That's more or less the way I've always done file permissions. As long as
you don't have anyone getting creative (my boss springs to mind) it always
works pretty flawlessly, and with a minimum of admin.

YMMV

2009/7/16 Tom Miller <tmil...@hnncsb.org>

> It took me a while to get used to it too, and some folks on this list
> provided suggestions.  My biggest issue was that I didn't want many shares
> under a root folder such as f:\deptdata\.  This is important here, since we
> are migrating file and print to Windows from a non-Windows system.
> Presently staff have rights (Novell world) to whatever folder they need
> under a root data directory.  I needed to retain that and retain drive
> mappings, since some of our applications (QuickBooks - yuck) point to
> specific letter paths.
> Here's what works for me:
> 1.  Create root-level share such as servername\data (this is for our
> departmental folders).  I'll call this "DATA"
> 2.  Set share perms on "data" for everyone as "full"
> 3.  NTFS perms:  Select NTFS, Advanced, and uncheck "include inheritable
> permissions".  Select Remove at the next dialog box.  Add Administrators
> back as full control, creator owner back as full control (this folder,
> subfolders and files), system, full control (this folder, subfolders and
> files)
> 4.  Still in NTFS perms:  add authenticated users, set to list folder/read
> data, this folder, subfolders and files.  ABE should be enabled.
> 5.  Then in Explorer browse to the (in my case departmental) folder, and
> give the AD DS group the appropriate access perms.
>
> Seems like a lot of steps, but it avoids extra drive mappings, since some
> users have access to several parallel folders.  I'm doing a bunch of folder
> migrations today, so if my notes are not exact I'll post an update.  I
> might have missed a step.
>
> If anyone has an easier method please share the wealth.
>
>
>
> Tom Miller
> Engineer, Information Technology
> Hampton-Newport News Community Services Board
> 757-788-0528
>
> >>> Miller Bonnie L. <mille...@mukilteo.wednet.edu> 7/15/2009 12:41 PM >>>
>
> So, I’ve been trying REALLY hard to just get used to UAC with WS08, but now
> that we have some actual file servers coming online, using windows explorer
> to assign permissions is driving me absolutely batty.
>
>
>
> Example: While logged on with a domain admin account on a WS08 SP2 member
> server, I create a folder on the root of the hard drive (let’s call it
> E:\Files).  Then, we remove inherited permissions and strip the list down to
> administrators and system full, and sometimes add domain admins with full,
> since that is the group here who can work with user files.  Then, we assign
> the permissions for domain groups who need access.  Folder can be shared out
> with Everyone Full, but the sharing isn’t really part of the problem.
>
>
> What I’ve listed above, which is fine on WS03, never seems to be enough
> permission for UAC, and I’ll get “access denied” errors when trying to apply
> permissions.  If I add my account explicitly (the domain admin I’m logged on
> as), it then works.  But if there is a subfolder (let’s say
> E:\Files\Butterflies) that I’m not added onto, then applying higher level
> permissions will make it stop and bark about permissions for that
> subfolder.  There can be a lot of subfolders, and it stops on each one.
>
>
>
> Leaving the “everyone” permissions or creator owner on there when setting
> up the folder seems to help sometimes, but then you end up with more
> permissions than we want on something, and with creator owner there seem to
> be added permissions.  Explorer.exe can’t be run in “compatibility mode” so
> I can’t set it to run elevated, but I find that if I run it as administrator
> I seem to still have problems—it’s almost like each time you change the
> focus in explorer it re-evaluates your credentials.
>
>
>
> Do other people have this trouble, and if so, *what are you doing to
> handle this?*  Here are some options I see:
>
> 1)     Assign explicit permissions for administrative accounts on all
> files and folders—yikes!  Would this work with a domain group, as long as
> it’s not domain admins (or something else in administrators)?
>
> 2)     Log on with THE local administrator account when we need to work on
> permissions.  (Yuk, getting prompted for domain credentials every time we
> need to browse the domain to add a group.  Also bad having multiple admins
> logging on the same account all the time).
>
> 3)     Suck it up and wait for R2, because they’ve made this “better”
> somehow?
>
> 4)     When creating a folder, leave permissions at the “default”.  Add
> groups that need access, and restrict the share-level permissions to just
> those groups (another yuk, especially since we are really getting away from
> sharing out every folder).
>
> 5)     Something else?  I was reading up on UAC on technet (
> http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx),
> but I’m not sure if I could gain or lose anything by doing something like
> disabling admin approval mode or changing the elevation prompt for
> administrators.  I’m concerned that this might really negate the security
> benefit of having UAC in the first place on a server.
>
> 6)     Turn off UAC—honestly, I really don’t want to do this unless there
> is no other option.
>
>
>
> -Bonnie


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

http://raythestray.blogspot.com
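
Tom's five steps from the quoted message, scripted for an elevated PowerShell session instead of Explorer. This is an added example, not part of the original thread; the folder paths, the `EXAMPLE\Finance-RW` group and the choice of Modify for that group are assumptions.

```powershell
# Added example: paths, share name and group below are placeholders.
# Run from an elevated PowerShell session on the file server.
$root  = 'E:\Data'                   # hypothetical root data folder
$dept  = Join-Path $root 'Finance'   # hypothetical departmental folder
$group = 'EXAMPLE\Finance-RW'        # hypothetical AD DS group

function New-FolderRule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    # "This folder, subfolders and files" = ContainerInherit + ObjectInherit
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $inherit,
        ([System.Security.AccessControl.PropagationFlags]::None),
        ([System.Security.AccessControl.AccessControlType]::Allow)
}

New-Item -ItemType Directory -Path $dept -Force | Out-Null

# Steps 1-2: one root-level share, Everyone = Full at the share level.
net share "DATA=$root" "/GRANT:Everyone,FULL"

# Step 3: stop inheriting from the volume root and drop the inherited ACEs,
# then add Administrators, CREATOR OWNER and SYSTEM back with Full Control.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # protect, do not copy inherited
foreach ($id in 'BUILTIN\Administrators', 'CREATOR OWNER', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-FolderRule -Identity $id -Rights FullControl))
}

# Step 4: Authenticated Users get List folder / Read data only.
$acl.AddAccessRule((New-FolderRule -Identity 'NT AUTHORITY\Authenticated Users' `
                                   -Rights ListDirectory))
Set-Acl -Path $root -AclObject $acl

# ABE is a share setting: enable it in the share's properties, or on
# Server 2012 and later: Set-SmbShare -Name DATA -FolderEnumerationMode AccessBased

# Step 5: give the departmental group its rights on its own folder.
# Modify is an assumption; the post only says "appropriate access perms".
$deptAcl = Get-Acl -Path $dept
$deptAcl.AddAccessRule((New-FolderRule -Identity $group -Rights Modify))
Set-Acl -Path $dept -AclObject $deptAcl

# Review the result: the root should show only the four explicit entries.
Get-Acl -Path $root, $dept | ForEach-Object {
    $_.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```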
