Tough situation. Looks like the permissions issue got completely out of hand. A consistent policy is the only way I know of solving this. Either a user has permissions on a subtree, or he does not. Meddling with in-between permissions is the road to madness! Permissions are applied through groups that define either certain folders (or sets of folders), or define a certain functionality. I have no quick solutions for you, but:

> I’m also interested in how people deal with local groups when a server needs to be migrated

Local groups on servers are no fun. The AGDLP principle applies in multiple-domain scenarios, because global groups cannot contain members of other domains. Hence the advice of using local groups. One tool I’ve used to migrate local groups to other member servers is subinacl. But there is a way to have the best of both worlds: domain local groups in AD native mode. They may be used throughout the domain, on DCs and on member servers. I hope this helps you some.

-- Regards,
Willem

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Rich Milburn

I have to mention this up
front – the solution to this can’t be a $25,000 admin tool :-) We’ve got an issue I’ve mentioned in passing before regarding permissions. We tend to assign global groups NTFS permissions to files on our servers, and leave Everyone modify share permissions intact (domain admin full control). This is because one or two people here have been burned with the Users -> Global -> Local -> Resources practice when they had to move to a new file server (open to suggestions on that). Anyway, changing the entire security structure is not an option right now, and I’m here doing mostly SMS so…

What happens is contractors come and go in development, and people are forever requesting that so-and-so have access to this one folder so they can do this one thing. Not like so-and-so is working on the BigDev Project and needs to be in the BigDev group. And only the Network Services group has access to change permissions. Here is an example of the requests we get (names have been changed to protect the innocent):

Give Tom Cruiser read/write access to the following and change George Doublya’s access to read/write access to the following (remove any other access George Doublya has to other subfolders within these shares besides what is listed below):

fileserver\support\how to
fileserver\support\MCI
fileserver\support\Menu Exports
fileserver\support\Pos-DataCD
fileserver\support\Zipdata
sqlserver11\help\Tablechart
sqlserver11\help\Franchise

Also, give George Doublya read/write permissions to fileserver\opsserv and all subfolders.

So to start with, I have no idea what function either of these people performs. There is not a group that matches the rights they need, and adding them to a global group can give them other rights; who knows what all that might be (answer: no one), least of all the person making the request. Such knowledge is unnecessary for them, and beneath them.

So what I have to do first is find the users’ logon names (enter a script I wrote for something completely different). Then I try to find which groups they are a member of (the q’n’d way is getuserinfo – thanks Joe). Then I pull up Computer Management with \\fileserver and go to Shares, check the share permissions (some of them still have share-level permissions). Then I pull up the actual directory in Explorer, check NTFS permissions. I’m looking for common groups. If something is obvious to map to a group, I add that. So I open ADUC. I know dsmod can do this but that means lots of DN typing… This is all very labor-intensive, inefficient, and scary.

So please, offer any and all suggestions as to how to streamline this, how to better use command lines for this, any scripts someone might have found, or other best practices for some of these tasks. I’m also interested in how people deal with local groups when a server needs to be migrated. And any suggestions as to how we might get from here to a more efficient security model without disrupting the users (big no-no). Sorry so long… and thanks

Rich
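One way to script the lookups Rich walks through by hand (display name to logon name, nested group membership, NTFS ACEs on the requested folders) while also showing how far each folder is from the AGDLP pattern Willem recommends. This is an added example, not code from either poster; it assumes RSAT's ActiveDirectory module on a domain-joined machine with read access to the folders, and the script name and parameters are made up for illustration.

```powershell
<#
 Added example, not code from the thread. Assumes RSAT's ActiveDirectory module,
 a domain-joined machine with read access to the folders, and that NTFS ACE
 identities resolve as DOMAIN\samAccountName. Hypothetical usage:
   .\Test-FolderAccess.ps1 -DisplayName 'Tom Cruiser' -Path '\\fileserver\support\MCI'
#>
param(
    [Parameter(Mandatory)][string]$DisplayName,
    [Parameter(Mandatory)][string[]]$Path
)
Import-Module ActiveDirectory

# Step 1: display name -> logon name (Rich's first manual step); refuse ambiguous matches.
$user = @(Get-ADUser -Filter "DisplayName -eq '$DisplayName'")
if ($user.Count -ne 1) { throw "Expected one user named '$DisplayName', found $($user.Count)" }
$user = $user[0]

# Step 2: every group the user is in, nested included. The matching-rule OID
# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) expands nesting server-side.
$memberOf   = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$memberSids = @($user.SID.Value) + @($memberOf | ForEach-Object { $_.SID.Value })

function Get-GranteeKind([string]$Identity) {
    # Classifies an ACE grantee against the A-G-DL-P pattern Willem describes.
    if ($Identity -like 'S-1-*') { return 'OrphanedSid' }        # principal no longer exists
    $domain, $name = $Identity -split '\\', 2
    if (-not $name -or $domain -in @('BUILTIN', 'NT AUTHORITY')) { return 'Local/WellKnown' }
    $g = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if ($g) { return "$($g.GroupScope)Group" }    # DomainLocalGroup, GlobalGroup or UniversalGroup
    if (Get-ADUser -Filter "SamAccountName -eq '$name'") { return 'DirectUser' }  # the anti-pattern
    return 'Unresolved'
}

# Step 3: NTFS ACEs per folder, with whether this user is already covered by each one.
foreach ($p in $Path) {
    foreach ($ace in (Get-Acl -Path $p).Access) {
        try   { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $null }
        [PSCustomObject]@{
            Path       = $p
            Identity   = $ace.IdentityReference.Value
            Kind       = Get-GranteeKind $ace.IdentityReference.Value
            Rights     = $ace.FileSystemRights
            Type       = $ace.AccessControlType
            Inherited  = $ace.IsInherited
            CoversUser = $memberSids -contains $sid
        }
    }
}
```

Rows with Kind DirectUser or GlobalGroup are the folders where the "in-between" grants Willem warns about have accumulated; share-level permissions on the server are not covered here and still need a separate check.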
- [ActiveDir] permissions requests Rich Milburn
- RE: [ActiveDir] permissions requests Willem Kasdorp
- RE: [ActiveDir] permissions requests joe
- RE: [ActiveDir] permissions requests Burns, Clyde
