1

I have a Windows 2012 Server with the file server role. I have users in my Active Directory who are defined by 3 things: country - service - role

I have about 10 countries, 10 services and 5 roles.

How can I grant access to a folder to users who belong to multiple things? For example, I want to grant access to a folder to every France - Logistics - Manager; or to another folder to every US - Production - (any role)

I can create 700+ distinct groups, one for each combination, but is there a simpler way to do this? Like allowing access to users who have such country AND such service AND such role?

Thanks for any answers :)

[edit]

This is a new installation, I didn't create any user group yet. What I would like to do is create one group per country, one group per service and one group per role, for a total of 25 groups.

Then, for each user, I could set 1 country group, 1 service group and 1 role group, and I'd like to set my folder so that it's only accessible to users who belong to the group "France" AND the group "Logistics" AND the group "Manager" (for example).

I want to know what can be done and how it can be done before creating my groups.

  • Are the France - Logistics - Manager all different user groups? – Roland Dec 07 '20 at 15:04
  • I edited the first post, I hope it's clearer. – Pierre Lebur Dec 07 '20 at 15:51
  • Ok. Then I suggest you carefully plan all the user groups you will need. If you create one group called France and grant read-permissions to a folder for that group, only members of that group can read it. If you are new to Active Directory then good advice is to set up a test server so you can mess around and test out different configurations before you set up the server that you are going to use. Even if this isn't the most difficult thing, it is still way too advanced to be explained here how it works. https://www.dnsstuff.com/security-group-active-directory – Roland Dec 07 '20 at 16:20
  • Thanks for your answers. I will take an example to explain what I try to do: what groups would you create if you want to allow access to a folder to the users [based in France AND Manager], but deny access to the users that are [based in France and not manager], and also deny access to the users that are [manager but not based in France]? – Pierre Lebur Dec 07 '20 at 17:40
  • Look into Dynamic Access Control. https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/dynamic-access-control-overview – Greg Askew Dec 07 '20 at 18:12
  • That's exactly what I was searching for. I'll have to read a little more to learn how to configure it but I have my answer. Thanks a lot everyone! – Pierre Lebur Dec 08 '20 at 10:21

1 Answer

0

Answer provided in the last comment: "Look into Dynamic Access Control. https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview"

Thanks!
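The "group A AND group B AND group C" rule from the question can be written as a conditional (expression-based) access control entry. The sketch below is an added example, not code from the thread. It assumes the 25 per-country, per-service and per-role groups already exist under the names used in the question, and the folder paths are hypothetical.

```powershell
# Added example. Group names come from the question; folder paths are hypothetical.
Import-Module ActiveDirectory

function New-AllOfGroupsAce {
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [string] $Rights = 'FR'   # SDDL right string for FILE_GENERIC_READ
    )
    # Resolve every group to its SID; stop if a name does not resolve,
    # so a typo can never produce a weaker condition than intended.
    $sids = foreach ($name in $GroupName) {
        'SID(' + (Get-ADGroup -Identity $name -ErrorAction Stop).SID.Value + ')'
    }
    # XA = conditional allow ACE for Authenticated Users (AU).
    # Member_of {a, b, c} is true only if the token contains ALL listed SIDs.
    "(XA;OICI;$Rights;;;AU;(Member_of {" + ($sids -join ', ') + '}))'
}

function Set-AllOfGroupsAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $GroupName
    )
    # D:P = protected DACL: inherited entries are dropped, so a broad
    # inherited grant (e.g. to Users) cannot bypass the condition.
    # SYSTEM and Administrators keep full control for administration.
    $sddl = 'D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)' +
            (New-AllOfGroupsAce -GroupName $GroupName)

    $acl = Get-Acl -LiteralPath $Path
    # Replace only the access (DACL) section; owner and audit rules are untouched.
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Access')
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the stored SDDL so the XA entry can be verified after the write.
    (Get-Acl -LiteralPath $Path).Sddl
}

# France AND Logistics AND Manager
Set-AllOfGroupsAcl -Path 'D:\Shares\FR-Logistics-Managers' -GroupName 'France', 'Logistics', 'Manager'

# US AND Production, any role: the role group is simply left out of the condition
Set-AllOfGroupsAcl -Path 'D:\Shares\US-Production' -GroupName 'US', 'Production'
```

Check the returned SDDL for the `XA` entry, and test with one account that is in all listed groups and one that is missing a single group before relying on the folder.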