I have to mention this up front – the solution to this can’t be a $25,000 admin tool :)

We’ve got an issue I’ve mentioned in passing before regarding permissions. We tend to assign global groups NTFS permissions to files on our servers, and leave Everyone modify share permissions intact (domain admin full control). This is because one or two people here have been burned with the Users -> Global -> Local -> Resources practice when they had to move to a new file server (open to suggestions on that). Anyway, changing the entire security structure is not an option right now, and I’m here doing mostly SMS so…

What happens is contractors come and go in development, and people are forever requesting that so-and-so have access to this one folder so they can do this one thing. Not like so-and-so is working on the BigDev Project and needs to be in the BigDev group. And only the Network Services group has access to change permissions. Here is an example of the requests we get (names have been changed to protect the innocent):
Give Tom Cruiser read/write access to the following and change George Doublya access to read/write access to the following (remove any other access George Doublya has to other subfolders within these shares besides what is listed below):
fileserver\support\how to
fileserver\support\MCI
fileserver\support\Menu Exports
fileserver\support\Pos-DataCD
fileserver\support\Zipdata
sqlserver11\help\Tablechart
sqlserver11\help\Franchise
Also, give George Doublya read/write permissions to fileserver\opsserv and all subfolders.
So to start with, I have no idea what function either of these people do. There is not a group that matches the rights they need, and adding them to a global group can give them other rights, who knows what all that might be (answer: no one), least of all the person making the request. Such knowledge is unnecessary for them, and beneath them.
So what I have to do first is find the users’ logon names (enter a script I wrote for something completely different). Then I try to find which groups they are a member of (q’n’d way is getuserinfo – thanks Joe). Then I pull up Computer Management with \\fileserver and go to Shares, check the share permissions (some of them still have share level permissions). Then I pull up the actual directory in explorer, check NTFS permissions. I’m looking for common groups. If something is obvious to map to a group, I add that. So I open ADUC. I know dsmod can do this but that means lots of DN typing…
This is all very labor intensive, inefficient, and scary. So please, offer any and all suggestions as to how to streamline this, how to better use command lines for this, any scripts someone might have found or other best practices for some of these tasks. I’m also interested in how people deal with local groups when a server needs to be migrated. And any suggestions as to how we might get from here to a more efficient security model without disrupting the users (big no-no). Sorry so long… and thanks
Rich
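The lookup the post walks through by hand (the user's groups, the share permissions, the NTFS permissions, then looking for which of them actually line up) as one script, added here and not part of the original post or anything its author used; it assumes PowerShell with the RSAT ActiveDirectory module and the SmbShare module, and the UNC paths are placeholders modelled on the request above.

```powershell
# Added example (not from the original post): report which share-level and
# NTFS ACEs on a set of UNC paths actually apply to one user, so a request
# like the one above can be checked before and after any change.
# Assumes the RSAT ActiveDirectory module and the SmbShare module.
param(
    [Parameter(Mandatory)] [string]   $SamAccountName,
    [Parameter(Mandatory)] [string[]] $Paths    # e.g. '\\fileserver\support\MCI'
)
Import-Module ActiveDirectory

function ConvertTo-Sid($Identity) {
    # Accepts an IdentityReference or a 'DOMAIN\name' string; $null if unresolvable.
    if ($Identity -is [System.Security.Principal.SecurityIdentifier]) { return $Identity.Value }
    try { ([System.Security.Principal.NTAccount] "$Identity").Translate(
              [System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

# 1. The user's own SID plus every group SID, nested groups included
#    (tokenGroups), plus Everyone and Authenticated Users, which every
#    domain logon carries.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
$sids = @($user.SID.Value, 'S-1-1-0', 'S-1-5-11') +
        @($user.tokenGroups | ForEach-Object { $_.Value })

foreach ($path in $Paths) {
    # 2. Share-level ACL: split '\\server\share\sub' into server and share name.
    $parts  = $path.TrimStart('\') -split '\\'
    $server = $parts[0]; $share = $parts[1]
    Get-SmbShareAccess -CimSession $server -Name $share |
        Where-Object { $sids -contains (ConvertTo-Sid $_.AccountName) } |
        ForEach-Object {
            [pscustomobject]@{ Path = "\\$server\$share"; Level = 'Share'
                               Principal = $_.AccountName
                               Rights = $_.AccessRight; Type = $_.AccessControlType }
        }
    # 3. NTFS ACL: an ACE applies if its identity is the user or one of the groups.
    foreach ($ace in (Get-Acl -Path $path).Access) {
        if ($sids -contains (ConvertTo-Sid $ace.IdentityReference)) {
            [pscustomobject]@{ Path = $path; Level = 'NTFS'
                               Principal = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights
                               Type = $ace.AccessControlType }
        }
    }
}
```

Run it once for each name in the request; any row whose Principal is a group rather than the user shows which existing group already grants (or denies) the access, which is the "common group" the post is hunting for, and a Deny row or an empty result for a path shows where the effective access differs from what the requester assumed.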
