Share/Ntfs Permissions, the Right way.
Share/Ntfs Permissions, the Right way.
I have seen 2 ways Administrators design their Share/Ntfs Permissions.
**Some Administrators , create a Share and give Authenticated Users Full Control in Share permissions. Then in Security tab of the Share they give permissions to Active Directory Groups that needs to have access to the Share and folders inside the Share.
**Other Administrators, they create a Share and give Authenticated Users Full Control in Share Permissions. in Security tab of the Share , they leave everything to the default, they do not change anything.
Then they create a folder inside the Share, they name it for instance "Departments" which will be the top folder. in Security tab of "Departments" folder,they give READ permissions to Authenticated Users (This folder Only), and they give for instance Domain Admins, Enterprise Admins, Full Control (This folder, Subfolders and Files).
Then Under "Departments" folder , when they get a request , they will create folders for each department, ex : Accounting, Marketing,etc...and they add appropriate AD group to the folder permissions.
---So I am familiar with the second options that Administrator use, but I am not sure if the first option is best practice or it is wrong, or is something to avoid.
any Clarification will be very much appreciated.
Thank you
I have seen 2 ways Administrators design their Share/Ntfs Permissions.
**Some Administrators , create a Share and give Authenticated Users Full Control in Share permissions. Then in Security tab of the Share they give permissions to Active Directory Groups that needs to have access to the Share and folders inside the Share.
**Other Administrators, they create a Share and give Authenticated Users Full Control in Share Permissions. in Security tab of the Share , they leave everything to the default, they do not change anything.
Then they create a folder inside the Share, they name it for instance "Departments" which will be the top folder. in Security tab of "Departments" folder,they give READ permissions to Authenticated Users (This folder Only), and they give for instance Domain Admins, Enterprise Admins, Full Control (This folder, Subfolders and Files).
Then Under "Departments" folder , when they get a request , they will create folders for each department, ex : Accounting, Marketing,etc...and they add appropriate AD group to the folder permissions.
---So I am familiar with the second options that Administrator use, but I am not sure if the first option is best practice or it is wrong, or is something to avoid.
any Clarification will be very much appreciated.
Thank you
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you all Guys !
Is this something that is called RBAC ?
Role based access control
Role based access control
Most organizations find it easier to configure Share permissions as Everyone or Authenticated Users as Full Control, and then use NTFS permissions to perform the actual access control. You can't use NTFS to grant a higher level of effective permissions than the share (I.e., you can't grant a READ ONLY permission at the Share Level for a user or group and then grant that same user or group CHANGE permissions at the file or folder level. They'll be restricted to READ ONLY, since that is set at the lowest level).
ASKER
Is this the same as 2nd Option I have listed in my Question ?