hypercube

asked on

File Sharing and Security Settings Workstation RESET

We are converting an enterprise from peer-to-peer to a domain.
The file sharing approach has been fairly open between workstations and, in some cases, has been tightened up.
The result is a hodgepodge of permissions.

When joining to a domain, some of the definitions of Groups and permissions change.  Authenticated Users is one of those.

What I'd like to do is to remove all the permissions and start fresh with the domain-joined computers.  So, no file sharing at all at that point.


Many of these computers will be left in this state hereafter.
Others will have specific permissions added so they can be (will continue to be) file servers.
Are there any permissions that should be left alone and NOT removed?
I guess one could say that if the Sharing permissions are all not ALLOW, then that will be the most restrictive.
But, for the file serving computers, Sharing is likely to be set at ALL ALLOW.
That leaves the Security settings....

What's best practice?
ASKER CERTIFIED SOLUTION
eridzone
hypercube

ASKER

Excellent paper!  Aligns with our plans and does clarify the source of my question.

If we might take this a step further:
Many of our "file servers" will be Windows 10 Pro workstations - at least in the near term.   I'm not sure it matters but it's worth mentioning.
The workstations come with default folder permissions.
I think I fairly well understand the relationship between Share Permissions and Security (NTFS) Permissions.  So, my question starts there.
I see that a default folder is NOT SHARED - no surprise.
So, one might add sharing to see if it affects Security:
If we create a folder and share it without further settings, we get:
[User generated image]
Adding permissions to Sharing appears to not affect what's in Security.
If one uses Sharing to Allow all permissions (or Deny some) then that may trump Security permissions.  That's why it's often suggested that all Shared permissions be Allow and Security / NTFS be used to actually apply permissions.

The question that remains is why are there these Security groups:
Everyone
Authenticated Users
SYSTEM
Administrators (Local\Administrators)
Users  (Local\Administrators)

How might one decide to use them or some of them?  Of course, their definitions enter into that.
The alternative is to throw them all out.
It's recommended that SYSTEM not be removed but I'm no expert as to why.

I believe that Everyone in Security / NTFS changes rather drastically in going from a non-domain-joined computer to one that's domain-joined.  So that's an example, I believe, of NOT using Everyone in a domain environment.  Authenticated Users may be the same.

Perhaps we have both answered my intended question.
Use Groups as you outlined and throw out the default Groups seems to be the conclusion.
Am I close?
This is an important topic.  Maybe folks think they understand it all.  Maybe this will help clarify to others?
Thanks Eridzone!!
Eridzone: I made a marked up copy of your paper.  One of my questions today was about ownership.  I don't see that you mentioned ownership.  What might you recommend for a *workstation* share in a domain setting?
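
An added example, not part of the original thread: a read-only PowerShell inventory that lists, for each non-administrative share on a workstation, the Share-level entries, the Security (NTFS) entries and the folder owner, and flags entries granted to the broad groups named above. The `Resolve-Sid` helper and the `$broad` table are names made up for this sketch; it assumes an elevated session on Windows 10 or later.

```powershell
# Added example (not from the thread). Read-only: it changes no permissions.
# Well-known SIDs are used so matching does not depend on the display language.
$broad = @{                      # hypothetical lookup table for this sketch
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Resolve-Sid([string]$Account) {   # hypothetical helper
    try {
        $nt = [System.Security.Principal.NTAccount]$Account
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }            # orphaned or unresolvable account
}

$report = foreach ($share in Get-SmbShare -Special $false) {
    if (-not $share.Path) { continue }     # no folder behind the share
    $acl = Get-Acl -LiteralPath $share.Path

    # Share permissions (the "Sharing" tab)
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            Share     = $share.Name
            Layer     = 'Share'
            Account   = $ace.AccountName
            Type      = "$($ace.AccessControlType)"
            Rights    = "$($ace.AccessRight)"
            Inherited = $null
            Owner     = $acl.Owner
            Broad     = $broad.ContainsKey([string](Resolve-Sid $ace.AccountName))
        }
    }
    # Security / NTFS permissions on the shared folder itself
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Share     = $share.Name
            Layer     = 'NTFS'
            Account   = $ace.IdentityReference.Value
            Type      = "$($ace.AccessControlType)"
            Rights    = "$($ace.FileSystemRights)"
            Inherited = $ace.IsInherited
            Owner     = $acl.Owner
            Broad     = $broad.ContainsKey([string](Resolve-Sid $ace.IdentityReference.Value))
        }
    }
}
$report | Sort-Object Share, Layer | Format-Table -AutoSize
```

Rows where `Broad` is true on both layers for the same share are the ones where a broad group can actually reach the data, since effective access over the network is the more restrictive of the two layers.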