Permissions and Privileges

Permissions can be set on Files and Folders with CACLS or XCACLS.

Permissions can be None, Read, Change or Full.
'Full' is the same as 'Change' plus the right to administer, e.g. to grant additional users rights to read the file.

Permissions can be assigned to individual users or to groups.

If a user has no rights to the files in a folder, the Security tab in the GUI will not appear (if you have no rights to even list the file names, then you have no rights to list the security attributes either).

Ownership of a file will override all access permissions - administrators can take ownership of any file. SUBINACL can change ownership from the command line.
Newly created files will be owned by the account used to create them (unless the account is an administrator).

There are 4 types of group: Local Machine, Local Domain, Global Domain, Universal

To create Local Users and Local Groups

Control Panel - admin tools - computer management - local users and groups
(not available on a Domain Controller)

or from the command line...
NET localgroup 

To create Global Domain groups and Local Domain groups

Control Panel - admin tools - Active directory users and computers - Users

or from the command line...
NET localgroup /domain
NET group /domain

Best Practice

A recommended arrangement is to assign file/print permissions with one set of workgroups (Resources), and assign user/group membership with a separate set of workgroups (Teams), then assign rights by making each team workgroup a member of the relevant resource workgroup(s).

Advantages
- No duplication of file ACLs no matter how many teams are granted access to the folder - this reduces the size of the File Allocation Table - less fragmentation of the FAT will improve fileserver performance.
- Avoid problems where an ACL change fails because some files are open/in use. With this arrangement, most administrative changes can be made by adding and removing Users from Team Workgroups rather than editing ACLs on disk.
- You can view/audit all permissions in Active Directory without having to search through millions of file ACLs - this makes auditing easier.
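
The arrangement above, as an added example (not part of the original page), using the NET and CACLS commands this page mentions. The share path, group names and user name are hypothetical, and the script assumes it is run by a domain administrator on the file server.

```batch
@echo off
setlocal
rem Hypothetical names, constructed for this example (no spaces, so no quoting needed).
set "SHARE=D:\Shares\Finance"
set "RES=Res_Finance_Change"
set "TEAM=Team_Accounts"
set "USER=jsmith"

rem 1. Resource group: a Local Domain group that will carry the file permission.
net localgroup %RES% /add /domain /comment:"Change access to the Finance share" || goto :fail

rem 2. Team group: a Global Domain group that holds the people.
net group %TEAM% /add /domain /comment:"Accounts team" || goto :fail

rem 3. Put the user in the team, then make the team a member of the resource group.
net group %TEAM% %USER% /add /domain || goto :fail
net localgroup %RES% %TEAM% /add /domain || goto :fail

rem 4. The only ACL edit on disk: grant Change (C) to the resource group.
rem    /E edits the existing ACL instead of replacing it, /T includes subfolders.
cacls "%SHARE%" /T /E /G %USERDOMAIN%\%RES%:C

rem 5. Audit from the directory rather than from file ACLs:
rem    which teams hold the permission, and who is in each team.
net localgroup %RES% /domain
net group %TEAM% /domain

rem Later changes touch group membership only, never the files, for example:
rem    net group %TEAM% %USER% /delete /domain
exit /b 0

:fail
echo A NET command failed with errorlevel %errorlevel% - stopping before the ACL is changed.
exit /b 1
```

Granting a second team access is then one more `net localgroup %RES% <team> /add /domain`; the ACL written in step 4 stays as it is.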

“Of manners gentle, of affections mild; In wit a man, simplicity a child” - Alexander Pope

See also

Groups - Local Domain groups, Global and Universal groups
Built-in Groups - Built-In Users and Security Groups
Q271876 - Large Numbers of ACEs in ACLs Impair Directory Service Performance (slow logon times)
Q909264 - Naming conventions in Active Directory for computers, domains, sites, and OUs


© Copyright SS64.com 1999-2013
Some rights reserved