Users into domain groups, folders permissioned with local groups, local groups have the domain groups added. Having a user be a member of 10-20 groups is no big deal.
So folder A will have a two local groups permissioned on it; foldernameRW and foldernameRO. The required domain security groups are then added to one of those two local groups. That way you also only have two local groups permed on the folder. Doing it this way means you never have to reapply permissions to the file structure, just change group memberships. I've also used ABE (access-based enumeration) to limit what people can see in that folder structure. *********************** Charlie Kaiser [email protected] Kingman, AZ *********************** > -----Original Message----- > From: Jason Morris [mailto:[email protected]] > Sent: Friday, March 19, 2010 6:57 AM > To: NT System Admin Issues > Subject: NTFS Permissions Questions > > I'm looking at cleaning up some of our more ornery areas and > want to know if anybody has some opinions/real world > experience they'd be willing to share. From my perspective > everything is working ok speed-wise but I want to know what > other people are doing. > > > > We have a series of folders in one share that not all users > with access to the share will be utilizing. Some will have > "Folder A / Folder B / and Folder C" but not "Folder D / > Folder E / and Folder F". And others will be mixing and matching. > > > > I prefer to give groups permissions to the folders and put > the users in the groups. But this might mean there will be 10 > groups on Folder A. This might also mean User George will be > a member of 20 groups. This is how I have it now and it's > working ok speed-wise. (it's ornery because we've had > requests here and there for individuals to access a folder > and we've had to tweak security for the individual user) > > > > Is it better/faster to have groups checked in the ACL or have > it some other way? > > > > Inquiring minds want to know. > > ------------------------------------------ > > Jason Morris > > MJMC, Inc. > > P: 708-225-2350 > > F: 708-943-9015 > > > > > > > > -------------------------------------------------------------- > ---------------------------- > The pages accompanying this email transmission contain > information from MJMC, Inc., which is confidential and/or > privileged. The information is to be for the use of the > individual or entity named on this cover sheet. If you are > not the intended recipient, you are hereby notified that any > disclosure, dissemination, distribution, or copying of this > communication is strictly prohibited. If you received this > transmission in error, please immediately notify us by > telephone so that we can arrange for the retrieval of the > original document. > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
