Ask the Expert

Best practices for setting NTFS/share permissions for each %USERNAME% on a file server

I'm seeking "best practice" advice for the reasonable setting of NTFS and share permissions for the home catalogs of each %USERNAME% on the common file server within AD. Is the following scheme good?
  1. The catalog, containing all home users' catalogs does not inherit from the parent volume, but in its turn permits for all child objects full access for the local admin group of this server (to allow further administering in critical conditions).

  2. In addition to that, each inner home catalog has Modify rights only for the corresponding %USERNAME% and Full Control for the Creator Owner.

  3. Each home catalog is shared separately as %USERNAME%$ with Change or Full Control for only the user himself.
Does this scheme allow for the "sufficient minimum" of rights/security/manageability?
I'm not sure what you are using as your definition ?- what is the home catalog? The home folder? The location of the user profile? The redirected documents folders? The place on the file server where the user can save files? A folder required by some application software?

I cannot comment if I don't know what you actually are looking for; however, I do wonder at statement number 2. Only the user has modify rights? But Creator Owner has full control? This seems to tell me that there may be files placed there for them to use, that you want to protect their change permissions on them, or delete subfolders and files, if this is a folder. If my assumption is correct, then in any circumstance where you want to control security on files within a folder, this is a very good move, as the Creator Owner group can help do just that.

It is also a very good idea to prevent permission inheritance when you develop permission for files that might be overwritten from above. It is also a good idea, most agree, to maintain some administrative control over user files and folders, although (truth be told) an administrator can, of course, take ownership and get back control if it is necessary for administration. So when needs for security are higher (i.e., avoiding casual access to files), you can remove those administrative rights.

This was first published in June 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: