Shares and mapping for users in AD


  • Shares and mapping for users in AD

    I am in the process of planning a "re-design" of a 2003 AD that I am currently administrating.

    The situation today is that we have about 600 employees, where almost half of them are logging on to Novell. All computers are members of the domain, but in reality I only have full control over the half that is running a clean Windows environment.

    Now I want to get rid of Novell once and for all, but that means that I have to build up a new file structure that all users can use without much training.

    Novell is actually really good when it comes to permissions and mappings and so on... If you don't have permission, you don't see the folder... if you see it, you got it... but now I want to change to Windows for everyone...

    All clients are Windows XP Pro.

    I have read several "best practices" but I am not sure what suits my users best.
    I have several departments and several admin-functions. (Sales, production, HR, IT, Business support and so on...)

    That brings me to the real question...

    What would you guys recommend?

    * Do you map every share to a different drive letter?
    * Do you map the server to a drive letter so all users see all shares and only get access to the shares they are allowed to?
    * Do you use only security groups, or do you give users access directly to the shares or folders?

    If you know of any good threads or articles on the subject I would love to hear about it.

    Tnx!
    Greetings from
    Petter C.
    Norway

  • #2
    Re: Shares and mapping for users in AD

    You remind me of the old days. I still think NetWare has a better permissions method and performance than Microsoft Windows Server.
    One of the drawbacks of Windows is what you are asking for.
    There is a solution for it.
    For one to be able to access a folder, he needs "List Files/Folders" permissions.
    What you can do is create a share; on the share settings give everyone Read/Write, and on the NTFS permissions give read only to the groups you would like to have access.

    E.g. create a folder called "Data" -> share it; in that folder create subfolders representing company roles like "Sales" and "IT" etc.
    Make sure that on the Data folder no one has permissions except the Server Admins/Domain Admins/etc. (but don't configure any deny access); on the Sales subfolder attach the Sales group, on the IT subfolder attach the IT group, etc.
    I think that might work; if it doesn't, then post here again and I'll give you another solution.
    Last edited by Akila; 7th November 2008, 13:58.



    • #3
      Re: Shares and mapping for users in AD

      I bought the idea, but I can't seem to get it to work as intended.

      I have folder: testfolder
      In that folder I have subfolder1 and subfolder2

      I also have a testuser: testuser1
      Group: testgroup1 (testuser1 is member of this group)

      When I share testfolder and give everyone read access, my testuser1 cannot access the share.
      If I give testgroup1 access in NTFS on the shared folder... testuser1 can access it, BUT then testuser1 can also see subfolder 1 and 2 because these folders inherit permissions from the top-folder.

      Maybe I am thinking/doing wrong?
      Greetings from
      Petter C.
      Norway



      • #4
        Re: Shares and mapping for users in AD

        Hi, most companies follow drive letters like
        S:\ Shared; under Shared you put your subfolders, i.e. sales, admin, marketing, etc.
        U:\ User
        H:\ Home

        You map the drives from the workstation to a shared folder on the server; you can do it manually or with a logon script.

        Permissions are set with security groups on the NTFS permissions of the shared folder: sales, marketing, etc.
        Please remember to award reputation points if you have received good advice.
        I do tend to think 'outside the box' so others may not always share the same views.

        MCITP -W7,
        MCSA+Messaging, CCENT, ICND2 slowly getting around to.



        • #5
          Re: Shares and mapping for users in AD

          Done some more testing...

          When I create a new share and let everyone have access to the share as it is by default, the users can open the share and see the folders I create under the share.

          I would think that I have to remove the "users" group from the NTFS permissions on the subfolders to prevent them from seeing the subfolders, but then I have to disable "inherited permissions" on each folder also... is that the way it's supposed to be, or am I getting it all wrong?
          Greetings from
          Petter C.
          Norway



          • #6
            Re: Shares and mapping for users in AD

            Originally posted by uk_network:
            "You map the drives from the workstation to a shared folder on the server, you can do it manually or with a logon script."
            A logon script in a GPO would be preferable.

            As for what "most companies" do as standard - there isn't one. We map each share to a different drive letter.

            Microsoft's advised Best Practices suggest that you should grant share permissions to security groups rather than to individual users.
            Gareth Howells

            BSc (Hons), MBCS, MCP, MCDST, ICCE

            Any advice is given in good faith and without warranty.

            Please give reputation points if somebody has helped you.

            "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

            "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



            • #7
              Re: Shares and mapping for users in AD

              Try this in your test environment. I took some of it from another thing I wrote, because I was too lazy to type it all again.

              Step 1: d:\
              I created a d:\ for users' files and data. I've taken all the permissions off the root except
              Administrators (full control)
              SYSTEM (full control)

              Step 2: d:\shared
              Under that I have Shared,
              shared out with Authenticated Users (full control).
              In the Security tab I have added Authenticated Users with Read & Execute, List Folder Contents and Read.

              Step 3: d:\shared\petri
              Under Shared I created a special folder called Petri.
              In the Security tab > Advanced > uncheck "Allow inheritable permissions" > Copy > click OK.
              So I am back in the Security tab; removed Authenticated Users,
              then added my special group called 'petri' and set the permissions there.
              Click Advanced, choose the 'petri' group > Edit > uncheck
              Full Control
              Take Ownership
              Change Permissions
              Delete

              You need to do step 3 for every top-level folder.

              Try that and see how it goes.
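Step 3 from the post above, scripted in PowerShell as an added example that is not part of the original thread: it breaks inheritance with a copy, removes Authenticated Users, grants the department group the reduced rights, and then verifies the result by SID so the check does not depend on the Windows display language. The function name and the `EXAMPLE\` group names are assumptions; `D:\shared\petri` comes from the post. Run it elevated on the file server.

```powershell
# Added example, not from the thread. Set-DepartmentFolderAcl is a hypothetical
# helper name; the EXAMPLE\... groups are placeholders for your own groups.
function Set-DepartmentFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Group
    )
    $ac = 'System.Security.AccessControl'

    # "Uncheck allow inheritable permissions > Copy": protect the folder and
    # keep the previously inherited ACEs as explicit entries.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read so the copied ACEs are explicit, then remove Authenticated Users
    # (well-known SID S-1-5-11).
    $acl = Get-Acl -Path $Path
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $acl.PurgeAccessRules($authUsers)

    # Full Control minus Take Ownership, Change Permissions and Delete.
    $rights  = [Enum]::Parse("$ac.FileSystemRights" -as [type],
                             'ReadAndExecute, Write, DeleteSubdirectoriesAndFiles')
    $inherit = [Enum]::Parse("$ac.InheritanceFlags" -as [type],
                             'ContainerInherit, ObjectInherit')
    $rule = New-Object "$ac.FileSystemAccessRule" -ArgumentList $Group, $rights, $inherit,
        ([System.Security.AccessControl.PropagationFlags]::None),
        ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Verify: inheritance must be off and no broad principal may remain.
    # S-1-1-0 = Everyone, S-1-5-11 = Authenticated Users, S-1-5-32-545 = BUILTIN\Users
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $check = Get-Acl -Path $Path
    $broad = $check.Access | Where-Object {
        $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        $broadSids -contains $sid.Value
    }
    if (-not $check.AreAccessRulesProtected -or $broad) {
        throw "ACL on $Path is still too broad"
    }
    $check.Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Constructed mapping of top-level folders to groups (step 3 once per folder).
$folders = @{ 'D:\shared\petri' = 'EXAMPLE\petri'; 'D:\shared\sales' = 'EXAMPLE\sales' }
foreach ($entry in $folders.GetEnumerator()) {
    Set-DepartmentFolderAcl -Path $entry.Key -Group $entry.Value
}
```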


              • #8
                Re: Shares and mapping for users in AD

                Will try on monday...

                Seems like much administration every time a user or department wants a new folder added, but maybe that's just the way it is?
                Greetings from
                Petter C.
                Norway



                • #9
                  Re: Shares and mapping for users in AD

                  I would have thought it would only require administrator intervention whenever a new department is to be formed. Existing departments save their files into the department's existing share.
                  Gareth Howells



                  • #10
                    Re: Shares and mapping for users in AD

                    You can do it however you like, but if you give people too much access then they can view private data, delete everything or save files everywhere and make a mess.


                    • #11
                      Re: Shares and mapping for users in AD

                      True, but that's an education issue, not a technical issue. It's very difficult to overcome a dumb user's ideas without whipping them with a Centronics cable.
                      Gareth Howells



                      • #12
                        Re: Shares and mapping for users in AD

                        What I hate about Windows is the access based enumeration not enumerating the full path to something you have access to.

                        For example you have access to

                        \\fileserver\shared\private
                        And \\fileserver\shared\private\topsecret\dontcomehere\spydocuments\*.*

                        But you don't have access to topsecret, dontcomehere..

                        Novell would be intelligent enough to not show you the contents of "topsecret" except for "dontcomehere" - so you could navigate to your destination.

                        With Windows ABE...you just don't see anything and need to know the destination!

                        It is a problem mostly when implementing Windows based file sharing solutions for clients who have a really weird file structure and just want you to copy things and make them work "like they did on Novell!" with minimal involvement on their side.
                        VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



                        • #13
                          Re: Shares and mapping for users in AD

                          uk_network: Seems to work as intended. Thanks a lot.

                          Still... Windows really sucks when it comes to sharing compared to NetWare... My users will not be happy with this change...

                          Well... that's life
                          Greetings from
                          Petter C.
                          Norway



                          • #14
                            Re: Shares and mapping for users in AD

                            Originally posted by torcar:
                            "My users will not be happy with this change..."
                            Users are never happy. Spare the rod and spoil the rm -r
                            Gareth Howells
