Any good NTFS permission primer or suggestions

rsutoratosu

Platinum Member
Feb 18, 2011
So I run into this a lot with servers I set up. File shares and permissions for sub/nested folders 10 levels down.

Most common are like Accounting, HR, Blah, Blah2, Blah3

So permissions are set up as:
Accounting Share (Change);
Accounting Group R/W - Read/write
Accounting Group R - Read only

The problem is once everything is set, I'll get these weird requests like "oh, Person XYZ needs the accounting\2010\Feb\XYZ\ABCD folder but nothing else." So how would you go about giving the guy access?

Like I don't want to create 50,000 group memberships or 50,000 shares for people. Is there an easier way to give him access to that folder using existing groups, or do I need to do something else?

And as time goes on, it'll be like someone needs march\xyz but not this, or someone else comes and needs another different directory, etc., which makes groups kinda useless.


Accounting
-2010
--Jan
---XYZ
----ABCD

--Feb
---XYZ
----ABCD

--Mar
---XYZ
----ABCD

-2011
--Jan
---XYZ
----ABCD

--Feb
---XYZ
----ABCD

--Mar
---XYZ
----ABCD
 

xSauronx

Lifer
Jul 14, 2000
At some point you have to trust employees, IMO. I've been at the current place for only a month so I'm still figuring out the oddities, but typically there are very few oddball permissions handed out.

If someone needs access to accounting\departments\reports\monthly-report and a group already has access to accounting\departments, they will go in that group. Odds are they are going to need to get into that folder for other reports later anyway, and if you can trust them with one they can probably be trusted with others.

Talk this over with people who use/interact with that kind of data and see if there's a reason you can't generally just move people into groups for access like this, even if you have to take them out a month later.

If they just need a copy for review, someone can just email them the copy so you don't have to drive yourself nuts over something like that, IMO.
 

Lifted

Diamond Member
Nov 30, 2004
Everyone who is responsible for a file server has to deal with this. That's why you get paid the big bucks. :D

Yes, you will end up with thousands of local security groups covering for the resources (folders) within the shares. Yes, security on each folder will look like a minefield. Yes, the next person will go insane trying to figure it all out. IMO as long as you're consistent, and document the procedure, it shouldn't take too long to figure out.

The method I've grown to use:

\\products\fruit\oranges\navel\

If somebody needs access to the navel folder within the products share, I will either:

a) Create a security group for each folder and assign the permissions required to navigate through the share to that resource, applying the permissions to "this folder only".

The advantage to this method is you can reuse the security groups later if you know this is a heavily used resource.

b) Create one security group for all folders and assign the permissions required to navigate through the share to that resource, applying the permissions to "this folder only".

This is obviously a bit quicker for when you're either feeling lazy or think there won't be many future requests for such granular permissions in that share due to low volume of files or people accessing the share.

Combined with access-based enumeration, the department managers and security auditors should be satisfied that employees cannot view or access resources they don't have access to. Document the procedure for providing access to resources on file servers and stick to that procedure. After all, CYA is everyone's number one priority. ;)
 

Lifted

Diamond Member
Nov 30, 2004
> If someone needs access to accounting\departments\reports\monthly-report and a group already has access to accounting\departments, they will go in that group. Odds are they are going to need to get into that folder for other reports later anyway, and if you can trust them with one they can probably be trusted with others.

I do not recommend anyone give out permissions willy-nilly due to lazy-logic such as "odds are" and "probably". If any of my staff did this I'd fire them without giving it a second thought.
 

JoeBleed

Golden Member
Jun 27, 2000
> I do not recommend anyone give out permissions willy-nilly due to lazy-logic such as "odds are" and "probably". If any of my staff did this I'd fire them without giving it a second thought.

No kidding, especially if you need to meet/pass standards and security audits.

For the situation you describe, we have a departments directory and a public directory. Public gets departments under it where they can place files others need to see, but not change.

\\server\share\departments
\\server\share\public\departments

Unlike our corporate office, we try and keep the number of base shares low and use directories and rights for file sharing. This aids in keeping drive letters consistent across our location so we don't run into people using the wrong drive letter for access to things.

We also try and create descriptive groups for people that need odd access to places they normally wouldn't be able to get to. We do make a few exceptions for direct user access rights, but we try and avoid it most of the time.

And don't be afraid of using the description box for groups. It's very helpful.

Learn from my mistake, as I should have learned from it before. Don't set up a temp share and let people use it willy-nilly for extended periods of time. When it comes time to get people away from it and mixed into the regular structure, you'll probably have a hell of a fight on your hands. General users will make a damn mess out of a directory tree in a heartbeat.
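The per-resource group method Lifted describes (a security group for the target folder, "this folder only" navigation rights on each parent, real rights only on the target) and JoeBleed's advice to give such groups a description that says what they grant, carried out as one script. This is an added example, not code posted in the thread: the share path, target folder, group name, OU and member name are placeholders, and it assumes it runs on the file server with the ActiveDirectory module available and an account allowed to create groups and edit ACLs.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Grants one security group access to a nested
# folder: ReadAndExecute on "this folder only" for each ancestor up to the share root,
# Read or Modify (inherited) on the target itself. All defaults are placeholders.
param(
    [string]$ShareRoot  = 'D:\Shares\Accounting',                     # local path behind the Accounting share
    [string]$TargetPath = 'D:\Shares\Accounting\2010\Feb\XYZ\ABCD',  # folder the requester needs
    [string]$GroupName  = 'FS-Accounting-2010-Feb-XYZ-ABCD-R',        # one group per resource, named after the path
    [ValidateSet('Read', 'Modify')] [string]$Access = 'Read',
    [string]$GroupOU    = 'OU=FileServerGroups,DC=example,DC=com',    # where file-server groups live
    [string]$Member     = ''                                          # optional user to add right away
)

$shareNorm  = $ShareRoot.TrimEnd('\')
$targetNorm = $TargetPath.TrimEnd('\')
if (-not $targetNorm.StartsWith($shareNorm + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Target '$TargetPath' is not inside share root '$ShareRoot'"
}
if (-not (Test-Path -LiteralPath $targetNorm -PathType Container)) {
    throw "Target folder '$TargetPath' does not exist"
}

# 1. Create the group if it is missing. The description records exactly what the group
#    grants, so the next admin can read the ACL "minefield" without guessing.
$domain = (Get-ADDomain).NetBIOSName
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
        -Description "$Access on $targetNorm; traverse-only (this folder only) on its parents"
}
if ($Member) { Add-ADGroupMember -Identity $GroupName -Members $Member }
$identity = [System.Security.AccessControl.NTAccount]"$domain\$GroupName"

function Grant-FolderAce {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 2. Walk from the target's parent up to the share root. Each ancestor gets ReadAndExecute
#    with no inheritance ("this folder only"): enough to open and list that folder (and, with
#    access-based enumeration, to see it at all) without exposing sibling folders or files.
$ancestors = New-Object System.Collections.Generic.List[string]
$p = Split-Path -Parent $targetNorm
while ($p) {
    $ancestors.Add($p)
    if ($p.TrimEnd('\') -ieq $shareNorm) { break }
    $p = Split-Path -Parent $p
}
foreach ($folder in $ancestors) {
    Grant-FolderAce -Path $folder -Rights ReadAndExecute -Inherit None -Propagate None
}

# 3. Only the target folder gets the requested rights, inherited by everything below it.
$rights = if ($Access -eq 'Modify') { 'Modify' } else { 'ReadAndExecute' }
Grant-FolderAce -Path $targetNorm -Rights $rights -Inherit 'ContainerInherit, ObjectInherit' -Propagate None

# 4. Report every explicit (non-inherited) ACE the group now holds under the share,
#    which is the line you paste into the change record the auditors ask for.
$dirs = @(Get-Item -LiteralPath $shareNorm) + @(Get-ChildItem -LiteralPath $shareNorm -Directory -Recurse -Force)
foreach ($dir in $dirs) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        if (-not $ace.IsInherited -and $ace.IdentityReference.Value -ieq "$domain\$GroupName") {
            [pscustomobject]@{
                Path      = $dir.FullName
                Rights    = $ace.FileSystemRights
                AppliesTo = if ($ace.InheritanceFlags -eq 'None') { 'This folder only' } else { 'This folder, subfolders and files' }
            }
        }
    }
}
```

Two things the script relies on that it does not set: the share permission itself (the OP's "Accounting Share (Change)") must already admit the group, since share and NTFS permissions are evaluated together, and access-based enumeration must be enabled on the share for the hidden siblings to actually disappear from the requester's view. Lifted's variant (b), one traverse group reused for every folder, is the same script with a fixed $GroupName and step 3 skipped for the parents already covered.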