Permissions can be set on Files and Folders with CACLS
or XCACLS (ICACLS replaces both on Vista/2008 and later).
The CACLS permission levels are None (revoke with /R), Read, Write, Change or Full,
'Full' being the same as 'Change' plus the right to administer the file, e.g. to grant additional
users the right to read it. The GUI exposes finer-grained rights; CACLS maps them onto its letters R, W, C and F.
Permissions can be assigned to individual users or to groups (this page calls them Workgroups; see Best Practice below for why groups are preferable).
If a user has no rights to the files in a folder the security tab in the GUI
will not be usable: reading an ACL requires READ_CONTROL on the object, so if you have
no right to even list the file names you have no right to read their security attributes either.
Ownership of a file overrides all access permissions: the owner always holds the implicit
right to read and rewrite the DACL (READ_CONTROL and WRITE_DAC), so an owner who has been
denied access can simply grant it back. Administrators can take ownership of any file
(they hold the SeTakeOwnershipPrivilege). SUBINACL can change
ownership from the command line.
Newly created files are owned by the account that created them, unless that
account is a member of the Administrators group, in which case the Administrators group
is made the owner (the default security setting).
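The ownership rules above, worked through on a single file as an added example (this is not code from the original page). It assumes a hypothetical file D:\Data\report.txt, a hypothetical user MYDOM\alice, an elevated PowerShell session on the file server, and SUBINACL (Resource Kit) on the PATH:

```powershell
# Added example: default owner, handing ownership to a user, and why ownership
# beats a Deny ACE.  Hypothetical: D:\Data\report.txt, MYDOM\alice.  Run elevated.
$file = 'D:\Data\report.txt'

# 1. Default owner.  Created from an elevated (Administrators) session, the file is
#    owned by the Administrators group, not by the individual account.
New-Item -Path $file -ItemType File -Force | Out-Null
(Get-Acl -Path $file).Owner          # BUILTIN\Administrators when run elevated

# 2. The current DACL, one row per ACE.
(Get-Acl -Path $file).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 3. Hand the file to alice.  Assigning ownership to someone other than yourself
#    needs SeRestorePrivilege, which Administrators hold; SUBINACL does this in one step.
subinacl /file $file "/setowner=MYDOM\alice"

# 4. Now deny alice everything.  Because she owns the file she still has READ_CONTROL
#    and WRITE_DAC implicitly, so she can open the Security tab and delete this Deny ACE
#    herself: ownership overrides the permissions that were set.
$acl = Get-Acl -Path $file
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'MYDOM\alice', 'FullControl', 'Deny'))
Set-Acl -Path $file -AclObject $acl

# 5. Take the file back as an administrator (SeTakeOwnershipPrivilege).
#    /A assigns ownership to the Administrators group rather than to the caller,
#    matching the default-owner rule in step 1.
takeown /F $file /A
(Get-Acl -Path $file).Owner          # back to BUILTIN\Administrators
```

Step 4 is the point to remember when auditing: a Deny ACE on the owner is not a control, because the owner can remove it. If a user must be locked out of a file they own, change the owner first.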
There are 4 types of security group (this page calls them Workgroups; do not confuse them with a Windows 'workgroup', the peer-to-peer alternative to a domain):
Local Machine (span a single machine; stored in that machine's SAM)
Local Domain (can be granted rights only on resources within a single domain)
Global Domain (can be granted rights in any domain in the forest, but can only contain members from their own domain)
Universal (span the enterprise: can be granted rights on, and contain members from, any domain in the forest)
Universal groups are expensive to use because their membership is replicated to every Global Catalog server in the forest, so limit the number of these - use one only where it is necessary to create a group that spans more than one domain. Universal security groups are not available in mixed-mode (NT-compatible) domains.
User membership:
A Domain User can become a member of any type of group.
A Local Machine User can only join a Local Machine group on that machine.
Group membership (nesting):
A Global Domain group can become a member of any type of group: Local Machine, Local Domain, Universal, or another Global group in the same domain.
A Local Domain group can become a member of a Local Machine group or another Local Domain group in the same domain, but cannot join a Global Domain group or a Universal group.
Universal groups may include other Universal groups, and global groups and users from any domain in the forest; they are visible throughout the entire forest.
A Local Machine group cannot become a member of any other group.
Nesting is transitive: a user in a group that is itself a member of a second group receives everything granted to the second group.
Example
One computer hosts a Local Machine group called LocalShop7
The domain hosts a Local Domain group called Warehouse3
The domain hosts a Global Domain group called Country1
Country1 is a member of Warehouse3
Warehouse3 is a member of LocalShop7
A user who is a member of either Warehouse3 or Country1 will have access to any resources whose ACLs grant access to LocalShop7
A user who is a member of Country1 will have access to any resources whose ACLs grant access to Warehouse3
A user who is a member of Warehouse3 will not have access to resources whose ACLs grant access only to Country1
A user who is a member of LocalShop7 will not have access to resources whose ACLs grant access only to Warehouse3 or Country1.
After a new group has been set up and permissions applied, group members will need to log out and log in again before they can read or edit the files: group SIDs are placed in the user's access token at logon and the token is not refreshed afterwards. Domain Admins are unaffected only because they normally already have access through the Administrators ACE on the folder, not because their tokens update.
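A check for the stale-token problem described above, as an added example (not code from the original page). It compares the group membership Active Directory reports for the current user with the SIDs actually present in this logon session's token. It assumes the RSAT ActiveDirectory module and a hypothetical domain group MYDOM\Local_files:

```powershell
# Added example: is the new group in AD, in the token, or only in AD?
# Assumes RSAT ActiveDirectory module; hypothetical group name Local_files.
Import-Module ActiveDirectory
$group = 'Local_files'

# What the directory says now (-Recursive follows nested groups).
$inAD = (Get-ADGroupMember -Identity $group -Recursive |
         Select-Object -ExpandProperty SamAccountName) -contains $env:USERNAME

# What this session's access token says.  whoami /groups lists every group SID
# in the token; it was built at logon and will not change until the next logon.
$inToken = [bool](whoami /groups /fo csv | ConvertFrom-Csv |
                  Where-Object { $_.'Group Name' -like "*\$group" })

if ($inAD -and -not $inToken) {
    "AD grants $group to $env:USERNAME but the current token does not carry it: log off and back on."
} elseif ($inToken) {
    "$group is in the token; access works without a new logon."
} else {
    "$env:USERNAME is not a member of $group (directly or by nesting)."
}
```

The same token check explains a related support call: removing a user from a group does not revoke access until that user's existing sessions end, so a removal that must take effect immediately needs the sessions terminated as well.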
To create Local Users and Local Groups
Control Panel - admin tools - computer management - local users
and groups
( not available on a Domain Controller )
or from the command line... NET localgroup
To create Global Domain groups and Local Domain groups
Control Panel - admin tools - Active Directory Users and Computers - Users
or from the command line... NET localgroup /domain (Local Domain groups), NET group /domain (Global groups)
Best Practice
A recommended arrangement (often abbreviated AGDLP: Accounts into Global groups, into Domain Local groups, which get Permissions) is to assign file ACLs to a Local
Domain group, assign users to a GLOBAL group, and then assign rights
by making the GLOBAL group a member of the Local Domain group.
Example: Files are stored in \\server1\Purchasing
Create a Local Domain group Local_files - give this group CHANGE permissions on the folder.
Create a GLOBAL group Global_Team1 - make this group a member of Local_files
Now if a second group needs access to the same files,
e.g. Global_Team23, just make that group a member of the same group Local_files. No new ACLs need to be added to any files, which is a big win when working with a large number of files. Typically each folder will need one ACE granting CHANGE permission to the Local Domain group, and one ACE granting FULL control to Administrators for running backups etc.
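The AGDLP arrangement just described, and the nesting rules from the earlier example, carried out end to end as an added example (not code from the original page). It assumes a hypothetical domain MYDOM with a hypothetical OU for groups, the RSAT ActiveDirectory module, and that the session has rights to create groups and to write the folder's ACL:

```powershell
# Added example: AGDLP for \\server1\Purchasing.
# Hypothetical: domain MYDOM, OU=Groups,DC=mydom,DC=local.  Needs RSAT ActiveDirectory.
Import-Module ActiveDirectory

$domain = 'MYDOM'
$ou     = 'OU=Groups,DC=mydom,DC=local'
$folder = '\\server1\Purchasing'

# 1. The Domain Local group is the only group that will ever appear in the file ACL.
#    (NET localgroup Local_files /ADD /DOMAIN)
New-ADGroup -Name 'Local_files' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 2. Global groups hold the people.  (NET group Global_Team1 /ADD /DOMAIN)
New-ADGroup -Name 'Global_Team1'  -GroupScope Global -GroupCategory Security -Path $ou
New-ADGroup -Name 'Global_Team23' -GroupScope Global -GroupCategory Security -Path $ou

# 3. Nest Global -> Domain Local.  Admitting a further team later is one more
#    member here and touches no file ACL.
Add-ADGroupMember -Identity 'Local_files' -Members 'Global_Team1', 'Global_Team23'

# 4. Two ACEs on the folder, both inherited by everything below it:
#    CHANGE for the Domain Local group ('C' in CACLS, Modify in the GUI) and
#    FULL for Administrators (backups).  CACLS equivalent of the first:
#      cacls \\server1\Purchasing /T /E /G "MYDOM\Local_files":C
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $folder
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\Local_files", 'Modify', $inherit, $propag, 'Allow'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propag, 'Allow'))
Set-Acl -Path $folder -AclObject $acl

# 5. Verify.  The ACL should name only Local_files and Administrators (plus anything
#    inherited from the parent); the team membership lives in AD, not on the disk.
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize
Get-ADGroupMember -Identity 'Local_files' | Format-Table Name, objectClass, SID -AutoSize
```

Because the Domain Local group is the only principal in the ACL, an audit question such as "who can change Purchasing files" is answered by Get-ADGroupMember -Recursive on Local_files rather than by walking the file tree.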
Advantages
- No duplication of file ACLs no matter how many teams are granted access to the folder: each file carries one short ACL instead of one ACE per team. NTFS stores security descriptors in the MFT (there is no File Allocation Table on an NTFS volume), and short ACLs mean fewer ACEs to evaluate on every access check.
- Avoids the problem where an ACL change fails because the files are open/in use.
- You can see all permissions in Active Directory without having to search through
millions of file ACLs - this makes auditing easier.
Disadvantages
- Local Domain groups can only be granted rights on resources within their own domain
- Every group a user belongs to, directly or through nesting, adds a SID to the user's
access token, so deep nesting makes tokens (and logons) slightly larger.
“Of manners gentle, of affections mild; In wit a man, simplicity a child” - Alexander Pope
See also
Q271876 - Large Numbers of ACEs in ACLs Impair Directory Service Performance (slow logon times)
WorkGroups - Built-In Users and
Security Groups
Workgroups.ppt - The default Admin Workgroups