Re: Security on folders

07/09/2007, 15h06

Mauger <Mauger@discussions.microsoft.com> wrote:
> Is there a way or snap in so that I can do a mass change on the
> security tab to add a new user with Modify access to a folder? Be
> looking to do a script that will go through each folder and add a
> user to that folders properties with modify access.

Look into CACLS....

Also, I'm presuming you use AD. I would recommend you start using security
groups (universal) when you set up your file system, and use only groups
when assigning your NTFS permissions. Then it's a simple matter of adding
your AD users to the appropriate groups or removing them from same, as
needed. I don't assign permissions to individual users unless it's their
home directory folder.

08/09/2007, 18h56

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote in message
news:em3ZpjV8HHA.1900@TK2MSFTNGP02.phx.gbl...
> Mauger <Mauger@discussions.microsoft.com> wrote:
>> Is there a way or snap in so that I can do a mass change on the
>> security tab to add a new user with Modify access to a folder? Be
>> looking to do a script that will go through each folder and add a
>> user to that folders properties with modify access.
>
> Look into CACLS....
>
> Also, I'm presuming you use AD. I would recommend you start using security
> groups (universal) when you set up your file system, and use only groups
> when assigning your NTFS permissions. Then it's a simple matter of adding
> your AD users to the appropriate groups or removing them from same, as
> needed. I don't assign permissions to individual users unless it's their
> home directory folder.

Agreed 100%. I also suggest having a strict one-to-one relationship between
the folder/permission level and the group(s) given that permission level.
For example, a folder called SharedInfo might be permitted read-only to a
group called SharedInfo-R and read/write to SharedInfo-R, with neither group
being permitted to any other resource. You can then create the required
groups at the time the folder is created, and do the permissions once and
only once at the same time.

/Al

07/09/2007, 15h06	#1
Lanwench [MVP - Exchange] Messages: n/a Hébergeur:	Re: Security on folders Mauger <Mauger@discussions.microsoft.com> wrote: > Is there a way or snap in so that I can do a mass change on the > security tab to add a new user with Modify access to a folder? Be > looking to do a script that will go through each folder and add a > user to that folders properties with modify access. Look into CACLS.... Also, I'm presuming you use AD. I would recommend you start using security groups (universal) when you set up your file system, and use only groups when assigning your NTFS permissions. Then it's a simple matter of adding your AD users to the appropriate groups or removing them from same, as needed. I don't assign permissions to individual users unless it's their home directory folder.

08/09/2007, 18h56	#2
Al Dunbar Messages: n/a Hébergeur:	Re: Security on folders "Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmailatya hoo.com> wrote in message news:em3ZpjV8HHA.1900@TK2MSFTNGP02.phx.gbl... > Mauger <Mauger@discussions.microsoft.com> wrote: >> Is there a way or snap in so that I can do a mass change on the >> security tab to add a new user with Modify access to a folder? Be >> looking to do a script that will go through each folder and add a >> user to that folders properties with modify access. > > Look into CACLS.... > > Also, I'm presuming you use AD. I would recommend you start using security > groups (universal) when you set up your file system, and use only groups > when assigning your NTFS permissions. Then it's a simple matter of adding > your AD users to the appropriate groups or removing them from same, as > needed. I don't assign permissions to individual users unless it's their > home directory folder. Agreed 100%. I also suggest having a strict one-to-one relationship between the folder/permission level and the group(s) given that permission level. For example, a folder called SharedInfo might be permitted read-only to a group called SharedInfo-R and read/write to SharedInfo-R, with neither group being permitted to any other resource. You can then create the required groups at the time the folder is created, and do the permissions once and only once at the same time. /Al

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email