Permissions and Privileges

Permissions can be set on Files and Folders with CACLS or XCACLS.

Permissions can be None, Read, Change or Full.
'Full' is the same as 'Change' plus the right to administer the file, e.g. grant additional users the right to read it.

Permissions can be assigned to individual users or to Workgroups.

If a user has no rights to the files in a folder the security tab in the GUI will not appear (if you have no rights to even list the file names then you have no rights to list the security attributes either.)

Ownership of a file will override all access permissions - administrators can take ownership of any file. SUBINACL can change ownership from the command line.
Newly created files will be owned by the account used to create them (unless the account is an administrator).

There are 4 types of Workgroup:

Local Machine (span a single machine)
Local Domain (span a single domain)
Global Domain (span multiple domains)
Universal (span the enterprise)

Universal groups are expensive to use, so limit the number of these - use only where it is necessary to create a group that spans one or more domains. Universal groups are not available in mixed-mode (NT) domains.

User membership:

A Domain User can become a member of any type of Workgroup.

A Local Machine User can only join a Local Machine workgroup.

Workgroup membership:

A Global Domain WorkGroup can become a member of any type of Workgroup.

A Local Domain WorkGroup can become a member of a Local Machine workgroup or another Local Domain WorkGroup, but cannot join a Global Domain WorkGroup.

Universal groups may include both other Universal groups and global groups from any domain in the enterprise; they are visible throughout the entire enterprise.

A Local Machine WorkGroup cannot become a member of any other workgroup.

Example

One computer hosts a local machine workgroup called LocalShop7
The domain hosts a Local Domain workgroup called Warehouse3
The domain hosts a Global Domain workgroup called Country1

Country1 is a member of Warehouse3
Warehouse3 is a member of LocalShop7

A user who is a member of either Warehouse3 or Country1 will have access to any resources controlled by LocalShop7

A user who is a member of Country1 will have access to any resources controlled by Warehouse3

A user who is a member of Warehouse3 will not have access to any resources controlled by Country1

A user who is a member of LocalShop7 will not have access to any resources controlled by Warehouse3 or Country1.
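The nesting rules and the LocalShop7 example above can be checked mechanically. The following PowerShell model is an added example, not part of the original page: the rule table encodes which group types each type may join, Add-ModelMember refuses any membership the rules forbid, and Test-ModelAccess walks memberships upwards to decide whether a member of one group reaches resources controlled by another. Group names are the page's; the rule table, the function names and the two extra entries in the Universal row (standard AD nesting, which the page does not state) are this example's own.

```powershell
# Added example (not from the original page): a model of the workgroup nesting rules.
# $AllowedContainers[<member type>] lists the group types that member type may join.
$AllowedContainers = @{
    'LocalMachine' = @()                                                # cannot join anything
    'LocalDomain'  = @('LocalMachine', 'LocalDomain')                   # never a Global group
    'Global'       = @('LocalMachine', 'LocalDomain', 'Global', 'Universal')
    'Universal'    = @('Universal', 'LocalDomain', 'LocalMachine')      # page states Universal only;
                                                                        # the other two are standard AD
}

$Groups = @{}   # name -> @{ Type = <type>; Members = list of member group names }

function New-ModelGroup([string]$Name, [string]$Type) {
    if (-not $AllowedContainers.ContainsKey($Type)) { throw "unknown group type '$Type'" }
    $Groups[$Name] = @{ Type = $Type; Members = [System.Collections.Generic.List[string]]::new() }
}

# Adds $Member to $Group, refusing the combinations the rule table does not allow.
function Add-ModelMember([string]$Group, [string]$Member) {
    foreach ($n in $Group, $Member) {
        if (-not $Groups.ContainsKey($n)) { throw "unknown group '$n'" }
    }
    $memberType = $Groups[$Member].Type
    $groupType  = $Groups[$Group].Type
    if ($AllowedContainers[$memberType] -notcontains $groupType) {
        throw "$Member ($memberType) cannot be a member of $Group ($groupType)"
    }
    $Groups[$Group].Members.Add($Member)
}

# Every group that $Start is a member of, directly or through nesting, plus $Start itself.
# Resources controlled by any of these groups are reachable by a user in $Start.
function Get-ReachableGroups([string]$Start) {
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Start)
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if (-not $seen.Add($g)) { continue }          # already visited
        foreach ($name in $Groups.Keys) {
            if ($Groups[$name].Members -contains $g) { $queue.Enqueue($name) }
        }
    }
    return $seen
}

function Test-ModelAccess([string]$UserGroup, [string]$ResourceGroup) {
    return ((Get-ReachableGroups $UserGroup) -contains $ResourceGroup)
}

# The page's example: LocalShop7 (local machine), Warehouse3 (local domain), Country1 (global).
New-ModelGroup 'LocalShop7' 'LocalMachine'
New-ModelGroup 'Warehouse3' 'LocalDomain'
New-ModelGroup 'Country1'   'Global'
Add-ModelMember -Group 'Warehouse3' -Member 'Country1'
Add-ModelMember -Group 'LocalShop7' -Member 'Warehouse3'

# The access statements from the page, evaluated by the model (all should match "expected").
$checks = @(
    @('Warehouse3', 'LocalShop7', $true),
    @('Country1',   'LocalShop7', $true),
    @('Country1',   'Warehouse3', $true),
    @('Warehouse3', 'Country1',   $false),
    @('LocalShop7', 'Warehouse3', $false)
)
foreach ($c in $checks) {
    $got = Test-ModelAccess $c[0] $c[1]
    '{0,-11} -> {1,-11} access={2} (expected {3})' -f $c[0], $c[1], $got, $c[2]
}

# A nesting the page forbids (Local Domain group inside a Global group) is rejected.
try { Add-ModelMember -Group 'Country1' -Member 'Warehouse3' } catch { "Rejected: $_" }
```

The walk is upwards only: being a member of Warehouse3 never grants anything controlled by Country1, which is exactly the asymmetry the page's last two statements describe.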

After a new workgroup folder has been set up and permissions applied, workgroup members will need to log out and log in again before they will be able to read or edit the files. This restriction does not apply to Domain Admins.

To create Local Users and Local Groups

Control Panel - admin tools - computer management - local users and groups
( not available on a Domain Controller )

or from the command line...
NET localgroup 

To create Global Domain WorkGroups and Local Domain WorkGroups

Control Panel - admin tools - Active directory users and computers - Users

or from the command line...
NET localgroup /domain
NET group /domain

Best Practice

A recommended arrangement is to assign file ACLs with a Local Domain workgroup, assign users to a GLOBAL workgroup, and then assign rights by making the GLOBAL workgroup a member of the Local Domain workgroup.

Example: Files are stored in \\server1\Purchasing

Create a Local Domain workgroup Local_files - give this group CHANGE permissions on the folder.
Create a GLOBAL workgroup Global_Team1 - make this workgroup a member of Local_files

Now if a second Workgroup needs access to the same files, e.g. Global_Team23, just make this workgroup a member of the same group Local_files. No need to add any new ACLs to any files; this is a big win when working with a large number of files.

Typically each folder will need one ACL granting CHANGE permission to the Workgroup, and one ACL granting FULL Administrative access for running backups etc.
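As an added example (not code from the original page or from SS64), the following PowerShell function carries out the Best Practice procedure above for \\server1\Purchasing: it creates the groups with the NET commands listed under 'To create ...', nests the global team groups into the domain local group, and applies the two folder ACEs with Set-Acl, the PowerShell equivalent of CACLS /G on a directory. The function name, the mapping of CHANGE to the Modify rights set, running as a domain admin on a domain member, and the $env:USERDOMAIN default are assumptions.

```powershell
# Added example, not code from the original page. Implements the Best Practice layout:
# one domain local group holds the folder ACL, global team groups are nested into it.
# Assumes: run as a domain admin on a domain-joined machine; $Domain is the NetBIOS name.
function Set-TeamFolderAccess {
    param(
        [Parameter(Mandatory)] [string]$Folder,         # e.g. \\server1\Purchasing
        [Parameter(Mandatory)] [string]$LocalGroup,     # domain local group that holds the ACL
        [Parameter(Mandatory)] [string[]]$GlobalGroups, # global team groups nested into it
        [string]$Domain = $env:USERDOMAIN
    )

    # 1. Domain local group that will appear in the ACL (NET LOCALGROUP /DOMAIN, as on the page).
    #    NET exits non-zero if the group already exists; that case is harmless here.
    net localgroup $LocalGroup /add /domain 2>$null | Out-Null

    # 2. One global group per team, each nested into the domain local group.
    #    Granting a new team later is only this step again; the folder ACL never changes.
    foreach ($g in $GlobalGroups) {
        net group $g /add /domain 2>$null | Out-Null
        net localgroup $LocalGroup $g /add /domain 2>$null | Out-Null
    }

    # 3. The two ACEs the page prescribes: CHANGE (Modify) for the domain local group and
    #    FULL for Administrators (backups etc.). Both inherit to subfolders and files,
    #    which is what CACLS /G does when the target is a directory. Existing ACEs are kept,
    #    like CACLS /E.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        [System.Security.AccessControl.FileSystemAccessRule]::new(
            "$Domain\$LocalGroup",
            [System.Security.AccessControl.FileSystemRights]::Modify, $inherit, $propagate, $allow),
        [System.Security.AccessControl.FileSystemAccessRule]::new(
            'BUILTIN\Administrators',
            [System.Security.AccessControl.FileSystemRights]::FullControl, $inherit, $propagate, $allow)
    )

    $acl = Get-Acl -Path $Folder
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Folder -AclObject $acl

    # 4. Read back the result as an auditor would see it: the owner (which overrides the
    #    ACEs, as the page notes) and the explicit ACEs on the folder.
    $applied = Get-Acl -Path $Folder
    [pscustomobject]@{
        Folder = $Folder
        Owner  = $applied.Owner
        Aces   = $applied.Access | Where-Object { -not $_.IsInherited } |
                 Select-Object IdentityReference, FileSystemRights, AccessControlType
    }
}

# Usage with the names from the page:
Set-TeamFolderAccess -Folder '\\server1\Purchasing' -LocalGroup 'Local_files' `
                     -GlobalGroups 'Global_Team1', 'Global_Team23'
```

Run it once per folder; granting Global_Team23 later is just the nesting step again and touches no file ACL. As the page notes, team members only see the new access after they log out and log in again, and the read-back at the end is the quick check that the folder carries the two expected entries and nothing unexpected.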

Advantages
- No duplication of file ACLs no matter how many teams are granted access to the folder - this reduces the size of the File Allocation Table - less fragmentation of the FAT will improve fileserver performance.
- Avoids the problem where an ACL change fails because the files are open/in use.
- You can see all permissions in Active Directory without having to search through millions of file ACLs - this makes auditing easier.

Disadvantages
- Local Domain Workgroups are only visible within that domain
- Local Domain Workgroups contain the domain name - so require slightly more storage in the SAM database.

“Of manners gentle, of affections mild; In wit a man, simplicity a child” - Alexander Pope

See also

Q271876 - Large Numbers of ACEs in ACLs Impair Directory Service Performance (slow logon times)
WorkGroups - Built-In Users and Security Groups
Workgroups.ppt - The default Admin Workgroups




Simon Sheppard
SS64.com