Permissions can be set on Files and Folders with CACLS
or XCACLS.
Permissions can be None, Read, Change or Full
'Full' being the same as 'Change'' plus the right to administer e.g. grant additional
users rights to read the file.
Permissions can be assigned to individual users or to groups.
If a user has no rights to the files in a folder the security tab in the GUI
will not appear (if you have no rights to even list the file names then you
have no rights to list the security attributes either.)
Ownership of a file will override all access permissions - administrators can
take ownership of any file. SUBINACL can change
ownership from the command line.
Newly created files will be owned by the account used to create them (unless
the account is an administrator).
There are 4 types of group: Local Machine, Local Domain, Global Domain, Universal
To create Local Users and Local Groups
Control Panel - admin tools - computer management - local users
and groups
( not available on a Domain Controller )
or from the command line... NET localgroup
To create Global Domain groups and Local Domain groups
Control Panel - admin tools - Active directory users and computers - Users
or from the command line... NET localgroup /domain NET group /domain
Best Practice
A recommended arrangement is to assign file/print permissions with one set of workgroups (Resources), and assign user/group membership with a separate set of workgroups (Teams), then assign rights by making each team workgroup a member of the relevant resource workgroup(s).
Advantages
- No duplication of file ACLs no matter how many teams are granted access to the folder - this reduces the size of the File Allocation Table - less fragmentation of the FAT will improve fileserver performance.
- Avoid problems where an ACL change fails because some files are open/in use, with this arrangement, most administrative changes can be made by adding and removing Users from Team Workgroups rather than editing ACL's on disk.
- You can view/audit all permissions in Active Directory without having to search through
millions of file ACLs - this makes auditing easier.
“Of manners gentle, of affections mild; In wit a man, simplicity a child” - Alexander Pope
See also
Groups - Local Domain groups, Global and Universal groups
Built-in Groups - Built-In Users and Security Groups
Q271876 - Large Numbers of ACEs in ACLs Impair Directory Service Performance (slow logon times)
Q909264 - Naming conventions in Active Directory for computers, domains, sites, and OUs
© Copyright SS64.com 1999-2013
Some rights reserved