Title: RE: [ActiveDir] schema updates
The easy question...
"I’m also interested in how people deal with local groups when a server needs to be migrated."
 
I use an excellent product from www.smallwonders.com called Secure Copy. It does global groups, local groups, NTFS perms, and shares. Has a GUI and CLI capabilities to suit your tastes. It's made my job migrating data between servers a piece of cake. You just need a copy on the source and destination server. They let you download eval copies if you want to check it out.
 
As for how to streamline "people are forever requesting that so-and-so have access to this one folder so they can do this one thing."...
 
I am sure there are a number of ways to streamline how to have very granular NTFS permissions like what you describe, but here is how I solved a similar situation. Using Windows 2000 native mode, Exchange 2000 and the Outlook client. Give all users involved email accounts. Then create (mail-enabled) universal security groups that grant NTFS modify rights to specific folders. I then give "read and write members" permissions on those universal security groups to whoever is in charge of the department. They control who has modify access to the folders by just adding / removing the user's name in Outlook distribution lists, aka the universal security groups. Other than having to create more groups and folders occasionally, I maintain a standard for the folders while delegating the day-to-day access changes to a few power users. There's no learning curve on their part since (in our environment) the concept of Outlook distribution lists is very familiar to them.
 
Clyde Burns
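The delegation model Clyde describes (one universal security group per folder, Modify on the folder granted to the group, and only the group's membership handed to the department lead) as an added PowerShell example. This is not code from the thread or from any product it names; it assumes the RSAT ActiveDirectory module, and the mail-enable step assumes an Exchange management session is loaded. The folder, group name, owner account and OU are placeholders.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and, for the mail-enable step, an Exchange management session.
# Folder, group, owner and OU values are placeholders.
Import-Module ActiveDirectory

function New-FolderAccessGroup {
    param(
        [string]$Folder,     # e.g. \\fileserver\support\MCI   (placeholder)
        [string]$GroupName,  # e.g. ACL-support-MCI-Modify     (placeholder)
        [string]$OwnerSam,   # department lead who will manage membership
        [string]$GroupsOU    # e.g. OU=FolderGroups,DC=example,DC=com (placeholder)
    )

    # 1. One universal security group per folder. Universal scope is what lets
    #    the group be mail-enabled and show up as a distribution list in Outlook.
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Universal -GroupCategory Security -Path $GroupsOU -PassThru

    # 2. Grant the group Modify on the folder, inheriting to subfolders and files.
    #    The ACE is written with the SID, not the name, so it does not depend on
    #    the file server being able to resolve a brand-new group yet.
    $acl  = Get-Acl -LiteralPath $Folder
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $group.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl

    # 3. Delegate read/write of the 'member' attribute of this one group object
    #    to the owner. That is the "read and write members" right: they can add
    #    and remove members but cannot change the folder ACL or the group itself.
    #    bf9679c0-0de6-11d0-a285-00aa003049e2 is the schema GUID of 'member'.
    $memberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    $ownerSid   = (Get-ADUser -Identity $OwnerSam).SID
    $adPath     = "AD:\$($group.DistinguishedName)"
    $gAcl  = Get-Acl -Path $adPath
    $gRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $ownerSid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttr
    )
    $gAcl.AddAccessRule($gRule)
    Set-Acl -Path $adPath -AclObject $gAcl

    # 4. Mail-enable the group so the owner manages it from Outlook.
    #    Enable-DistributionGroup is an Exchange cmdlet; skipped if not loaded.
    if (Get-Command Enable-DistributionGroup -ErrorAction SilentlyContinue) {
        Enable-DistributionGroup -Identity $group.DistinguishedName | Out-Null
    }
    return $group
}

# Usage (placeholder values):
# New-FolderAccessGroup -Folder '\\fileserver\support\MCI' -GroupName 'ACL-support-MCI-Modify' `
#     -OwnerSam 'dept.lead' -GroupsOU 'OU=FolderGroups,DC=example,DC=com'
```

The point of step 3 is least privilege on the delegation itself: the owner gets write access to one attribute of one object, so a compromised or careless department lead can change who is in the group but cannot grant rights to other folders or alter the group's scope. Membership changes still land in the directory's audit trail, which is the detection hook for reviewing who was added and when.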


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, January 30, 2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] permissions requests

I have to mention this up front – the solution to this can’t be a $25,000 admin tool :)

We’ve got an issue I’ve mentioned in passing before regarding permissions.  We tend to assign global groups NTFS permissions to files on our servers, and leave Everyone modify share permissions intact (domain admin full control).  This is because one or two people here have been burned with the Users -> Global -> Local -> Resources practice when they had to move to a new file server (open to suggestions on that).  Anyway changing the entire security structure is not an option right now, and I’m here doing mostly SMS so… What happens is contractors come and go in development, and people are forever requesting that so-and-so have access to this one folder so they can do this one thing.  Not like so-and-so is working on the BigDev Project and needs to be in the BigDev group.  And only Network Services group has access to change permissions.  Here is an example of the requests we get (names have been changed to protect the innocent):

Give Tom Cruiser read/write access to the following and change George Doublya access to read/write access to the following (remove any other access George Doublya has to other subfolders within these shares besides what is listed below):

fileserver\support\how to
fileserver\support\MCI
fileserver\support\Menu Exports
fileserver\support\Pos-DataCD
fileserver\support\Zipdata
sqlserver11\help\Tablechart
sqlserver11\help\Franchise

Also, give George Doublya read/write permissions to fileserver\opsserv and all subfolders.


So to start with, I have no idea what function either of these people do.  There is not a group that matches the rights they need, and adding them to a global group can give them other rights, who knows what all that might be (answer: no one), least of all the person making the request.  Such knowledge is unnecessary for them, and beneath them.

So what I have to do first is find the users’ logon names (enter a script I wrote for something completely different).  Then I try to find which groups they are a member of (q’n’d way is getuserinfo – thanks Joe).  Then I pull up Computer Management with \\fileserver and go to Shares, check the share permissions (some of them still have share level permissions).  Then I pull up the actual directory in explorer, check NTFS permissions.  I’m looking for common groups.  If something is obvious to map to a group, I add that.  So I open ADUC.  I know dsmod can do this but that means lots of DN typing…

This is all very labor intensive, inefficient, and scary.  So please, offer any and all suggestions as to how to streamline this, how to better use command lines for this, any scripts someone might have found or other best practices for some of these tasks.  I’m also interested in how people deal with local groups when a server needs to be migrated.  And any suggestions as to how we might get from here to a more efficient security model without disrupting the users (big no-no).  Sorry so long… and thanks

Rich
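The lookup Rich walks through by hand (display name to logon name, group membership, share permissions on the server, NTFS permissions on the folder, then looking for a group that already has the needed rights) as an added PowerShell example. It is not code from the thread and does not use the getuserinfo or dsmod tools it mentions; it assumes the RSAT ActiveDirectory module, read access to the folder ACLs, and CIM/WinRM access to the file servers for the share ACLs. The request data is constructed in the same shape as the ticket quoted above; the names, servers and paths are placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# rights to read ACLs on the file servers, and CIM/WinRM access for share ACLs.
# Names, servers and paths are constructed placeholders.
Import-Module ActiveDirectory

# Constructed sample request in the shape of the ticket (placeholders).
$Requests = @(
    @{ DisplayName = 'Tom Cruiser'; Paths = @('fileserver\support\how to', 'sqlserver11\help\Tablechart') }
)

function Resolve-LogonName {
    param([string]$DisplayName)
    # Step 1: the ticket gives a display name; insist on exactly one matching account.
    $hits = @(Get-ADUser -Filter "DisplayName -eq '$DisplayName'" -Properties DisplayName)
    if ($hits.Count -ne 1) { throw "Expected one account for '$DisplayName', found $($hits.Count)" }
    return $hits[0]
}

function Get-TokenGroupNames {
    param($User)
    # Step 2: every group in the logon token, nested membership included
    # (tokenGroups), not only direct memberOf. SIDs that do not resolve stay as SIDs.
    $sids = (Get-ADUser -Identity $User.DistinguishedName -Properties tokenGroups).tokenGroups
    foreach ($sid in $sids) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }
}

function Convert-RequestPath {
    param([string]$RequestPath)  # 'server\share\sub\folder' as written in the ticket
    $parts = $RequestPath -split '\\'
    [pscustomobject]@{
        Server = $parts[0]
        Share  = $parts[1]
        Unc    = '\\' + ($parts -join '\')
    }
}

function Get-AccessReport {
    param([string]$DisplayName, [string[]]$RequestPaths)
    $user   = Resolve-LogonName $DisplayName
    $domain = (Get-ADDomain).NetBIOSName
    # Every identity an ACE could name and still apply to this user.
    $identities = @("$domain\$($user.SamAccountName)", 'Everyone',
                    'NT AUTHORITY\Authenticated Users') + @(Get-TokenGroupNames $user)

    foreach ($rp in $RequestPaths) {
        $p = Convert-RequestPath $rp
        # Step 3: share-level ACL on the remote server; the effective right is the
        # more restrictive of share and NTFS, so this cannot be skipped.
        $shareAces = @(Get-SmbShareAccess -CimSession $p.Server -Name $p.Share -ErrorAction SilentlyContinue)
        # Step 4: NTFS DACL on the folder itself.
        $ntfsAces = @((Get-Acl -LiteralPath $p.Unc).Access)

        $shareHits = $shareAces | Where-Object { $identities -contains $_.AccountName }
        $ntfsHits  = $ntfsAces  | Where-Object { $identities -contains $_.IdentityReference.Value }
        # Groups already granted Modify/Full here that the user is NOT in: the
        # "obvious group to map to" candidates. Review what else each one grants
        # before adding anyone; that is the "who knows what all that might be" risk.
        $candidates = $ntfsAces |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights.ToString() -match 'Modify|FullControl' -and
                           $identities -notcontains $_.IdentityReference.Value } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            User            = $user.SamAccountName
            Path            = $p.Unc
            ShareGrants     = ($shareHits | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join '; '
            NtfsGrants      = ($ntfsHits  | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
            CandidateGroups = $candidates -join '; '
        }
    }
}

$Requests | ForEach-Object { Get-AccessReport -DisplayName $_.DisplayName -RequestPaths $_.Paths } |
    Format-Table -AutoSize -Wrap
```

One caveat that ties back to the local-groups question in the message: tokenGroups only carries domain groups, so an ACE naming a group local to the file server (FILESERVER\SomeLocalGroup) will show up under CandidateGroups even if the user is in it through that local group. Those ACEs are also exactly the ones that break when the data moves to a new server, which is why they deserve a separate pass before any migration.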
