few people per folder and permission complexity is less.

If user-level restrictions are more specific and more restrictive, then the 2nd option is best, where you will put the majority of data in one container and manage NTFS-level restrictions. This option gives you granular control over the entire folder, and you will have fewer backup schedules, as once you add the root share to the backup it will back up recursively.

The one thing *common* to both options that you have not mentioned is the removal of the "Creator Owner" group from the root share at the start, or when you create a new share.
This is recommended to avoid permissions issues.
jskfan (Author) commented:
Thank you all, guys!
Senior IT System Engineer (IT Professional) commented:
Is this something that is called RBAC?
Role-based access control
Aaron Guilmette (Technology Solutions Professional) commented:
Most organizations find it easier to configure share permissions as Everyone or Authenticated Users with Full Control, and then use NTFS permissions to perform the actual access control. You can't use NTFS to grant a higher level of effective permissions than the share (i.e., you can't grant a READ ONLY permission at the share level for a user or group and then grant that same user or group CHANGE permissions at the file or folder level; they'll be restricted to READ ONLY, since that is set at the lowest level).
Windows Server 2008