5

How do you assign a single user (or a couple users) to a shared subfolder but restrict it for others?

My company and I are running into an issue with how our current file share environment was set up, but instead of trying to fix the problems, we're going to rebuild the system on a new platform. This time we want to do it right from the ground up.

However, the problem we're running into is how to get away from assigning a single user permissions to access the folder. My understanding is that you assign a user to a (security) group and then add that group to the NTFS permissions. However, we have a number of folders where we need to give a specific user access to the folder, but not the users in that group.

My apologies if I'm not explaining it clearly. I'll try to clarify as best I can in responses.

David
  • 177

4 Answers

7

> My understanding is that you assign a user to a (security) group and then add that group to the NTFS permissions. However, we have a number of folders where we need to give a specific user access to the folder, but not the users in that group.

That's the general rule, but if you need to assign permissions to only a single user you can certainly do that.

Another option would be to create a Security Group, add this lone user account to the group and assign permissions to that group. That way if you need to grant other users access to the folder you can simply add them to the group.

joeqwerty
  • 111,849
5

A general rule of thumb is if the folder is for a specific user, i.e. a Home drive folder or a specific confidential scanned document share, then set the permissions for the individual user.

If the folder is for a department or a program/application, then create a security group for the specific use and add the user(s) to the group and assign permissions to the group.

This method allows for expansion down the road when they decide they want additional people to have access, and if you ever need to do maintenance in the future or re-create a share, it will be straightforward to the people managing as to who should have access.

5

From the Linux perspective and sharing via Samba, I set the top level share to be 770 with the setgid bit set (so all files/directories created retain the group ownership of the top level of the share), and give access there to the foo group. Then create a subdirectory, set the perms the same way, but also change the group ownership to a group unique to the user(s) that need access to the restricted area, foo-admins or whatever. This maps nicely to your security groups in Windows.

The issue when assigning the perms to the specific user Bob is that when Bob retires/drops dead/wins lotto and a replacement is hired, you have to hunt down all the "special" stuff owned by Bob and change the ownership/perms.

So from a cross platform perspective, go with the security groups model and not individual users beyond their $HOME share or equivalent. Makes the inevitable personnel change much easier to deal with.

ivanivan
  • 1,548
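
The layout described in the answer above, as an added example that is not part of the original post: one function applies the 770-plus-setgid model to a directory, and one audits it afterwards. The paths under `/srv/share` are assumptions, and `foo` / `foo-admins` are the answer's placeholder group names.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a Linux file server and group
# names without spaces; "foo" and "foo-admins" must already exist.

# Print the group that owns DIR (name, or numeric gid if it has no name).
dir_group() {
    ls -ld "$1" | awk '{print $4}'
}

# Create DIR, hand it to GROUP, and set mode 2770:
# rwx for owner and group, nothing for others, setgid so new entries keep GROUP.
setup_share_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Return 0 only if DIR is a directory with mode 2770 owned by group GROUP.
check_share_dir() {
    [ -d "$1" ] || { echo "$1: not a directory" >&2; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    if [ "$perms" != "drwxrws---" ]; then
        echo "$1: permissions are $perms, expected drwxrws---" >&2
        return 1
    fi
    group=$(dir_group "$1")
    if [ "$group" != "$2" ]; then
        echo "$1: group is $group, expected $2" >&2
        return 1
    fi
}

# Layout from the answer (hypothetical paths). Run as root on the server:
#   setup_share_dir /srv/share foo
#   setup_share_dir /srv/share/restricted foo-admins
# Members of foo-admins must also be in foo, otherwise the 770 on the top
# level stops them before they reach the restricted subdirectory.
# Audit later, e.g. after a personnel change or a restore:
#   check_share_dir /srv/share foo &&
#       check_share_dir /srv/share/restricted foo-admins
```

Access to the restricted area is then granted or revoked by changing membership of `foo-admins`, never by touching the directory itself.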
2

One thing I learned on this thread is that we don't need to be so rigid with the "rules" when it comes to setting up shares and permissions, but adhering to best practices will save us trouble in the long run. Somewhere in the middle is the answer.

I wish there was a way to see how other companies handle this issue as I'm sure I'm not the only one who's faced it.

Thank you again for everybody's comments, advice, and suggestions - especially for not making me feel like a complete knucklehead. It's greatly appreciated.

David
  • 177