Mitch,
I may be missing something here. The fact that they ( your users ) have to
change their passwords every 60th day should not have any effect on
accessing any 'network resources'. Whether or not the 'File Server' is also
a Domain Controller should also not affect anything. In fact, budget
allowing, it is probably a better idea to have dedicated File Servers. I
think that you clearly stated that this is indeed the case when you
stipulated that NAS-1 and NAS-2 were the file servers and that DC-1 is the
Domain Controller. I have worked with a couple of NAS devices and users
changing passwords - every 60th day or every other day or even twice a
day - did not cause any problems. Is this specifically a requirement with
the devices NAS-1 and NAS-2? Did you just name two WIN2000 member servers
NAS-1 and NAS-2 or are you really using a NAS 'device'?
Typically, as I stated in my original post, you would create a local
security group for each shared folder ( or for whatever requirements you
have ). I will give you an example of what I mean. Hopefully this will
bring us to the same page. Maybe I am not seeing something!
To answer the question that you are going to have when reading the below: I
like to incorporate what type of group XYZ is in the name. Thus, if it is a
local security group I like to name it LSG_XYZ. If it is a global security
group I like to name it GSG_XYZ. If it is a universal security group I like
to name it USG_XYZ. I also prefer to use security groups for
permissions/access and prefer to exclusively use mail-enabled distribution
groups for "Distribution Lists" - the old term - for Exchange 2000. In
other words, I do not "mail-enable" security groups so that I can kill two
birds with one stone! I separate the two. This is simply my choice.
Let's say that you have four Departments: Accounting, Finance,
Marketing, Sales. Let's say that you create a global security group for
each Department. So, you would have GSG_Accounting, GSG_Finance,
GSG_Marketing and GSG_Sales. You have 37 people in Accounting, 23 people in
Finance, 10 people in Marketing and 126 people in Sales. You simply stick
each user account in the appropriate global security group ( so Mary Smith,
who works in Accounting, would be in GSG_Accounting whereas Tom Ford, who
is in Sales, would be in GSG_Sales ).
Now, let's just say that you decide to put the Accounting and Finance
'working files and folders' on NAS-1 and you decide to put the Marketing and
Sales 'working files and folders' on the other file server, NAS-2.
Furthermore, you have a Software shared folder where you hold miscellaneous
software for your users to install at their leisure. Let's just say that
you decide to store this on NAS-1. I am intentionally leaving out the
users' 'home folder' scenario.
Create four local security groups: one called LSG_Accounting, one called
LSG_Finance, one called LSG_Marketing and one called LSG_Sales. You also
need to create one called LSG_Software.
Go to NAS-1 and create a folder called 'Departments'. Do not share it.
Inside 'Departments' create a folder called 'Accounting' and a folder called
'Finance'. You are finished there. At the same level as 'Departments'
create a folder called 'Software'.
Now, go to NAS-2 and create a folder called 'Departments'. Do not share it.
Inside 'Departments' create a folder called 'Marketing' and a folder called
'Sales'. You are finished there.
When you go to share the folders ( remember: there are two sets of
permissions - the Share permissions and the NTFS permissions ) all you need
to do is use the local security group. This should be the 'object' being
given such and such permissions ( read, modify, change, whatever ). You
just need to make sure that for the shared Accounting folder that the
GSG_Accounting is a member of the LSG_Accounting. It is actually the
LSG_Accounting to which you are granting permissions. The same applies to
the three other 'Department' folders.
For the Software shared folder, to which you would like all users to have
access, simply make sure that all four global security groups are members
of LSG_Software. Now, for this specific shared folder you could also make
use of a universal security group. You would simply make the four
'department' global security groups members of the universal security group
and then make the universal security group the member of LSG_Software. But,
in order to make use of universal groups you need to be in WIN2000 Native
Mode and you need to make sure that the Global Catalog Server is properly
placed ( and with only one DC - which would be the Global Catalog Server as
well, by default, it should be properly placed ).
Now, because access to the shared folder 'Accounting' has been set up in the
way described above only members of LSG_Accounting will have access to it.
Who is a member of LSG_Accounting? The global security group named
GSG_Accounting. And who is a member of GSG_Accounting? Well, Mary Smith
is. So, assuming that Mary has a mapped network drive to 'Accounting' (
most likely done via logon script ) she can access the files and folders in
'Accounting'. Can Tom Ford? No, because he is not a member - either
directly or indirectly via groups - of LSG_Accounting. Can Mary Smith
access anything in the 'Sales' shared folder? No! Because she is not a
member of LSG_Sales. Can this change? Yes it can.
If Mary Smith changes her password she should not have any problems
accessing any networked resources to which she already has permissions.
Same for Tom Ford and everyone else.
Does this clarify things for you? If not, please let me know. I am not
quite sure why you are under the impression that you will have to manually
change everyone's password on each file server when the users change their
passwords.
HTH,
Cary
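
The nesting described in the message above (user -> global group -> local group -> shared folder), modelled as an added example that is not part of the original post. Group, user and folder names come from the post; USG_AllDepartments is a hypothetical name for the universal-group variant, and the data is constructed.

```python
from collections import deque

# Constructed membership data: principal -> groups it is a DIRECT member of.
MEMBER_OF = {
    "Mary Smith": {"GSG_Accounting"},
    "Tom Ford": {"GSG_Sales"},
    "GSG_Accounting": {"LSG_Accounting", "USG_AllDepartments"},
    "GSG_Finance": {"LSG_Finance", "USG_AllDepartments"},
    "GSG_Marketing": {"LSG_Marketing", "USG_AllDepartments"},
    "GSG_Sales": {"LSG_Sales", "USG_AllDepartments"},
    "USG_AllDepartments": {"LSG_Software"},  # hypothetical universal group
}

# Shared folder -> (file server, local group named in the share/NTFS permissions).
SHARES = {
    "Accounting": ("NAS-1", "LSG_Accounting"),
    "Finance": ("NAS-1", "LSG_Finance"),
    "Software": ("NAS-1", "LSG_Software"),
    "Marketing": ("NAS-2", "LSG_Marketing"),
    "Sales": ("NAS-2", "LSG_Sales"),
}

def membership_path(user, share):
    """Return the nesting chain from user to the share's local group, or None."""
    target = SHARES[share][1]
    parent = {user: None}          # doubles as the visited set (loop-safe)
    queue = deque([user])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for group in sorted(MEMBER_OF.get(node, ())):
            if group not in parent:
                parent[group] = node
                queue.append(group)
    return None

def accessible_shares(user):
    """Shares the user reaches directly or indirectly via groups."""
    return sorted(s for s in SHARES if membership_path(user, s) is not None)

if __name__ == "__main__":
    for user in ("Mary Smith", "Tom Ford"):
        for share in accessible_shares(user):
            print(user, "->", share, "via", " > ".join(membership_path(user, share)))
```

Nothing in the model refers to a password: access is decided by the membership chain alone, so changing a password leaves every result unchanged.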