|
microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
|
Posted by Barkley Bees on September 15, 2009, 3:42 am
We are planning to rework our NTFS permissions for one of our large file
servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
somewhat complex permission changes of nested folders and files many levels
deep. At the top level things are well structured but it turns into a
nightmarish spider-web the deeper down. Regardless of that we have mapped
out the necessary NTFS and share setting changes for this project.
The question that remains, however, is what is the best way to do this?
Possible options:
1. Windows explorer (manually editing the NTFS settings).
2. SubinACL?
3. XCACLS?
4. ScriptLogic Security Explorer
(http://www.scriptlogic.com/products/security-explorer/ ). How pricey is it?
Also, during an NTFS setting change of a large amount of files and folders,
is there much of an impact on the server (i.e., will users notice while they
are accessing files?). We do plan to perform the changes on Friday evenings
and over the weekends of course. =)
I realize that no matter what option(s) we go with that this is a daunting
task that will take some time to complete, as such we have broken it up into
phases.
I appreciate any feedback or advice on this matter from those who have
experience in this area.
|
|
Posted by Pegasus [MVP] on September 15, 2009, 4:14 am
> We are planning to rework our NTFS permissions for one of our large file
> servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
> somewhat complex permission changes of nested folders and files many
> levels deep. At the top level things are well structured but it turns into
> a nightmarish spider-web the deeper down. Regardless of that we have
> mapped out the necessary NTFS and share setting changes for this project.
> The question that remains, however, is what is the best way to do this?
> Possible options:
> 1. Windows explorer (manually editing the NTFS settings).
> 2. SubinACL?
> 3. XCACLS?
> 4. ScriptLogic Security Explorer
> (http://www.scriptlogic.com/products/security-explorer/ ). How pricey is
> it?
> Also, during a NTFS setting change of a large amount of files and folders,
> is there much of an impact on the server (ie: will users notice while they
> are accessing files?). We do plan to perform the changes on Friday
> evenings and over the weekends of course. =)
> I realize that no matter what option(s) we go with that this is a daunting
> task that will take some time to complete, as such we have broken it up
> into phases.
> I appreciate any feedback or advice on this matter from those who have
> experience in this area.
I would use cacls.exe. Its /T switch lets you process whole folder trees and
the /C switch lets you continue if errors occur. You should pipe its output
to a text file so that you can check for errors, e.g. like so:
cacls d:\UserFiles /t /e /c /g JSmith:F ABarkley:R /r APeters /d JBrown 1>c:\cacls.txt 2>&1
This is a disk-intensive operation and users may notice a sluggish response.
Check your command on a small folder before going ahead.
|
|
Posted by Dusko Savatovic on September 15, 2009, 5:00 am
Apart from "mechanics" (scripts, command line tools, group policy etc), you
should apply an organization strategy. The organization strategy recommended by
Microsoft is the A-G-DL-P strategy and variants, like A-G-U-DL-P, A-G-G-DL-P,
A-G-L-P.
A-G-DL-P and A-G-L-P
Put accounts (A) into Global Groups (G).
Put Global Groups (G) into Domain Local Groups (DL) if the resources reside
on Domain Controllers.
Or, put Global Groups (G) into Local Groups (L) if the resources reside on
Member Servers.
Assign permissions on resources to DL or L
IOW,
Use Global groups for grouping user accounts.
Use DL and L groups to assign permissions on the resource.
A-G-G-DL-P, A-G-U-DL-P
This is group nesting, available on Domain functional level "Windows 2000
native" and later.
G-G means that one Global Group is a member of another Global Group
G-U means that a Global Group is a member of Universal Group.
Universal Groups are usually used when you have more than one domain, but SBS
and Exchange also use Universal groups a lot.
Example:
You have domains Contoso and Adatum
You create groups:
U_Enterprise_Management
G_Contoso_Management
G_Adatum_Management
DL_Management_Documentation_FullControl
Alice is a manager in Adatum, make her a member of G_Adatum_Management.
Bob is a manager in Contoso, make him a member of G_Contoso_Management.
You nest groups:
U_Enterprise_Management contains members:
G_Contoso_Management
G_Adatum_Management
DL_Management_Documentation_FullControl contains members:
U_Enterprise_Management
You share a folder for 'Management Documentation'
Set permissions:
Remove "Everyone", "Authenticated Users" and others
Add DL_Management_Documentation_FullControl - Full Control permissions
You may add read permissions for backup service.
You would proceed with the same logic for, let's say 'xyz team members' who
would have read permissions and so on.
It is also a good practice to adopt a naming convention similar to the above
example.
>> We are planning to rework our NTFS permissions for one of our large file
>> servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
>> somewhat complex permission changes of nested folders and files many
>> levels deep. At the top level things are well structured but it turns
>> into a nightmarish spider-web the deeper down. Regardless of that we have
>> mapped out the necessary NTFS and share setting changes for this project.
>> The question that remains, however, is what is the best way to do this?
>> Possible options:
>> 1. Windows explorer (manually editing the NTFS settings).
>> 2. SubinACL?
>> 3. XCACLS?
>> 4. ScriptLogic Security Explorer
>> (http://www.scriptlogic.com/products/security-explorer/ ). How pricey is
>> it?
>> Also, during a NTFS setting change of a large amount of files and
>> folders, is there much of an impact on the server (ie: will users notice
>> while they are accessing files?). We do plan to perform the changes on
>> Friday evenings and over the weekends of course. =)
>> I realize that no matter what option(s) we go with that this is a
>> daunting task that will take some time to complete, as such we have
>> broken it up into phases.
>> I appreciate any feedback or advice on this matter from those who have
>> experience in this area.
> I would use cacls.exe. Its /T switch lets you process whole folder trees
> and the /C switch lets you continue if errors occur. You should pipe its
> output to a text file so that you can check for errors, e.g. like so:
> cacls d:\UserFiles /t /e /c /g JSmith:F ABarkley:R /r APeters /d JBrown 1>c:\cacls.txt 2>&1
> This is a disk-intensive operation and users may notice a sluggish
> response. Check your command on a small folder before going ahead.
>
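The A-G-U-DL-P layout from the post above, as an added example that is not part of the original thread: it checks a planned group layout against the nesting rules as the post states them (not against what Active Directory technically permits) and expands a DL group to the accounts that end up holding the permission. The group and account names are the post's; the data model and function names are hypothetical.

```python
# Added example (not from the thread). The ALLOWED table encodes the strategy as
# the post describes it; the dict-based data model is an assumption.
ALLOWED = {"G": {"A", "G"}, "U": {"G"}, "DL": {"G", "U"}, "L": {"G"}}

MEMBERS = {  # constructed from the post's Contoso/Adatum example
    "G_Adatum_Management": ["Alice"],
    "G_Contoso_Management": ["Bob"],
    "U_Enterprise_Management": ["G_Contoso_Management", "G_Adatum_Management"],
    "DL_Management_Documentation_FullControl": ["U_Enterprise_Management"],
}
ACL = {"Management Documentation": {"DL_Management_Documentation_FullControl": "F"}}

def kind(name):
    """Classify by naming-convention prefix; anything else counts as an account."""
    prefix = name.split("_", 1)[0]
    return prefix if prefix in ALLOWED else "A"

def violations(members, acl):
    """Return a sorted list of nesting and ACL-trustee rule breaks."""
    found = []
    for group, kids in members.items():
        for kid in kids:
            if kind(kid) not in ALLOWED.get(kind(group), set()):
                found.append(f"{kid} ({kind(kid)}) must not be in {group} ({kind(group)})")
    for resource, aces in acl.items():
        for trustee in aces:
            if kind(trustee) not in ("DL", "L"):
                found.append(f"{resource}: permission granted to {trustee}, not a DL/L group")
    return sorted(found)

def effective_accounts(trustee, members, seen=None):
    """Expand nested groups down to the accounts that receive the permission."""
    seen = set() if seen is None else seen
    if trustee in seen:  # guard against circular nesting
        return set()
    seen.add(trustee)
    if kind(trustee) == "A":
        return {trustee}
    out = set()
    for kid in members.get(trustee, []):
        out |= effective_accounts(kid, members, seen)
    return out

if __name__ == "__main__":
    print(violations(MEMBERS, ACL))
    print(sorted(effective_accounts("DL_Management_Documentation_FullControl", MEMBERS)))
```

Running the same check on the mapped-out target layout before any ACLs are changed shows where an account or "Everyone" would still be granted access directly.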
|
|
Posted by DaveMo on September 16, 2009, 2:04 pm
> We are planning to rework our NTFS permissions for one of our large file
> servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
> somewhat complex permission changes of nested folders and files many levels
> deep. At the top level things are well structured but it turns into a
> nightmarish spider-web the deeper down. Regardless of that we have mapped
> out the necessary NTFS and share setting changes for this project.
> The question that remains, however, is what is the best way to do this?
> Possible options:
> 1. Windows explorer (manually editing the NTFS settings).
> 2. SubinACL?
> 3. XCACLS?
> 4. ScriptLogic Security Explorer
> (http://www.scriptlogic.com/products/security-explorer/ ). How pricey is it?
> Also, during a NTFS setting change of a large amount of files and folders,
> is there much of an impact on the server (ie: will users notice while they
> are accessing files?). We do plan to perform the changes on Friday evenings
> and over the weekends of course. =)
> I realize that no matter what option(s) we go with that this is a daunting
> task that will take some time to complete, as such we have broken it up into
> phases.
> I appreciate any feedback or advice on this matter from those who have
> experience in this area.
Hi Barkley,
Since you mentioned other products in your query, I hope it's not too
much of a breach of protocol to mention that my company has a product
that likely meets your requirements as well. We are still running an
introductory special that would allow you to use the product for less
than $1000. A bargain if you calculate the number of hours you'll
likely spend with scripts and such.
Find out more at www.securitay.com/products.html.
Good luck with your project whichever way you go.
Dave
|
|
Posted by DaveMills on September 16, 2009, 3:53 pm
>We are planning to rework our NTFS permissions for one of our large file
>servers (~3 TB of data - Server 2003 x64 Std Edition). This will involve
>somewhat complex permission changes of nested folders and files many levels
>deep. At the top level things are well structured but it turns into a
>nightmarish spider-web the deeper down. Regardless of that we have mapped
>out the necessary NTFS and share setting changes for this project.
>The question that remains, however, is what is the best way to do this?
>Possible options:
>1. Windows explorer (manually editing the NTFS settings).
>2. SubinACL?
>3. XCACLS?
>4. ScriptLogic Security Explorer
Check out icacls from W2003 - supports inherited acls
>(http://www.scriptlogic.com/products/security-explorer/ ). How pricey is it?
>Also, during a NTFS setting change of a large amount of files and folders,
>is there much of an impact on the server (ie: will users notice while they
>are accessing files?). We do plan to perform the changes on Friday evenings
>and over the weekends of course. =)
>I realize that no matter what option(s) we go with that this is a daunting
>task that will take some time to complete, as such we have broken it up into
>phases.
>I appreciate any feedback or advice on this matter from those who have
>experience in this area.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
|