Hello All,
I need some advice on what I previously thought was a straightforward admin
task, or at least some insight on what other admins are doing out there. We
basically have departmental shares on a win2k srvr file server. Permissions
are usually set on subfolders of the main share as:
admin>full control
domain admins>change (read/write)
department X>change
misc>read
In a nutshell, I would like each department user to have the ability to
create subfolders and files, but not change the permissions on the
respective folder itself. I know there are tons of 'advanced' options, but
we still have NT workstations on the network, so I am leery of doing
advanced ntfs5 permissions.
If we give, say, finance users change access to their folder, can't they, in
theory, change permissions at their departmental folder? I have found that
certain users with change access to folders (whether intentionally or not)
have inappropriately given the everyone group read or change access to the
entire folder.
ALSO...what folder level is everyone drilling down to as far as allowing
explicit access? For example, I get requests all the time such as 'can you
give Jane read access to finance\accounting\blah\blah.' We usually stick to
one folder level deep otherwise we tell the users to move the file to a less
secured folder. Wouldn't I have to give user Jane explicit read at each
folderlevel if she was in an otherwise denied group/context, i.e. only had
access to the finance folder? Wondering if there is a slick method or util I
might be missing...
thanks and sorry for the wordy post!
Thanks in advance...