Filestore Best Practices #3: Only ever assign group permissions even if the group has only one member.

Assigning the permissions to Filestore resources is easy but managing permissions for an expanding volume of data in an ever evolving department is not. It can however be made easier by only using security groups.

Most people reading this will look after Filestore resources which are accessed by various people within their departments. The data structure may be made up of hundreds or even thousands of folders for which a complex set of permissions are required.

The problem with assigning individual users permissions is that there will come a point eventually where you will not be able remember who a user (let’s call them) n563456 is, why they were assigned permissions and if they should still have access. The situation would be worse still for someone taking over or assisting with management of the resources.

The best way to avoid this is to never assign individual users permissions on a resource but to create a Security group even if only one user will be the only member in it.

This will allow you to do the following:

Give the group a meaningful name.

For example, calling the group HR – Directors Shared Filestore (Read\Write) will help you identify it’s function, level of access and who should be a member at a glance.

TIP: Prefix all of your group names with your departments name e.g. ISS XXXX XXXXX. A group called ‘Research Shared Folder’ will not be as easy to find.

Allow you to add and remove users without having to browse to the resource.

It’s much easier to open the ADUC snap-in and add to or remove from a group than it is to browse to a nested folder and examine the ACLs.

Avoid Ghost s-ids

Ghost sids occur when an account has been deleted but the permission persists on the resource.

Document, audit and manage access from one place.

You can add comments to groups and manage all of your permissions from one central location, perhaps by a regular review of group membership.

Make things easier on team members or your successors.

By using a group based approach new team members and your successors will be able to easily see changes and see how permissions are configured.

SUMMARY: Never assign individual users permissions to a Filestore resource as they will grow too complex. Only ever use groups even if there is only one user on it and always add a description to the group.

This entry was posted in ActiveDirectory, FileStore, Security, Vista, Windows7, WindowsServer by James. Bookmark the permalink.

About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup) http://twitter.com/JamesAPocock

Leave a Reply

Your email address will not be published. Required fields are marked *