For Fun and Profit
Author: Kevin Flanagan
August 19, 2002
How to Save Time and Money With a Well Designed File Access Methodology
The majority of companies run Windows NT, Windows 2000, or a hybrid computing environment that grew semi-organically rather than being thoroughly planned. One by-product of this growth is that permissions were granted to people as needed over time, producing a non-standard (haphazard) application of permission schemes. Administrators come and go, and as they learn better ways to do things, “the way things are done” changes. At most companies, junior administrators manage account creation and file permissions, which takes the company even further from a solid, clean methodology for granting access to data. Most administrators know the official “Microsoft answer”: apply Access Control Lists (ACLs) to objects (generally directories or files), where the ACL contains only Local Groups, the Local Groups contain Global Groups, and users are members of the Global Groups. Few organizations, however, have applied this ACL permission scheme as standard practice.
It is proposed here that time be taken to do one of two things: completely restructure the existing file permissions, or start a new system that will greatly ease the task of managing permissions and save the company significant money at the same time.
This is a daunting task for many environments, but one that is worth the effort. Consider the following factors and their value to the company.
When rolling out a new file server, or as a part of a Windows 2000 migration, restructuring the current file servers (as described below) will make the work easier, and save the company money.
Implementing the following items can save time (and time is money) for systems administrators.
In this example there are two file servers, each with several shared directories, and each storing user home directories.
\\Server1
  C: - Operating System
  D: - CDROM
  E: - User home directories
     E:\users
        \sjones – Shared as \\server1\sjones$
        \bsmith – Shared as \\server1\bsmith$
  F: - Shared data
     F:\files – Shared as \\server1\files
        \accounting
        \marketing
        \hardware
        \software
The exception to this rule is user home directories: they should always have the same permissions.
System         : Full Control
Administrators : Full Control
“Owner”        : Change – this is one person only
If there is a need to share data, it should be done on another share, never in the user home directories.
Server named Server1
  \receiving          – Local Group named receiving
  \shipping           – Local Group named shipping
  \accounting         – Local Group named accounting
  \engineering        – Local Group named engineering
  \users\
  \users\jones
  \users\smith
  \users\financedata  – Local Group named financedata

Server named Server2
  \engineering        – Local Group named engineering
  \marketing          – Local Group named marketing
After the access boundaries are set (in this example, the Groups listed above), create Global Groups whose names are made up of 3 parts:
1. Server abbreviation: Server1 becomes S01
2. Name of the Local Group on the server where the resource resides.
3. Type of access granted (recommendation – 3):
Global Groups would be named:
Know who the “business owner” of the data is, and keep to that order of approval when verifying whether a person should have access to the directory in question and, if so, whether the permission should be Read Only or Read Write.
Use the command-line tools Cacls or Xcacls to apply these permissions. Do NOT use the GUI, unless it is to REPLACE all rights on all files and subdirectories under the directory being worked on.
Once implemented, this structure shows which Global Group controls access to which resource, and users can simply be added to that group. Once a user is added, the user logs off and back on and access works normally. Ensure that every new high-level directory receives the 3 groups, created as both Local and Global Groups.
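The procedure above, carried out for one new shared directory and one home directory, as an added example that is not from the article. It assumes a domain named CORP, the server abbreviation S01, two of the access levels (Read Only mapped to Cacls R, Read Write mapped to Cacls C) abbreviated RO and RW, one Local Group per access level, and an underscore separator in group names; those names and abbreviations are my assumptions, not the article's.

```batch
@echo off
REM Added example (not the article's own script): set up one shared
REM directory with the Local Group / Global Group structure, then one
REM user home directory. Assumed: domain CORP, abbreviation S01,
REM access levels RO (Cacls R) and RW (Cacls C), "_" as separator.
setlocal
set SRV=S01
set DOMAIN=CORP
set RES=accounting
set SHAREPATH=F:\files\%RES%
if not exist %SHAREPATH% mkdir %SHAREPATH%

REM 1. Local Groups on the file server, one per access level. These are
REM    the only entries on the ACL besides SYSTEM and Administrators.
net localgroup %RES%_RO /add /comment:"Read Only to %SHAREPATH%"
net localgroup %RES%_RW /add /comment:"Read Write to %SHAREPATH%"

REM 2. Global Groups in the domain: server + Local Group + access type.
net group %SRV%_%RES%_RO /add /domain /comment:"%RES% RO on %SRV%"
net group %SRV%_%RES%_RW /add /domain /comment:"%RES% RW on %SRV%"

REM 3. Nesting: each Global Group is a member of its Local Group.
net localgroup %RES%_RO %DOMAIN%\%SRV%_%RES%_RO /add
net localgroup %RES%_RW %DOMAIN%\%SRV%_%RES%_RW /add

REM 4. Apply the ACL with Cacls, not the GUI. This is a brand new
REM    top-level directory, so the ACL is REPLACED (no /E); "echo y|"
REM    answers the confirmation prompt and /T walks the whole tree.
echo y| cacls %SHAREPATH% /T /G SYSTEM:F Administrators:F %RES%_RO:R %RES%_RW:C

REM 5. Granting access later means adding the user to the Global Group;
REM    the user then logs off and on again. (Shown for user sjones.)
REM net group %SRV%_%RES%_RO sjones /add /domain

REM 6. Home directory: System and Administrators Full Control, the one
REM    owner Change, nothing else, shared as a hidden share.
set USER=sjones
set HOMEDIR=E:\users\%USER%
if not exist %HOMEDIR% mkdir %HOMEDIR%
echo y| cacls %HOMEDIR% /T /G SYSTEM:F Administrators:F %DOMAIN%\%USER%:C
net share %USER%$=%HOMEDIR%
endlocal
```

Run it once per new high-level directory with RES changed; for an existing directory whose ACL must be edited rather than replaced, add /E to the Cacls line and drop the "echo y|".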
This structure has been applied with great success, saving about 1 man-day per week of permission management in a company of about 3000 employees. The payoff is significant after the initial setup time. This may be the best time to implement projects like this: the projected slowdown in new projects may afford NT administrators the time to rework things they inherited, or did before they learned a better way to do them.