Folder Permissions Help!

Discussion in 'General Microsoft Certifications' started by Methodman85, Feb 21, 2010.

  1. Methodman85

    Methodman85 Byte Poster

    Hey Guys,

    I was just wondering how some of you assign your NTFS permissions.
    Say you have a Marketing Department and a Marketing shared folder on a file server. Different people in the Marketing department require different permissions in the Marketing folder and sub folders, what would you do?

    Domain Local groups Marketing Read, Write, Modify, Full assigned to the folder, then pop the appropriate users into each?

    Or go extremely granular, say a folder within the marketing folder has broken inheritance, would you create another set of Domain Local Read, Write, Modify etc. for that folder and then assign the appropriate users? So pretty much a set of access groups for each folder with broken inheritance.

    Or would you create a marketing global group with all marketing employees in it, assign it to the Domain Local resource group Marketing write for instance, and then add users explicitly after that, like add the Marketing Manager to the Domain Local marketing Modify group.

    Thanks Everyone, I value your opinions!
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  2. craigie

    craigie Terabyte Poster

    In large organisations, the best way to think about this is to make your life as easy as possible.

    Start with an Excel Spreadsheet with all your high level shares, then your sub folders which are blocking inheritance as they will have different permissions. Also think about naming conventions as you will probably have folders called Marketing & Sales in different locations so you might want to prefix shares with sites e.g. NY - Marketing Report 2008.

    Then create Security Groups based around the Shared Folder names rather than the Group they belong to.

    e.g.

    Shared Folder 'NY - Marketing Report 2008'

    Create the following Security Groups (if needed) and assign permissions.

    NY - Marketing Report 2008 - Read Only
    NY - Marketing Report 2008 - Modify

    Then add the users to these groups.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
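
The per-folder naming scheme from the post above as a PowerShell script (an added example, not part of the original thread). The share path, the OU, the domain name and the `BreakInheritance` column are hypothetical placeholders, and the explicit SYSTEM/Administrators entries on folders that block inheritance are an added assumption:

```powershell
# Added example. Constructed inventory standing in for the spreadsheet of shares;
# the paths, OU and domain name are hypothetical placeholders.
Import-Module ActiveDirectory
$inventory = @'
FolderName,Path,BreakInheritance
NY - Marketing Report 2008,D:\Shares\NY - Marketing Report 2008,false
'@ | ConvertFrom-Csv

$groupOu = 'OU=FileShareGroups,DC=example,DC=com'
$domain  = 'EXAMPLE'
# Group suffix -> NTFS right granted to that group
$levels  = [ordered]@{ 'Read Only' = 'ReadAndExecute'; 'Modify' = 'Modify' }
$inherit = 'ContainerInherit,ObjectInherit'

function New-Rule([string]$Identity, [string]$Rights) {
    # Allow rule that applies to the folder, its subfolders and files
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, 'None', 'Allow')
}

foreach ($row in $inventory) {
    $acl = Get-Acl -Path $row.Path
    if ([System.Convert]::ToBoolean($row.BreakInheritance)) {
        # Drop inherited entries, then keep explicit admin access so the
        # folder stays manageable (an added safeguard, not from the thread).
        $acl.SetAccessRuleProtection($true, $false)
        $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl'))
        $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))
    }
    foreach ($level in $levels.Keys) {
        # One security group per folder and access level, named after the folder
        $name = '{0} - {1}' -f $row.FolderName, $level
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -SamAccountName $name -Path $groupOu `
                -GroupScope DomainLocal -GroupCategory Security
        }
        $acl.AddAccessRule((New-Rule "$domain\$name" $levels[$level]))
    }
    Set-Acl -Path $row.Path -AclObject $acl
}
```

A freshly created group may not resolve on the file server until AD replication completes, so in a multi-DC domain it is safer to run group creation and ACL assignment as separate passes.
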
  3. Methodman85

    Methodman85 Byte Poster

    So then what about each "NY - Marketing 2008" subfolder that requires broken inheritance, create another set of access groups for that folder?
    For instance, if "Brochures" was a sub folder, what would the naming convention be like? Just call it NY - Brochures Read, Write, etc.

    Also, where would you recommend storing these groups in AD, perhaps within the Marketing Department's OU > Groups OU > File Share OU?

    Thanks craigie!
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
