NTFS Permission Structure to allow Traversal but no Modification except in Leaf Nodes?

Posted by pepoluan on Server Fault
Published on 2012-11-14T15:23:30Z Indexed on 2012/11/14 17:05 UTC

Assume there's this folder structure:

D:\ --+-- Acctg --+-- Payable
      |           +-- Receivable
      |
      +-- Fin --+-- Inv
      |         +-- Tax
      |         +-- Treas
      |
      +-- Mrktg --+-- Ads
                  +-- Promo

Users are not allowed to change the structure, but they are free to create & delete files & folders in the leaf nodes (i.e., the rightmost folders).

The AGDLP principle says that I should assign permissions on the above folders to DL-Groups. Let's say I have a G-Group of users, G-Accounting-Payable, containing users that have access to the D:\Acctg\Payable folder.

The way I see it, I have two strategies:

-

Strategy 1

Create three DL-Groups and assign them permissions:

  • DL-D-Acctg_T -- allowed traversal of D:\Acctg folder
  • DL-D-Acctg-Pay_LF -- allowed listing of D:\Acctg\Payable folder contents
  • DL-D-Acctg-Pay__RW -- allowed full permissions to the contents of D:\Acctg\Payable folder

Add G-Accounting-Payable as a member of all the above DL-Groups.

-

Strategy 2

Create just one DL-Group DL-D-Acctg-Pay__RW, and assign it the proper permissions for each level of the folder.

Then, add G-Accounting-Payable as a member of that DL-Group.

-

Which strategy is the recommended best practice, and why?
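The following is an added example, not part of the original question, showing what the ACEs of Strategy 1 look like when written out with PowerShell's Get-Acl/Set-Acl for the D:\Acctg\Payable branch. It assumes a domain NetBIOS name of CONTOSO, that the three DL-Groups and the folders already exist, that it runs elevated on the file server, and it grants Modify rather than Full Control so users cannot rewrite the ACLs themselves (a deliberate choice, not something the question states). Strategy 2 is the same set of ACEs with one identity on all of them, so the script shape alone does not decide between the two.

```powershell
# Added example, not from the original post: Strategy 1 ACEs for D:\Acctg\Payable.
# Assumptions: domain CONTOSO, groups and folders exist, running elevated, PowerShell 5+.
Set-StrictMode -Version Latest
$Domain = 'CONTOSO'

function New-Ace {
    # Builds an Allow ACE. With the defaults the ACE is "This folder only".
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagate = 'None'
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Scope shorthands matching the names in the Advanced Security dialog.
$SubfoldersAndFilesOnly       = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'InheritOnly' }
$ThisFolderSubfoldersAndFiles = @{ Inherit = 'ContainerInherit, ObjectInherit'; Propagate = 'None' }

function Set-LockedFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule[]]$Aces
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited ACEs. Without this the
    # default BUILTIN\Users entries from D:\ (Create files / Create folders on subfolders)
    # would still let users change the structure.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any leftover explicit ACEs so the result is exactly the set added below.
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

# Administrative ACEs every level keeps once inheritance is broken.
$AdminAces = @(
    (New-Ace 'NT AUTHORITY\SYSTEM'    FullControl @ThisFolderSubfoldersAndFiles),
    (New-Ace 'BUILTIN\Administrators' FullControl @ThisFolderSubfoldersAndFiles)
)

# D:\Acctg: traverse only, "This folder only". Members of DL-D-Acctg_T can pass
# through to Payable but cannot create or delete anything in Acctg itself.
Set-LockedFolderAcl -Path 'D:\Acctg' -Aces ($AdminAces + @(
    (New-Ace "$Domain\DL-D-Acctg_T" 'Traverse, ReadAttributes')
))

# D:\Acctg\Payable: three ACEs carry the "free in the leaf, locked above it" rule.
Set-LockedFolderAcl -Path 'D:\Acctg\Payable' -Aces ($AdminAces + @(
    # Listing the leaf, "This folder only".
    (New-Ace "$Domain\DL-D-Acctg-Pay_LF" ReadAndExecute),
    # Creating new items requires Create files / Create folders on the leaf folder
    # itself; this ACE is the one that is easy to forget when the rest is InheritOnly.
    (New-Ace "$Domain\DL-D-Acctg-Pay__RW" 'CreateFiles, CreateDirectories'),
    # Everything created inside is editable and deletable, but because this ACE is
    # InheritOnly it never applies to Payable itself, so Payable cannot be renamed
    # or deleted (both need Delete on the folder, which no ACE here grants).
    (New-Ace "$Domain\DL-D-Acctg-Pay__RW" Modify @SubfoldersAndFilesOnly)
))

# Check: show the resulting explicit ACEs with their scope.
foreach ($p in 'D:\Acctg', 'D:\Acctg\Payable') {
    Write-Host "== $p"
    (Get-Acl -Path $p).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

Two caveats when checking the result. First, Windows grants the "Bypass traverse checking" privilege (SeChangeNotifyPrivilege) to Everyone by default, so the traverse ACE on D:\Acctg only becomes load-bearing if that privilege is removed by policy; it is still worth setting explicitly so the ACL documents the intent. Second, with Traverse alone users can open D:\Acctg\Payable by typing the full path but will not see "Payable" when browsing D:\Acctg; if they should be able to click through, add ListDirectory to the traverse ACE (still "This folder only"). Verify with a test account rather than by reading the ACL: creating and deleting a file inside Payable should succeed, while renaming or deleting Payable itself, or creating anything directly under D:\Acctg, should be denied.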

© Server Fault or respective owner
