Applying ADGLP for NTFS permissions - need advice

  • Applying ADGLP for NTFS permissions - need advice

    I am not sure if this is the right forum - I thought it may also be relevant to security or Active Directory - but I will try here. I am aware of the ADGLP best practice when it comes to ADDS and NTFS permissions. I use this in my current environment. However, it is used sparingly - we have a fairly flat and "wide open" network when it comes to permissions. It was like this when I got here, and is a project to correct prior sins at some point in the future.

    That being said - I have a file server that is one of our main file shares. Our "G" drive if you will. I have just been asked to set up the following permission to a newly created folder:

    NewFolder
    ----SubFolder1
    --------N Subfolders / Files
    ----SubFolder2
    --------N Subfolders / Files
    ----SubFolder3
    --------N Subfolders / Files
    ----SubFolder4
    --------N Subfolders / Files
    ----SubFolder5
    --------N Subfolders / Files
    ----SubFolder6
    --------N Subfolders / Files
    ----SubFolder7
    --------N Subfolders / Files
    ----SubFolder8
    --------N Subfolders / Files

    What I am being asked is the following:

    A) For this particular folder, only Admins can have create / delete / move both folders and files (This is completed. I created a domain local group for this ACL_Server Path To Folder_Full Control, and then a Global security group ThisShare Admin and made it a member of the ACL_Server Path To Folder_Full Control. On the "NewFolder" (from above), I modified the permissions to remove inheritable, and assign ACL_Server Path To Folder_Full Control group full control.)

    B) There will be groups of people that will need access to one or more of the SubFolder(1-8). Maybe only 1, maybe more than 1. This access will allow them the ability to create, remove, edit files only. Nothing with folders or subfolders. So my question here is - using the ADGLP best practice, should I then create a domain local security group for each of these top level sub folders?? And then global security groups to go in each of these domain local security groups??

    C) I know of one instance currently, but I am sure this will change where a small number of users need access to NewFolder-->Subfolder2-->SubfolderA - again, files only, no folder creation or deletion here. As with "B" - would I create a domain local security group for this (and any other sub-sub folders), and matching global security groups?

    I have to imagine there is a better way here and I just can't wrap my head around it.

    Thanks in advance

    sb
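
One way to script the layout described in A) and B), as an added example that is not part of the original post: one domain local / global group pair per resource, with "files only" rights built from two ACEs. The path, OU and group-name pattern are placeholders, and the script assumes it is run elevated on the file server with the ActiveDirectory module available.

```powershell
# Added example. Path, OU and group names are placeholders, not values from the post.
Import-Module ActiveDirectory
$Root = 'D:\Shares\NewFolder'            # hypothetical local path behind the "G" drive
$OU   = 'OU=Groups,DC=example,DC=com'    # placeholder OU for the new groups

function New-ResourceGroupPair {
    param([string]$Name)
    # Domain local group goes on the ACL; the global group holds the accounts.
    $dl = New-ADGroup -Name "ACL_$Name" -GroupScope DomainLocal -GroupCategory Security -Path $OU -PassThru
    $gg = New-ADGroup -Name "GG_$Name" -GroupScope Global -GroupCategory Security -Path $OU -PassThru
    Add-ADGroupMember -Identity $dl -Members $gg
    $dl.SID    # return the SID so the ACE does not depend on name resolution
}

function Add-AllowAce {
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $rule  = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate, $allow)
    $Acl.AddAccessRule($rule)
}

# A) Root folder: stop inheriting from the parent, admins group gets Full Control.
$adminSid = New-ResourceGroupPair -Name 'NewFolder_FullControl'
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL, discard inherited ACEs
Add-AllowAce $acl $adminSid 'FullControl' 'ContainerInherit, ObjectInherit' 'None'
Set-Acl -Path $Root -AclObject $acl

# B) Each top-level subfolder: its own group pair, rights on files but not on folders.
foreach ($dir in Get-ChildItem -Path $Root -Directory) {
    $sid = New-ResourceGroupPair -Name "NewFolder_$($dir.Name)_FilesModify"
    $acl = Get-Acl -Path $dir.FullName
    # This folder and subfolders: list, traverse, create files.
    # CreateDirectories and Delete are not granted, so folders cannot be added or removed.
    Add-AllowAce $acl $sid 'ReadAndExecute, CreateFiles' 'ContainerInherit' 'None'
    # Files only (inherit-only): Modify, which covers editing and deleting files.
    Add-AllowAce $acl $sid 'Modify' 'ObjectInherit' 'InheritOnly'
    Set-Acl -Path $dir.FullName -AclObject $acl
}
```

The same two-ACE pattern can be applied at a deeper folder for case C); the subfolders keep inheriting the admins' Full Control from NewFolder because only the root has inheritance blocked.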