two questions

1) who should control user access rights in a file server? IT or data
owners?

2) where can if find a document that describes all the NTFS setting in
IMMENSE detail? There a dozen little setting I only generally understand.



mydoom.f came visiting 2/24/4, two weeks later my systems are recovered

The virus was effective at deleting many files because I give most people
high permissions on the file server. This is because I do not understand the
settings, nor have I taken the time to ascertain the users actual needs. It
is easier to give them all rights and not worry about it. - I'm worried now.



I proposed to make each department head administer file permissions within
their department's data.



My boss say's "too many cooks spoil the soup"



What is the best practice? It is true the department heads are busy
non-technical accountants, marketers, and nurses. Teaching them the minutia
of NTFS permissions would be challenging. Convincing them to maintain the
permissions concerns me. Further, does Active Directory provide me a way to
allow the Marketing director to add/delete people to/from the
MarketingSecurity group? Then does NTFS allow me to give that same Marketing
director control the exact rights each security group has in a specific set
of directories?



On the other hand, I certainly don't have time. Am I better off hiring a
clerk to maintain AD and NTFS for the entire company?



The second question of course is the technical detail, where can I find good
documentation on NTFS settings? I'll need to know what the settings do
whether I use them, teach them to department heads or a clerk.



I am grateful for direction of the sages.

1. The data owners authorise changes in the permissions that are done by
access control group in the IT department. There should be a process
document which describes granting access to the data and revoking access
too - make sure you handle the suspended/quitting employees situation
properly. Some high-level details can be found at
http://www.sans.org/resources/policies/

2. Actually that's a part of Windows MCSA courseware, which discusses NTFS
permissions, network permissions, groups etc. in detail.

And your boss is right

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Milton Bliss" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> two questions
>
> 1) who should control user access rights in a file server? IT or data
> owners?
>
> 2) where can if find a document that describes all the NTFS setting in
> IMMENSE detail? There a dozen little setting I only generally understand.
>
>
>
> mydoom.f came visiting 2/24/4, two weeks later my systems are recovered
>
> The virus was effective at deleting many files because I give most people
> high permissions on the file server. This is because I do not understand
the
> settings, nor have I taken the time to ascertain the users actual needs.
It
> is easier to give them all rights and not worry about it. - I'm worried
now.
>
>
>
> I proposed to make each department head administer file permissions within
> their department's data.
>
>
>
> My boss say's "too many cooks spoil the soup"
>
>
>
> What is the best practice? It is true the department heads are busy
> non-technical accountants, marketers, and nurses. Teaching them the
minutia
> of NTFS permissions would be challenging. Convincing them to maintain the
> permissions concerns me. Further, does Active Directory provide me a way
to
> allow the Marketing director to add/delete people to/from the
> MarketingSecurity group? Then does NTFS allow me to give that same
Marketing
> director control the exact rights each security group has in a specific
set
> of directories?
>
>
>
> On the other hand, I certainly don't have time. Am I better off hiring a
> clerk to maintain AD and NTFS for the entire company?
>
>
>
> The second question of course is the technical detail, where can I find
good
> documentation on NTFS settings? I'll need to know what the settings do
> whether I use them, teach them to department heads or a clerk.
>
>
>
> I am grateful for direction of the sages.
>
>

General note - users should probably never have Full Control over any folder
(except roaming profile folder) - Modify is quite enough.

How often are you finding you need to change permissions? I rarely have to
do this - I set up the permissions on the folders when I set up the server,
and rarely need to modify them unless someone wants a new share that is
restricted to a certain group.

Re viruses - you ought to be running good antivirus software (ideally,
centrally managed) that can scan mail, as well as centrally managed server&
workstation AV software. I use Trend products and have them set to update
from Trend every hour....block Yahoo mail., Hotmail, (and POP/IMAP also if
you have your own mail server).

The rest of your questions - too large for me to be able to answer right
now. Not enough coffee. ;-)


Milton Bliss wrote:
> two questions
>
> 1) who should control user access rights in a file server? IT or data
> owners?
>
> 2) where can if find a document that describes all the NTFS setting in
> IMMENSE detail? There a dozen little setting I only generally
> understand.
>
>
>
> mydoom.f came visiting 2/24/4, two weeks later my systems are
> recovered
>
> The virus was effective at deleting many files because I give most
> people high permissions on the file server. This is because I do not
> understand the settings, nor have I taken the time to ascertain the
> users actual needs. It is easier to give them all rights and not
> worry about it. - I'm worried now.
>
>
>
> I proposed to make each department head administer file permissions
> within their department's data.
>
>
>
> My boss say's "too many cooks spoil the soup"
>
>
>
> What is the best practice? It is true the department heads are busy
> non-technical accountants, marketers, and nurses. Teaching them the
> minutia of NTFS permissions would be challenging. Convincing them to
> maintain the permissions concerns me. Further, does Active Directory
> provide me a way to allow the Marketing director to add/delete people
> to/from the MarketingSecurity group? Then does NTFS allow me to give
> that same Marketing director control the exact rights each security
> group has in a specific set of directories?
>
>
>
> On the other hand, I certainly don't have time. Am I better off
> hiring a clerk to maintain AD and NTFS for the entire company?
>
>
>
> The second question of course is the technical detail, where can I
> find good documentation on NTFS settings? I'll need to know what the
> settings do whether I use them, teach them to department heads or a
> clerk.
>
>
>
> I am grateful for direction of the sages.

Milton Bliss wrote:
> two questions
>
> 1) who should control user access rights in a file server? IT or data
> owners?
>
> 2) where can if find a document that describes all the NTFS setting in
> IMMENSE detail? There a dozen little setting I only generally understand.
>
>
>
> mydoom.f came visiting 2/24/4, two weeks later my systems are recovered
>
> The virus was effective at deleting many files because I give most people
> high permissions on the file server. This is because I do not understand the
> settings, nor have I taken the time to ascertain the users actual needs. It
> is easier to give them all rights and not worry about it. - I'm worried now.
>
>
>
> I proposed to make each department head administer file permissions within
> their department's data.
>
>
>
> My boss say's "too many cooks spoil the soup"
>
>
>
> What is the best practice? It is true the department heads are busy
> non-technical accountants, marketers, and nurses. Teaching them the minutia
> of NTFS permissions would be challenging. Convincing them to maintain the
> permissions concerns me. Further, does Active Directory provide me a way to
> allow the Marketing director to add/delete people to/from the
> MarketingSecurity group? Then does NTFS allow me to give that same Marketing
> director control the exact rights each security group has in a specific set
> of directories?
>
>
>
> On the other hand, I certainly don't have time. Am I better off hiring a
> clerk to maintain AD and NTFS for the entire company?
>
>
>
> The second question of course is the technical detail, where can I find good
> documentation on NTFS settings? I'll need to know what the settings do
> whether I use them, teach them to department heads or a clerk.
>
>
>
> I am grateful for direction of the sages.
>
>
I made full access on our file server only to file owners, other users
can only read and make files, not delete them.

To learn NTFS permissions I read MCSA/MCSE Training Kit Exam 70-270,
it's about Windows XP, but NTFS file system described there very
understandable. ISBN-0-7356-1429-6