In our agency it would depend on where the share will reside. We have a central office and we have offices. The local offices have their own non-domain-admin IT people that can create shares on their servers as necessary. The domain admin team handles the big central office shares. In theory, a department manager puts in a request for a new share, and who needs access to it. A group is created and members added. Additional membership requests must be approved by the dept manager that made the original request.

This all sounds reasonable until we realized that nobody wrote down who requested what when. I started at least putting comments on the shares and groups to help keep track of this. We stopped allowing individuals to have access. Sounds like you're doing what I had started to do. We were also a Novell shop, so some of this was "leftovers". I am no longer on that domain admin team, having moved to one of the offices. My predecessor was completely clueless about shares, permissions, etc. and I'm still bumping into some odd workarounds.

From: David Lum [mailto:[email protected]]
Sent: Thursday, February 09, 2012 8:04 AM
To: NT System Admin Issues
Subject: RE: Who in your org creates server shares?

This was one _HUGE_ plus of the existing ACLs being wiped out - we previously had hundreds (yes, multiple hundreds, lol) of "this user is on this folder's ACL list" because the SD guys were never told that if a folder needed a specific ACL they needed to create a group and assign the group to the new folder's ACL. I ran an ACL report on our primary file share a couple years ago and almost needed a Depends because of what I found.

After last week's ACL wipeout debacle I had a quick 30 minute meeting with them explaining:

1. If a folder needs a different permission set than the one above it, create a group, assign that group to the folder and turn off inheritance if necessary (yes, even if it's just one user).
2. Groups for this should be Domain Local and no other kind.
3. In the description in AD, be explicit about where that group has access to - at any time someone should be able to look at the description and know exactly what that group does/has access to.

This was followed by looking at the groups in AD and showing them what's in there. As I am diligent (some say anal, as I will fire e-mails to SD and SE teams when I see unsatisfactory info like no or crappy descriptions) about using the description field in AD, I was able to show them that "see, with what's in AD we can recreate the ACL structure just by looking at groups". Most pre-Lum era groups had blank fields and others simply had "For access to files", and they seemed to understand once I showed them, as I heard more than one "Aaahhh..".

Based on the feedback here - thanks guys! - I am going to change our process so SD no longer creates shares, only server folks.

Dave

From: Michael B. Smith [mailto:[email protected]]
Sent: Wednesday, February 08, 2012 3:24 PM
To: NT System Admin Issues
Subject: RE: Who in your org creates server shares?

That sounds much better.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Steven Peck [mailto:[email protected]]
Sent: Wednesday, February 08, 2012 6:12 PM
To: NT System Admin Issues
Subject: Re: Who in your org creates server shares?

A 'Group' can get a share. An individual cannot. In general, a 'project' also cannot get a share. Group shares have a form (ticket) and justification and two owners and are tied to an AD group membership for permission access (read_only, create) and a quota. A project is welcome to a SharePoint site.

On Wed, Feb 8, 2012 at 2:54 PM, Michael B. Smith <[email protected]> wrote:

I'm shocked that your end-users get to decide what shares they want. How do they justify them?

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:[email protected]]
Sent: Wednesday, February 08, 2012 5:46 PM
To: NT System Admin Issues
Subject: Who in your org creates server shares?

Do you guys have the "server" guys create the actual shares, or is it the desktop support guys?
I ask because for end users our desktop folks currently do it, but we are moving to Win2K8 R2 DFS so share creation is a little different but certainly not complex enough that they can't do it. Just wondered how you guys handle it.

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
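The three rules in David Lum's message (group-only ACEs, Domain Local scope, a meaningful description in AD) are easy to state and hard to keep, which is why his ACL report was so ugly. The script below is an added example, not code from the thread or from any of its posters: it walks a share root, looks only at explicit (non-inherited) ACEs, resolves each principal through the ActiveDirectory module, and reports every folder that breaks one of the rules. It assumes RSAT's ActiveDirectory module is installed and that the account running it can read the tree; the `$Root` and `$Report` values are placeholders, the `$ignore` list of well-known principals is an assumption, and `Resolve-Principal` is a helper written for this example.

```powershell
<#
  Added example (not from the thread): audit explicit NTFS ACEs under a share root
  against the three rules above. Assumes the ActiveDirectory (RSAT) module and
  read access to the folder tree. $Root, $Report and $ignore are assumptions.
#>
param(
    [string]$Root   = 'D:\Shares\Dept',     # placeholder share root
    [string]$Report = '.\acl-audit.csv'     # placeholder output path
)
Import-Module ActiveDirectory -ErrorAction Stop

# Principals that legitimately sit on NTFS ACLs and are not AD groups; skip them.
$ignore = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Cache so a group that appears on hundreds of folders is looked up in AD once.
$cache = @{}
function Resolve-Principal {
    param([System.Security.Principal.IdentityReference]$Identity)
    $name = $Identity.Value
    if ($cache.ContainsKey($name)) { return $cache[$name] }

    $info = [pscustomobject]@{ Name = $name; Kind = 'Unresolved'; Scope = $null; Description = $null }
    try {
        # Orphaned ACEs already carry a raw SID; live ones translate NTAccount -> SID.
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        try {
            $grp = Get-ADGroup -Identity $sid -Properties Description
            $info.Kind = 'Group'
            $info.Scope = "$($grp.GroupScope)"
            $info.Description = $grp.Description
        } catch {
            # Not a group (identity-not-found from the AD cmdlets is a terminating error).
            if (Get-ADUser -Identity $sid) { $info.Kind = 'User' }
        }
    } catch { }   # untranslatable SID or object outside this forest: stays Unresolved
    $cache[$name] = $info
    return $info
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        # Inherited ACEs were decided higher up; only explicit ones are this folder's design.
        if ($ace.IsInherited -or ($ignore -contains $ace.IdentityReference.Value)) { continue }
        $p = Resolve-Principal -Identity $ace.IdentityReference
        $issues = @()
        if ($p.Kind -eq 'User')       { $issues += 'ACE granted to a user instead of a group' }
        if ($p.Kind -eq 'Unresolved') { $issues += 'Orphaned or unresolvable SID' }
        if ($p.Kind -eq 'Group') {
            if ($p.Scope -ne 'DomainLocal') { $issues += "Group scope is $($p.Scope), not DomainLocal" }
            if ([string]::IsNullOrWhiteSpace($p.Description)) { $issues += 'Group has no description in AD' }
        }
        if ($issues.Count -eq 0) { continue }
        [pscustomobject]@{
            Folder             = $dir.FullName
            InheritanceBlocked = $acl.AreAccessRulesProtected   # rule 1: inheritance turned off here?
            Principal          = $p.Name
            Rights             = $ace.FileSystemRights
            Issues             = ($issues -join '; ')
        }
    }
}

$findings | Sort-Object Folder | Export-Csv -LiteralPath $Report -NoTypeInformation
$findings | Format-Table -AutoSize
```

Run it against a share root and the CSV is the "ACL report" from the thread with the noise removed: each row is one explicit ACE that a group-based design would not produce. The `InheritanceBlocked` column shows whether the folder is a deliberate break from its parent, which is the case where rule 1 says a dedicated group belongs; the description check is what makes the claim "we can recreate the ACL structure just by looking at groups" actually hold.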
