Share Permissions


  • Share Permissions

    The HR dept within a company I am working for has requested that everyone BUT the HR team be denied access to their area due to confidential information including IT.

    The objective is for the IT team to be able to manage the folder structure of the HR area, but not be allowed to view or modify the documents contained within it even at admin levels.

    Are any of you aware of a (preferably native to 2003) solution for this? I'm thinking along the lines of file encryption, but would anticipate user issues with this.

  • #2
    Re: Share Permissions

    The only way to deny access to document content while retaining management functions is encryption. There is a discussion on encryption somewhere, but for large volumes of data (which HR tends to be) I would NOT suggest using Windows based Encryption as it's SLOW.....

    Personally I would have to ask why THIS HR department has to be different, and doesn't trust their IT Staff to remain professional...? Every organisation I ever worked for has point-blank turned down flat ANY request from ANY department which would deny IT staff the full access they need to be able to support them.

    What's going to happen when they want a corrupt document "fixing"?


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Share Permissions

      How about offering them auditing of file access, so they can check who has accessed their folders?

      You could explicitly deny access to non-HR groups (and still be able to take ownership in emergencies). Remind them that backups might not work if you are too restrictive with permissions.

      Why not get them to password protect individual files (Word, Excel etc) and then they have control, also responsibility if they lose passwords?

      Tom
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Share Permissions

        Agree here with stonelaughter. I would say if we lock it down so tight, if you have problems accessing it then we won't be able the directories to see what the problem is.

        As they said, it's a question of trust...



        • #5
          Re: Share Permissions

          I don't have any permissions on the HR and management shares at work and it causes me no problems.

          Remember you can always take ownership of the folders if you need to.



          • #6
            Re: Share Permissions

            LOL - you can TS onto the box and look at it that way, if it's only locked down with share permissions...


            Tom


            • #7
              Re: Share Permissions

              Originally posted by Stonelaughter:
              LOL - you can TS onto the box and look at it that way, if it's only locked down with share permissions...
              Depends on how the folders have been set up.

              Here we only have the HR department with the full control option. No one else has any access rights whatsoever to the folder.

              As an administrator I can then go and take ownership and add myself or the IT team to gain access.

              Back to the original question.

              1. Yes, you can do this by removing all other users and groups from the NTFS permissions on the folder.

              2. Not that I'm aware of, other than using some sort of encryption as has been mentioned. This, though, I can imagine could cause problems.

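An added example, not written by any of the posters: one way to combine the HR-only NTFS permissions described in post #7 with the auditing suggested in post #3, so that an administrator taking ownership or changing the permissions leaves a Security log entry. It assumes PowerShell is installed on the file server; the path `D:\Shares\HR` and the group `CONTOSO\HR-Staff` are hypothetical.

```powershell
# Added example. Hypothetical names: change the path and group for your site.
$Path    = 'D:\Shares\HR'
$HrGroup = 'CONTOSO\HR-Staff'

$ns      = 'System.Security.AccessControl'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$watch   = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$both    = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Read the descriptor together with its SACL. This needs an elevated session
# that holds the "Manage auditing and security log" user right.
$acl = Get-Acl -Path $Path -Audit

# DACL: stop inheriting from the parent and drop the inherited entries,
# then remove the explicit entries so the HR group is the only one left.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRuleSpecific($rule)
}
$hrRule = New-Object -TypeName "$ns.FileSystemAccessRule" `
    -ArgumentList $HrGroup, $full, $inherit, $noProp, $allow
$acl.AddAccessRule($hrRule)

# SACL: record every attempt, by anyone, to take ownership of the folder
# tree or to rewrite its permissions. These are the two operations an
# administrator needs in order to regain access to an HR-only folder.
$auditRule = New-Object -TypeName "$ns.FileSystemAuditRule" `
    -ArgumentList 'Everyone', $watch, $inherit, $noProp, $both
$acl.AddAuditRule($auditRule)

Set-Acl -Path $Path -AclObject $acl

# Show the resulting access and audit entries for review.
$result = Get-Acl -Path $Path -Audit
$result.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
$result.Audit  | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

The audit entries are only written to the Security log when the "Audit object access" policy is enabled on the server. Files stay readable by anyone who takes ownership, so this records administrator access rather than preventing it.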


              • #8
                Re: Share Permissions

                Thanks for the responses, looks like encryption is the way.

                Personally, I feel it's more a management issue than a technical one. There should be trust with the IT dept enough for the data to be managed appropriately, and if there isn't then there's something wrong.

                Auditing is an option, but I seriously doubt that the logs would ever be looked at myself.

                I was hoping this would simply drop off the radar, but it's been hanging around like a bad smell for a while now and I think HR want to act on it.



                • #9
                  Re: Share Permissions

                  Would it be Microsoft's EFS? If so, you should take all the measures needed to ensure you will never lose your data. This article should help.
                  And see also this article, dealing with the meaning of EFS itself.
                  Use the EFS solution only after you (both you and your HR department clients) are certain you understand the full implications of it. Even resetting the password for a user that forgot it will make his/her encrypted files unusable, unless you prepared yourself from the beginning.
                  I myself don't use encryption, so can't really give you all the good advice, but I heard of so many people who lost files this way.
                  I don't want to scare you or make you change your mind, only to warn you about the implications of this move.
                  Good luck and keep the forum posted.

                  Sorin Solomon


                  In order to succeed, your desire for success should be greater than your fear of failure.


                  • #10
                    Re: Share Permissions

                    Desktop Authority from Scriptlogic is able to do that. It has functions to build a list of rules for politics to be applied to chosen principals. It's possible to create boolean expressions right with the GUI. I can define a permissions list and assign the needed permission to all users BUT another. In your case I would add two groups and set deny permissions to, say, Domain Users but HR. If these are containers you can also choose them and restrict access to all users within the LA OU except for the HR group in it. Then I would suggest using the system.adm administrative template and hiding drives for users you want to restrict, to prevent their access to specified drives.