On Thu, Sep 27, 2012 at 11:17 AM, Michael Leone <oozerd...@gmail.com> wrote:
> On Thu, Sep 27, 2012 at 1:04 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>
>> The good thing about this is that you can then populate those
>> descriptive groups with the base groups for departments or workgroups,
>> and when someone moves to a new position, you remove them from their
>> no longer relevant groups, and add them to the newly relevant groups.
>> So, for instance, when Ralph in accounting moves from AP to AR, you
>> remove him from the AP group and add him to the AR group, and he
>> automatically inherits all of the permissions needed, while losing the
>> permissions that no longer apply. This also applies to
>> cross-functional groups, which can be viewed as sort of
>> meta-departments.
>
> What we also do - we have a group for department members, and a group
> for non-department members who need access to another department's
> files.
>
> So we have "Dept-Finance", and those folks get RWXD access to the
> Finance folder hierarchy. And we have another group "Finance_RO",
> which is used as security to specific sub-folders of Finance, by users
> not in the Finance department but who happen to need access to some
> files in the Finance folder hierarchy (like reports or budget files or
> project status reports, etc)
>
> So everybody gets a "Dept-somewhere", which is assigned via drive
> mappings in a GPO. If you need access into Finance, and you are not a
> member of the Finance dept, you map your own drive letters.
>
> Yeah, I have a whole bunch of groups, effectively at least 2 per
> department - one for department members, one for non-department
> members. Sometimes more, as we have _RWXD and _RO groups, depending,
> etc.

Exactly.

In addition, I have specified on the file server that permissions will not be applied further down the directory tree than two levels underneath a share. Thus, on the D: drive on the file server, there is a share called Departments. Permissions will only be applied to \\fileserver\Departments\Finance\PublicDocuments or \\fileserver\Departments\Finance\PrivateDocuments - if a directory needs different permissions, it gets created as a sibling at that level, such as \\fileserver\Departments\Finance\ManagerForms.

Saves a lot of headache.

Kurt
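
An added example, not part of the original thread: a PowerShell audit that reports folders breaking the "no permissions deeper than two levels underneath a share" rule described above. The share path is the one named in the message; the parameter names and the report columns are assumptions of this example.

```powershell
# Added example: find folders deeper than the allowed level that carry their
# own permissions instead of inheriting them from the department-level folder.
param(
    # Share root; \\fileserver\Departments is the path used in the thread.
    [string]$ShareRoot = '\\fileserver\Departments',
    # Deepest level below the share where explicit ACEs are allowed.
    [int]$MaxAclDepth = 2
)

$root = (Get-Item -LiteralPath $ShareRoot).FullName.TrimEnd('\')

Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        # Depth below the share: Finance = 1, Finance\PublicDocuments = 2, ...
        $relative = $dir.FullName.Substring($root.Length).Trim('\')
        $depth = ($relative -split '\\').Count
        if ($depth -le $MaxAclDepth) { return }   # ACLs are allowed here

        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($dir.FullName)"
            return
        }

        # Explicit (non-inherited) ACEs below the allowed depth break the rule.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        # Blocked inheritance also means the folder diverges from its parent.
        if ($explicit.Count -gt 0 -or $acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                Path               = $dir.FullName
                Depth              = $depth
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitTrustees   = ($explicit.IdentityReference.Value |
                                        Sort-Object -Unique) -join '; '
            }
        }
    }
```

Each reported folder is a candidate for being recreated as a sibling at the second level, as the message suggests; subtrees the account cannot enumerate are skipped silently, so run it with an account that can read the whole share.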