Hello. I'm a self-appointed IT guy for a small shop I work at. I am having difficulty with granting certain people access to certain files and folders on our server. The file structure isn't really set up in a job-classification type of organization. The files are organized by how they relate to each other. And this one particular share is driving me NUTS because it seems to contain a ton of stuff many people need access to and many people don't need access to.
Reorganizing based on job descriptions isn't an option, but would make assigning permissions much easier because I could just drop a group with those users on it.
This one particular share has about 15 folders under it. Some people need modify on some but not all, while others only need read and some don't need to see some or all of them at all.
It's a small place and I could easily place individual users on each folder they need, but I know this is a no-no. I'm trying to think large scale: how can I make this easy to manage if I have a ton of users? Well, this just overwhelms me, lol, and I get lost in a sea of trying to make share groups with RW/RO etc. I tried to make it so no matter what group you belonged to, a mapped network drive or drives would be auto set up for them, trying to keep common mapped drive letters among all employees. This began to overwhelm me when I tried to think of who needed what; one person in multiple groups got multiple mapped drives, or others were missing some they should have.
It's clear I am not a network admin. I have so much to learn, but this gives me a great head start at it.
Here is what I was thinking, and let me know if it would be acceptable behavior, or if it's frowned on.
This main problematic share that so many people need, but only some should have read, or nothing at all. I was going to enable ABE on the root of the share with Authenticated Users Read and Modify on the share permissions. Then... and this is where I want to know if it's frowned on... break all inherited permissions on the first-level folders (there are not many, maybe 15) and apply only read and write permissions to those groups or individuals who need it on each folder and subfolders.
Then instead of creating multiple shares for the subfolders for people to access... just share the main root share (not the top of the drive, I might add) and give it a mapped drive letter common to everyone.
This way ABE will take care of not showing the folders to the people who don't need to see them, and help limit the number of folders they need to look through for what they need.
Would this be a decent way to go?
Best Answer Sikh, 22 January 2014 - 18:50
This is exactly where I was leading you. A lot of groups is more elegant than 2 groups with a LOT of people in them, lol. I went from ~50 groups to 200 but that fixed a LOT of issues we were having. People accidentally deleting stuff, share points becoming full of garbage, etc.
So be happy with what you have; it sounds like you solved it very quickly and it worked out well for you. I spent 2 weeks designing the god damn setup. I hated it because most of my time was spent questioning people that said "why can't I have my current permissions" or "I need access to everything". Those aren't the answers I was looking for. By the time all was said and done, I had a nice mind map of how our OD setup would look and showed my manager. He was on board and it made sense to him instantly.
So it made my life easier because instead of asking me questions, if a request for a permission update comes in, he can pop in and do it without even thinking about it. I've told him "if you are unsure what this person needs / they can't tell you what they need, give them read". It's been working great so far, so I consider it very successful.
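The layout discussed in this thread (ABE on the share, inheritance broken on each first-level folder, one read-only and one read/write group per folder) can be scripted. The PowerShell below is an added example, not part of either post; the share name, path, domain and the `FS-<folder>-RO` / `FS-<folder>-RW` group names are hypothetical, and the groups are assumed to already exist.

```powershell
# Added example. Every name here is hypothetical; adjust before use.
$ShareName = 'Main'              # hypothetical share name
$RootPath  = 'D:\Shares\Main'    # hypothetical folder behind the share
$Domain    = 'SHOP'              # hypothetical domain (NetBIOS) name

# 1. Share level: a single broad share permission, with ABE switched on.
#    The share ACL is only the outer limit; NTFS decides who sees what.
Grant-SmbShareAccess -Name $ShareName -AccountName 'NT AUTHORITY\Authenticated Users' `
    -AccessRight Change -Force | Out-Null
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# Helper: allow rule that applies to the folder, its subfolders and files.
function New-FolderRule([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

# 2. NTFS level: every first-level folder gets its own protected ACL.
foreach ($folder in Get-ChildItem -Path $RootPath -Directory) {
    $acl = Get-Acl -Path $folder.FullName

    # Stop inheriting from the share root and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Drop explicit leftovers (for example, individually added users).
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    # Breaking inheritance removes admin access too, so add it back first.
    $acl.AddAccessRule((New-FolderRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-FolderRule 'NT AUTHORITY\SYSTEM'    'FullControl'))

    # One read-only and one read/write group per folder (assumed to exist).
    $acl.AddAccessRule((New-FolderRule "$Domain\FS-$($folder.Name)-RO" 'ReadAndExecute'))
    $acl.AddAccessRule((New-FolderRule "$Domain\FS-$($folder.Name)-RW" 'Modify'))

    Set-Acl -Path $folder.FullName -AclObject $acl
}

# 3. Review the result: ABE mode and the final ACL on each folder.
Get-SmbShare -Name $ShareName | Select-Object Name, FolderEnumerationMode
Get-ChildItem -Path $RootPath -Directory | ForEach-Object {
    $_.FullName
    (Get-Acl -Path $_.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

A user who is in neither group for a folder has no NTFS read access to it, so ABE hides that folder from their view of the mapped drive. Users still need list access on the share root itself to see the folders they are allowed into.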