Overview

We have been working in our new environment for a couple of months now and everything works just great. The only problem is management. We have multiple departments, multiple companies, multiple locations/offices, etc. and find it challenging to manage the spaghetti that currently exists.


System Information

Operating System: Windows Server 2016

The following relates to two machines (eventually in High Availability)

  • Domain Controller (GPO, Active Directory)
  • Storage Server (DFS)

Structure

We map a drive to our users that connects to a DFS.
The DFS has a bunch of subfolders, which, in turn, have more subfolders. The structure looks similar to the following:

Shares
├── Systems
|   ├── System1
|   ├── System2
├── Users
|   ├── Accounting
|   |   ├── Company1
|   |   |   ├── Office1
|   |   |   ├── Office2
|   |   ├── Company2
|   |   |   ├── Office1
|   |   |   ├── Office2
|   ├── General
|   |   ├── Company1
|   |   |   ├── Office1
|   |   |   ├── Office2

We have multiple Security Groups, such as the following:

Accounting
Company1
Company2
Office1
Office2

Issue

We cannot figure out how we can apply some sort of Item-level targeting at the folder level to ensure proper access.

For example:

User1 belongs to the following groups:

Accounting
Company1
Office1

User2 belongs to the following groups:

Accounting
Company1
Office2

Logically, the following should be our setup:

  • User1 should only have access to \\example.com\Shares\Users\Accounting\Company1\Office1
  • User2 should only have access to \\example.com\Shares\Users\Accounting\Company1\Office2

Unfortunately, this problem exists on a much larger scale when you add multiple departments (some of which may overlap), and the possibility of title/departmental role (such as Manager who should have access to management-level documents for their respective departments).


Additionally

We would prefer to hide any folders that users don't have access to. In the example above, for example, User2 would not even know about the existence of \\example.com\Shares\Users\Accounting\Company1\Office1 since the user doesn't belong to the respective security groups.

We would like to be able to apply some security groups according to the OU the user is placed in. Our current OU structure resembles the following (which closely matches some security groups such as Company or Office).

Example OU structure

Users
    Company1
        Office1
            User1
        Office2
            User2

The above configuration (untested as of now) should theoretically work for things such as printer assignment, where we could add even a Floor to each Office if desired and group users by floor to assign default printers, secondary printers, etc.


Questions

  1. How can we ensure that our structure works with folder permissions as it would theoretically with printer assignment (i.e. item-level targeting)?
  2. How can we automatically assign Security Groups to users under specific Organizational Units?
  3. If some of the above are not possible, how can we ensure ease-of-use for our users, while increasing IT productivity, and improve file management and, consequently, user management?
ctwheels
  • I hate sharepoint but it might be your best choice. – Tim Brigham Oct 04 '17 at 21:19
  • @TimBrigham Nope, nuhuh no SharePoint no thank you :/ Is that really our only option? – ctwheels Oct 04 '17 at 21:23
  • Not to rain on your exhaustive and well written question, but item level targeting doesn't have anything to do with ensuring proper access to the folders. Access to the folders is determined by the combination of share and NTFS permissions. Item level targeting merely allows you to target GPP settings based on criteria that you select for the item level targeting. As for "hiding" folders from users who don't have access to said folders, enable Access Based Enumeration on your shares, which is specifically and exactly the purpose of ABE. – joeqwerty Oct 04 '17 at 22:31
  • @joeqwerty Thank you for your response. I know item level targeting isn't related to folder access, but it does explain what I'm trying to do in simple terms without convoluting the question's title with `Folder permissions conditional for user in 2 groups, not just 1`. I find the title might help future users find it if they've done research about possible solutions first and find that item-level targeting does everything they want, but not for folders. I'll definitely look into ABE, thanks! – ctwheels Oct 05 '17 at 15:15
  • If I've understood correctly you can achieve what you need by disabling inheritance of NTFS permissions at the Office1/Office2 level and setting the explicit permissions you want there. As for dynamic group memberships it would be a nice feature but last time I researched this it wasn't possible. – martin81 Oct 07 '17 at 15:20

1 Answer

I think your folder structure is right on; you'll just have a tedious job of initially setting up permissions. And hope to all that you never have to re-propagate from the top down.

First, at a share level, enable "access based enumeration". This will hide folders users don't have permissions to.

As for the folders, a few things:

With NTFS ACLs you can control inheritance by setting the ACL to "this folder only". So if you're trying to prevent User2 from seeing Office 1, it's simple: set the folder permissions to this folder only.

For example:

  • Company 1 = Company 1 group, read only, this folder only
  • Office 1 = Office 1 group, read only, this folder only
  • User 1 = User 1 group, modify (or whatever), default propagation

As for your manager, just make them part of both offices, no biggie, they'll see both.

NOW for the problem you're not anticipating: what happens when the manager MOVES file 1 from Office 1 to Office 2? That file by default is going to have the same permissions as the source folder (moves in the SAME NTFS volume = keep permissions of the source location). The way to override that is to set a client setting (desktop side) that instructs Windows to turn a "move" operation into a copy + delete-source operation.

Now, what I did at my last company is I had a policy of NTFS permissions at the root sub-folder only; I NEVER nested permissions. Meaning...

Root\folder 1
Root\folder 2
Root\folder 3

So I would only apply the perms at folder 1, 2 and 3 and never below. Makes re-propagating permissions easier.

Then just use a naming scheme, like

Root\cmp1_ofc1
Root\cmp2_ofc2

This has the added benefit that a user will see all folders they have access to at the root. If a department needed to collaborate on a subfolder of say...

Root\cmp2_ofc2\2017

I would tell them, move it to the top and do something like

root\cmp2_ofc2_2017

...and grant the given permissions there for both parties to access.

Hope that helps.

Eric C. Singer
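The ABE plus "this folder only" scheme from the answer above, written out as an added example (not code from the original answer or its author). It assumes, for illustration only, that the DFS target folder is D:\Shares shared as "Shares" on this server, that the domain NetBIOS name is EXAMPLE, and that the group names follow the question (including a per-user group EXAMPLE\User1).

```powershell
# Added example, not from the original answer or its author: the ABE + "this folder
# only" scheme above, done with built-in cmdlets (SmbShare module, Get-Acl/Set-Acl).
# Assumptions (constructed for this example): the DFS target is D:\Shares, shared as
# "Shares" on this server; the domain NetBIOS name is EXAMPLE; group names follow the
# question. Run in an elevated session on the file server.
Import-Module SmbShare

# 1. Hiding is a property of the SMB share, not of NTFS: enable Access Based Enumeration.
Set-SmbShare -Name 'Shares' -FolderEnumerationMode AccessBased -Force

# 2. Helper: add one Allow entry. "This folder only" is InheritanceFlags = None, so the
#    entry never flows to subfolders; otherwise it propagates to subfolders and files.
#    Inheritance is not broken here, so whatever is set on D:\Shares (Administrators,
#    SYSTEM) keeps flowing down.
function Add-FolderAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,   # e.g. 'EXAMPLE\Office1'
        [Parameter(Mandatory)] [string] $Rights,     # a FileSystemRights name
        [switch] $ThisFolderOnly
    )
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    # Constructor arguments: identity, rights, inheritance flags, propagation flags, type
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, 'None', 'Allow'
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$base = 'D:\Shares\Users\Accounting'

# Company 1 group: read, this folder only (members can list Company1, nothing below it)
Add-FolderAce -Path "$base\Company1" -Identity 'EXAMPLE\Company1' -Rights ReadAndExecute -ThisFolderOnly

# Office 1 group: read, this folder only. Office2 members get no entry here, so ABE hides it.
Add-FolderAce -Path "$base\Company1\Office1" -Identity 'EXAMPLE\Office1' -Rights ReadAndExecute -ThisFolderOnly

# User 1's working folder: modify with default propagation (subfolders and files inherit)
Add-FolderAce -Path "$base\Company1\Office1\User1" -Identity 'EXAMPLE\User1' -Rights Modify

# 3. Verify: list each folder's explicit (non-inherited) entries with their inheritance flags
foreach ($p in "$base\Company1", "$base\Company1\Office1", "$base\Company1\Office1\User1") {
    (Get-Acl -Path $p).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference, FileSystemRights, InheritanceFlags
}
```

Note that ABE only hides: because users hold Bypass Traverse Checking by default, the read entry on Company1 does not by itself stop a Company2 member of the shared Office1 group from opening Company1\Office1 by its full UNC path. When a group name is reused across companies, the leaf entry needs a group that encodes both conditions, which is what the flat cmp1_ofc1 naming later in the answer achieves.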