Posted by Roger Abell [MVP] on November 18, 2006, 12:50 am
Adrian,
You have a few questions here.
First, yes, you can audit. There are two steps. First, on the
storage machine in the Audit policy one must enable "Audit
object access". This step enables one to set auditing on and
for the specific things one wants audited. Next, one needs to
go to what should be audited (or a higher level in the parental
path) and set auditing. For NTFS, this is accessed in the normal
NTFS permissions dialog by selecting Advanced view and then
clicking into the Audit tab. Do not ask for more than you want
as a lot of security event log records can be generated. In your
case you might consider setting Audit for successful delete of
folders (use edit to select This folder and subfolders) by Everyone.
Next, you could use different NTFS permissions so that non-admin
accounts are not granted Delete for the folders that should not be
moved (by what you show they currently are granted that).
Now, if you determined that in
.\root
.\root\dept1
.\root\dept1\fixedA
.\root\dept1\fixedA\sub1
.\root\dept1\fixedA\sub2
etc
.\root\dept1\fixedB
etc
.\root\dept1\something1
.\root\dept1\something2
.\root\dept2
.\root\dept2\fixedA
etc
the folders dept1, dept1\fixedA, dept1\fixedB should
not be movable (deletable) but the other dept1 related
folders should be (are user generated), then one would
set the NTFS permissions on those non-movable folders
so that non-admins could not delete them (using the edit
capability within the advanced view to select "This folder
only" for a List grant, and using "Subfolders and files" for
their modify grant).
What you would discover after this is that some user will
come along and "move" one of these folders and the content
will get moved (they have the right to move much of the
content) but then their "move" will fail when it attempts to
move the "fixed" folder. The result is that there is a copy
wherever they "moved" to and the moved-from "fixed"
part is still there but empty of movable parts. If they can
read and delete things they can do this and there is not much
(short of one-on-one user enlightenment) you can do about it.
Roger
> Hi Guys,
>
> (Windows 2000 Domain, all servers 2000 standard.)
>
> We have a folder called "Management" which contains a subfolder for each
> department, 5 in all. Each Department folder then is again divided into 7
> further subfolders, each of which is again divided into further subfolders
> ..
> anyway you get the picture.
>
> This is the central file storage location and structure.
>
> Twice over the last 3 months, these subfolders have been moved into
> different departments' subfolders essentially getting lost in the system
> and
> have to be found and then moved back into position.
>
> When I run ("cacls "R:\CENTRAL SERVICES " > c:\problem.txt) the output I
> get
> is the following.
>
> R:\CENTRAL SERVICES
> NT AUTHORITY\Authenticated Users:(OI)(CI)(special access:
> DELETE
> READ_CONTROL
> SYNCHRONIZE
>
> FILE_GENERIC_READ
>
> FILE_GENERIC_EXECUTE
> FILE_READ_DATA
> FILE_READ_EA
> FILE_EXECUTE
>
> FILE_READ_ATTRIBUTES
>
> NT AUTHORITY\Authenticated Users:(OI)(CI)R
> MyDomain\Domain Admins:(OI)(CI)F
>
> Any way I can audit who or what is moving the folders? And is it possible
> to
> lock these folders into place so they effectively can't be moved but the
> users
> can still have full access to the subfolders?
>
> Thanks
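The two steps in Roger's reply (enable object-access auditing plus a Delete audit entry on the share root, then NTFS permissions that grant users List on the fixed folder itself and Modify only on its subfolders and files), written out as a PowerShell script. This is an added example, not code from the thread. It assumes a current Windows server where PowerShell, `auditpol` and the .NET `FileSystemAuditRule`/`FileSystemAccessRule` classes exist; on the Windows 2000 servers in the question the same settings are made by hand in Local Security Policy and the Advanced Security dialog. The root path and group names are taken from the question's cacls output; the list of fixed folders is constructed for illustration.

```powershell
# Added example (not from the original thread). Assumes a modern Windows host
# with PowerShell and auditpol; the folder list below is constructed.
#Requires -RunAsAdministrator

$Root         = 'R:\CENTRAL SERVICES'                          # from the question
$FixedFolders = @("$Root\dept1", "$Root\dept1\fixedA", "$Root\dept1\fixedB")  # constructed
$UsersGroup   = 'NT AUTHORITY\Authenticated Users'
$AdminsGroup  = 'MyDomain\Domain Admins'

# Step 1a: turn on "Audit object access" for the file system, success only,
# so the Security log is not flooded with failed-access records.
auditpol /set /subcategory:"File System" /success:enable /failure:disable | Out-Null

# Step 1b: SACL entry on the root: audit successful Delete of folders by Everyone.
# ContainerInherit alone is the dialog's "This folder and subfolders" (files excluded).
$sacl = Get-Acl -Path $Root -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $Root -AclObject $sacl

# Step 2: fixed folders cannot be deleted (moved) by non-admins, but users keep
# Modify on everything inside them.
foreach ($folder in $FixedFolders) {
    $dacl = Get-Acl -Path $folder
    # Stop inheriting the parent's ACEs (the root grants DELETE) and start clean.
    $dacl.SetAccessRuleProtection($true, $false)
    # Admins: Full control on the folder, its subfolders and files.
    $dacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AdminsGroup, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    # Users: List/read on "This folder only" (no inheritance flags), which carries no Delete.
    $dacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UsersGroup, 'ReadAndExecute', 'None', 'None', 'Allow')))
    # Users: Modify on "Subfolders and files" only; InheritOnly keeps it off the folder itself.
    $dacl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UsersGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')))
    Set-Acl -Path $folder -AclObject $dacl
}

# Check: report any ACE that still grants Delete on a fixed folder itself to a non-admin.
function Test-FixedFolder {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -eq $AdminsGroup) { continue }
        # InheritOnly ACEs apply to children, not to this folder.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Delete) {
            Write-Warning "$Path : $($ace.IdentityReference) can still delete this folder"
            return $false
        }
    }
    return $true
}
$FixedFolders | ForEach-Object { Test-FixedFolder $_ }
```

Note that a subfolder such as dept1\fixedA is itself in the fixed list, so the loop also detaches it from dept1's inherited Modify grant; the user-generated folders under dept1 (something1, something2) are not in the list and keep the inherited Modify, which is what makes them deletable. The behaviour Roger describes at the end still holds: a user with Modify on the contents can move the contents out, and the audit entry is what tells you who did it.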