In our agency it would depend on where the share will reside.  We have a
central office and we have offices.  The local offices have their own
non-domain admin IT people that can create shares on their servers as
necessary.  The domain admin team handles the big central office shares.
In theory, a department manager puts in a request for a new share, and who
needs access to it.  A group is created and members added.  Additional
membership requests must be approved by the dept manager that made the
original request. 

 

This all sounded reasonable until we realized that nobody wrote down who
requested what when. I started at least putting comments on the shares and
groups to help keep track of this. We stopped allowing individuals to have
access. Sounds like you're doing what I had started to do.

 

We were also a Novell shop, so some of this was "leftovers". 

 

I am no longer on that domain admin team, having moved to one of the
offices. My predecessor was completely clueless about shares, permissions,
etc. and I'm still bumping into some odd workarounds.

 

From: David Lum [mailto:[email protected]] 
Sent: Thursday, February 09, 2012 8:04 AM
To: NT System Admin Issues
Subject: RE: Who in your org creates server shares?

 

This was one _HUGE_ plus of the existing ACLs being wiped out - we
previously had hundreds (yes, multiple hundreds, lol) of "this user is on
this folder's ACL list" because the SD guys were never told that if a folder
needed a specific ACL they needed to create a group and assign the group to
the new folder's ACL. I ran an ACL report on our primary file share a couple
years ago and almost needed a Depends because of what I found.

 

After last week's ACL wipeout debacle I had a quick 30 minute meeting with
them explaining:

1.       If a folder needs a different permission set than the one above it,
create a group, assign that group to the folder and turn off inheritance if
necessary (yes, even if it's just one user).

2.       Groups for this should be Domain Local and no other kind

3.       In the description in AD, be explicit about where that group has
access to - at any time someone should be able to look at the description and
know exactly what that group does/has access to.

 

This was followed by looking at the groups in AD and showing them what's in
there. As I am diligent (some say anal, as I will fire e-mails to SD and SE
teams when I see unsatisfactory info like no or crappy descriptions) about
using the description field in AD I was able to show them that "see, with
what's in AD we can recreate the ACL structure just by looking at groups".
Most Pre-Lum era groups had blank fields and others simply had "For access
to files" and they seemed to understand once I showed them, as I heard more
than one "Aaahhh.."

 

Based on the feedback here - thanks guys! - I am going to change our process
so SD no longer creates shares, only server folks.

 

Dave
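
The three rules in the message above can be checked against an existing share with a short audit script. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, and `$Root` and the `Test-AclIdentity` helper are hypothetical names.

```powershell
# Added example: report explicit (non-inherited) ACEs that break the rules
# from the meeting: no individual users, Domain Local groups only,
# and every group must carry a description.
Import-Module ActiveDirectory

$Root  = '\\fileserver\share'   # placeholder path, not from the thread
$cache = @{}                    # identity -> finding, avoids repeated AD lookups

function Test-AclIdentity {
    param($Identity)
    if ($cache.ContainsKey($Identity.Value)) { return $cache[$Identity.Value] }
    $finding = $null
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
        # Well-known principals (SYSTEM, BUILTIN\Administrators) have no domain SID; skip them
        if ($sid.AccountDomainSid) {
            $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'"
            if (-not $obj) {
                $finding = 'No matching AD object (orphaned SID or local account)'
            } elseif ($obj.ObjectClass -eq 'user') {
                $finding = 'Individual user on ACL; use a group'
            } elseif ($obj.ObjectClass -eq 'group') {
                $g = Get-ADGroup -Identity $sid.Value -Properties Description
                if ($g.GroupScope -ne 'DomainLocal') {
                    $finding = "Group scope is $($g.GroupScope), not DomainLocal"
                } elseif ([string]::IsNullOrWhiteSpace($g.Description)) {
                    $finding = 'Group has no description'
                }
            }
        }
    } catch {
        $finding = 'Could not resolve identity'
    }
    $cache[$Identity.Value] = $finding
    return $finding
}

# Walk the root folder and every subfolder, looking only at explicit ACEs
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
$report = foreach ($f in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $f.FullName).Access) {
        if ($ace.IsInherited) { continue }
        $finding = Test-AclIdentity $ace.IdentityReference
        if ($finding) {
            [pscustomobject]@{ Folder = $f.FullName; Identity = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Finding = $finding }
        }
    }
}
$report | Sort-Object Folder | Format-Table -AutoSize -Wrap
```

Only the first failed rule is reported per identity, so a Global group with a blank description shows up as a scope finding until the scope is fixed.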

 

From: Michael B. Smith [mailto:[email protected]] 
Sent: Wednesday, February 08, 2012 3:24 PM
To: NT System Admin Issues
Subject: RE: Who in your org creates server shares?

 

That sounds much better.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: Steven Peck [mailto:[email protected]] 
Sent: Wednesday, February 08, 2012 6:12 PM
To: NT System Admin Issues
Subject: Re: Who in your org creates server shares?

 

A 'Group' can get a share.  An individual cannot.  In general, a 'project'
also cannot get a share.  Group shares have a form (ticket) and
justification and two owners and are tied to an AD group membership for
permission access (read_only, create) and a quota.

 

A project is welcome to a SharePoint site.

On Wed, Feb 8, 2012 at 2:54 PM, Michael B. Smith <[email protected]>
wrote:

I'm shocked that your end-users get to decide what shares they want.

 

How do they justify them?

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: David Lum [mailto:[email protected]] 
Sent: Wednesday, February 08, 2012 5:46 PM
To: NT System Admin Issues
Subject: Who in your org creates server shares?

 

Do you guys have the "server" guys create the actual shares, or is it the
desktop support guys? 

 

I ask because for end users our desktop folks currently do it, but we are
moving to Win2K8 R2 DFS so share creation is a little different but
certainly not complex enough that they can't do it. Just wondered how you
guys handle it.

David Lum 
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
