Best practices for mass editing of NTFS settings on file server?

Apart from "mechanics" (scripts, command line tools, group policy, etc.), you
should apply an organization strategy. The organization strategy recommended by
Microsoft is the A-G-DL-P strategy and its variants, like A-G-U-DL-P, A-G-G-DL-P,
A-G-L-P.

A-G-DL-P and A-G-L-P
Put accounts (A) into Global Groups (G).
Put Global Groups (G) into Domain Local Groups (DL) if the resources reside
on Domain Controllers.
Or, put Global Groups (G) into Local Groups (L) if the resources reside on
Member Servers.
Assign permissions on resources to DL or L
IOW,
Use Global groups for grouping user accounts.
Use DL and L groups to assign permissions on the resource.

A-G-G-DL-P, A-G-U-DL-P
This is group nesting, available on Domain functional level "Windows 2000
native" and later.
G-G means that one Global Group is a member of another Global Group
G-U means that a Global Group is a member of Universal Group.
Universal Groups are usually used when you have more than one domain, but SBS
and Exchange also use Universal groups a lot.
Example:
You have domains Contoso and Adatum
You create groups:
U_Enterprise_Management
G_Contoso_Management
G_Adatum_Management
DL_Management_Documentation_FullControl

Alice is a manager in Adatum, make her a member of G_Adatum_Management.
Bob is a manager in Contoso, make him a member of G_Contoso_Management.

You nest groups:
U_Enterprise_Management contains members:
G_Contoso_Management
G_Adatum_Management

DL_Management_Documentation_FullControl contains members
U_Enterprise_Management

You share a folder for ‘Management Documentation’
Set permissions:
Remove "Everyone", "Authenticated Users" and others
Add DL_Management_Documentation_FullControl – Full Control permissions
You may add read permissions for backup service.

You would proceed with the same logic for, let’s say, ‘xyz team members’ who
would have read permissions and so on.

It is also a good practice to adopt a naming convention similar to the above
example.

"Pegasus [MVP]" <> wrote in message
news:#…
>
> "Barkley Bees" <> wrote in message
> news:uza%…

>> We are planning to rework our NTFS permissions for one of our large file
>> servers (~3 TB of data – Server 2003 x64 Std Edition). This will involve
>> somewhat complex permission changes of nested folders and files many
>> levels deep. At the top level things are well structured but it turns
>> into a nightmarish spider-web the deeper down. Regardless of that we have
>> mapped out the necessary NTFS and share setting changes for this project.
>>
>> The question that remains, however, is what is the best way to do this?
>> Possible options:
>>
>> 1. Windows explorer (manually editing the NTFS settings).
>> 2. SubinACL?
>> 3. XCACLS?
>> 4. ScriptLogic Security Explorer
>> (http://www.scriptlogic.com/products/security-explorer/). How pricey is
>> it?
>>
>> Also, during an NTFS setting change of a large amount of files and
>> folders, is there much of an impact on the server (ie: will users notice
>> while they are accessing files?). We do plan to perform the changes on
>> Friday evenings and over the weekends of course. =)
>>
>> I realize that no matter what option(s) we go with that this is a
>> daunting task that will take some time to complete, as such we have
>> broken it up into phases.
>> I appreciate any feedback or advice on this matter from those who have
>> experience in this area.

>
> I would use cacls.exe. Its /T switch lets you process whole folder trees
> and the /C switch lets you continue if errors occur. You should pipe its
> output to a text file so that you can check for errors, e.g. like so:
>
> cacls d:\UserFiles /t /e /c /g JSmith:F ABarkley:R /r APeters /d JBrown
> 1>c:\cacls.txt 2>&1
>
> This is a disk-intensive operation and users may notice a sluggish
> response. Check your command on a small folder before going ahead.
>
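
An added example, not part of the original thread: a read-only PowerShell audit that walks a share and lists every explicit (non-inherited) ACE granted to anything other than a `DL_`-prefixed group, so deviations from the A-G-DL-P layout and naming convention described above can be found before and after a bulk permission change. The paths, the allow-list of built-in principals and the function name are assumptions, not values from the thread.

```powershell
# Added example (not from the thread): report explicit ACEs that bypass A-G-DL-P.
# Assumptions: both paths and the $allowed list are placeholders for your environment.
param(
    [string]$Root       = 'D:\Shares\ManagementDocumentation',  # hypothetical share root
    [string]$ReportPath = 'C:\Temp\acl-audit.csv',              # hypothetical report file
    [string]$DlPattern  = '\\DL_[^\\]+$'                        # matches DOMAIN\DL_* group names
)

# Built-in principals tolerated on the tree (assumption; trim to your policy).
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Hypothetical helper: true when the ACE is held by an allowed built-in or a DL_ group.
function Test-AceFollowsConvention {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $id = $Ace.IdentityReference.Value
    return ($allowed -contains $id) -or ($id -match $DlPattern)
}

# Audit the root folder itself plus every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -Force -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $($folder.FullName)"
        continue
    }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }               # only explicit ACEs matter here
        if (Test-AceFollowsConvention $ace) { continue } # DL_ group or allowed built-in
        # Anything left is a user, a non-DL group, Everyone / Authenticated Users,
        # or an unresolved SID (shown as S-1-5-...) left behind by a deleted account.
        [pscustomobject]@{
            Path     = $folder.FullName
            Identity = $ace.IdentityReference.Value
            Type     = $ace.AccessControlType
            Rights   = $ace.FileSystemRights
        }
    }
}

# Write the report; an empty result means every explicit ACE follows the convention.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Output ("{0} explicit ACE(s) outside the DL_ convention; report: {1}" -f @($findings).Count, $ReportPath)
```

The script only reads ACLs, so it can be run against the live tree ahead of the change window and again afterwards to confirm the result.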
