kbrot.blogg.se

#Testout lab 6.3.9 configure share permissions full

This approach centralizes the administration of share permissions. Have users log on using domain user accounts rather than local accounts.For example, if a you need to give someone Read/Write permissions for all of the \Finance folder but not \Finance\Budget, you're gonna have a bad time later. If something would break inheritance, then it either needs to move up a level or you need to reassess who's got what permissions on the parent folder. There will be a few folders where this may be necessary, but generally avoid it. Avoid breaking permissions inheritance as much as possible.Create a Global Deny group so that when employees leave the company, you can quickly remove all their file server access by making them members of that group.Remove the Everyone permission from every resource except the global folder designated for file exchanges.For example, if users need only to read information in a folder and not to change, delete or create files, assign the Read permission only. Assign the most restrictive permissions that still allow users to perform their jobs.Modify rights should be all that's necessary for most users.

Full Control enables users to change NTFS permissions, which average users should not need to do.

Avoid giving users the Full Control permission.

People (user accounts) -> Role (AD global group) -> Permissions (AD domain local group) -> Asset (file or folder on a file server) As you expand your network and add different assets and areas of access to the role, you'll be able to easily see what assets a role can access. What you have now done is tied an asset to a permission, and the permissions to a role. Add this global group to the domain local group fileserver1_HR_read, and then add user accounts to the global group HR.

Create a global group in AD named HR for your HR people.

Use these groups to set NTFS permissions to the appropriate user rights.

fileserver1_HR_fullcontrol (Full Control).

fileserver1_HR_modify (Read and Modify).

For this share, create the following domain local groups in your AD with the permissions shown:.

For example, suppose you have a share named HR on fileserver1.

Configure NTFS permissions for the assets, assign roles to those permissions, and assign people to roles.

It's far easier to manage 200 groups than 2,000 one-off permissions. Don't assign NTFS permissions to individuals, even if you have to create hundreds of groups.

Use Active Directory groups everywhere.

Create a file server permissions policy that clearly defines your permissions management process.

NTFS Permissions Management Best Practices.

#Testout lab 6.3.9 configure share permissions full