Permissions and shares issue?

[changedsoul]

Hello. Im a self apointed IT guy for a small shop I work at. I am having difficulty with granting certain people access to certain files and folders on our server. The file structure isnt really setup in a job clasification type of orginations. The files are orginized by how they relate to each other. And this one particular share is driving me NUTS because it seems to contain a ton of stuff many people need access too and many people dont need access too.

 

Re-orginazing based on job descriptions isnt an option, but would make assigning permission much easier because I could just drop a group with those users on it.

 

This one particular share has about 15 folders under it. Some people need need modify on some but not all, while others only need read and some dont need to see some or all of them at all.

 

Its a small place and I could easily place indevidual users on each folder they need, but I know this is a no no. Im trying to think large scale, how can I make this easy to manage if I have a ton of users. Well this just over whelms me, lol and I get lost in a sea of trying to make Share groups with RW/RO etc, tried to make it so no matter what group you belonged to a mapped network drive or drives would be auto setup for them, trying to keep common mapped drive letters among all employees. This began to over whelm me when I tried to think of who needed what, one person in multiple groups got multipl mapped drives, or otheres were missing some they should.

 

Its clear I am not a network admin. I have so much to learn, but this give me a great head start at it.

 

Here is what I was thinking, and let me know if it would be acceptable behavoir, or if its frownd on.

 

This main problomatic share that so many people need, but only some should have read, or nothing at all. I was going to enable ABE on the root of the Share with Authenticated Users Read and Modify on the share permissions. Then....and this is where I want to know its frowned on....break all inherited permissions on the first level folders ( there is not many, maybe 15) and apply only read and write premissions to those groups or indeviduals who need it on each folder and sub folders.

 

Then instead of creating multiple shares for the sub folders for people to access...just share the main root share(not the too of the drive I might add) and give it a mapped drive letter common to everyone.

 

This way ABE will take care of not showing the folders to the people who dont need to see it, and help limit the number of folders then need to look through for what they need.

 

Would this be a decent way to go?

[Sikh]

I had this same problem when I started for the company I work for. The server setup was so old and the old IT guys were seriously windows and knew nothing about unix, posix, acls, etc.

The way I attacked it was I placed every department into a group. For our Subsidiary which is our data processing "factory", I placed all job roles into a group. So I had a group for each job role for the subsidiary and i had a group for each department (ex. legal, software, etc). After this, I created a group for EACH sharepoint, we have about 20 in the main building and about 8 production / customer share points at the other building. I created two groups for each sharepoint which consisted of "BuildingAbbreviation_NameOfSharepoint_R" and "...._...._RW". From here on, I just dumped people in the appropriate groups and boom done. A lot of this became easy because the devs needed RW access to all production / customer share points, so I just dumped "D_SD" into each production / customer sharepoint. Made my job SO EASY.

 

Now, I had the same situation as yours. So what I did was I created a R and RW group for the "Top level / Root Folder" and then I created a group for each folder inside. This was the easiest way to give people read access to "Root Folder" and then if they only needed access to "Subfolder 3,4,7 and 10" thats all they got access to and subfolder "1,2,5,6,8,9" were denied access to.

I don't know what the easiest way to do it in windows is, but thats how I broke it down. With POSIX permissions and ACL's, it worked out beautiful. I can log into the LDAP Master and add someone to a group, within seconds, the file servers will update and that user now has access. Its wonderful.

 

I hope I've helped. Its a hard battle to fight, but definitely worth it when your a small company. We've grown so much the year and half I've been here that Im glad I did this when I started. People were against it but I still did it. Paid off a lot in the end.

[changedsoul]

You definitly pointed me in a new direction. Ill give that a try today and see how it works. There really arent that many actual entry points people need access to to gain access to thier files, so I will create what you did,  a main R/RW group at the root, and then break all folders belieth root into group names_R/RW and drop users into is.

 

I was getting so frustrated because I was trying to setup groups based on all the job roles people perform. As IT I dont know everything everyone does. So I asked and got a few, set it up, then all I hear is, "I dont have access to this any more"..and I tell them, well your not in this job description. "But I need access to this". Ok , so can you give me a descripton of that roles so I can set ip a group and add you to it? Needless to say it became a nightmare. To few people doing way to many job roles that are not actually in the job description makes it hard to figure out where anyone belongs.

 

I just got frustrated and gave Authenticated users - Modify on the whole lot till I can get it sorted out and stop hearing "Its saying access denied, whats wrong..." hehehe.

 

Thankfully its a small enough place and most people dont use a computer, i dont have to worry about things getting buggured up to quickly. I should have time to sort it out.

 

Thanks for the direction, ill give it a shot and let you know how it worked and and what I ended up doing.

[Sikh]

I would definitely plan it out / design the groups. Fill them in and just do it.

Sometimes people from one department might need access to another departments so, that's when you ask questions or give them read only. Don't ever give up. Force change because people hate change. Do it while your small too.

Believe me it pays off

[changedsoul]

I think I took your suggestion.What I did was Created a top level share group for each share

ShareName_Main_RW

..._RO.

 

Then created a Group for each First level sub folder

ShareName_Subfolder_RW

...._RO

 

Placed all the people into what ever group they needed access to.

 

I then placed "Authenticated Users"  List permissions to be able to see the share if its mapped on the Root of the share and placed the "This Folder Only". This worked out great while using the ABE as now only the people who are in particular RW/RO groups will see their folders un the main Shared folder.

 

I then created yet another group "ShareName_MapDrive" and placed all the RW/RO groups that need access any folders that reside under the main root share and created a GPO that will map the drive to any user in any of those groups.

 

Now everyone has only a few mapped drives instead of like 10 like I had before I read up on ABE.

 

Not sure if this was where you were leading me, but thank you. It created a lot of groups, and doesnt seem as elegant as I think it maybe should be, but this is my first domain enviroment and this setup makes it much easier to just open a user and grant them access to a specific set of folders.

[Sikh]

This is exactly where I was leading you. A lot of groups is more elegant then 2 groups with a LOT of people in it lol. I went from ~50 groups to 200 but that fixed a LOT of issues we were having. People accidentally deleting stuff, share points becoming full of garbage, etc. 

 

So be happy with what you have, it sounds like you solved it very quickly and it worked out well for you. I spent 2 weeks designing the god damn setup. I hated it because most of my time was questioning people that said "why can't I have my current permissions" or "i need access to everything". Those aren't the answers I was looking for. By the time all was said and done, I had a nice mind map of how our OD Setup would look like and showed my manager. He was on board and it made sense to him instantly.

So it made my life easier because instead of asking me questions, if a request for a permission update comes in, he can pop in and do it without even thinking about it. I've told him "if you are unsure what this person needs / they can't tell you what they need, give them read". Its been working great so far, so I consider it very successful.