
My organization has several network shares, and permissions to all folders are strictly through security groups. Users are not to be added individually to folders. Despite this, we come across folders for which the only entities that have access are users. No security groups, even the Administrators are removed.

After researching/testing myself, I found out that this is based on the fact that if you create a folder, you can modify the rights to it, even if you only have read/write permissions to the folder you created your folder in.

My question is, how do I stop this behavior? Users don't listen (as evidenced by the fact that it has been put out there to not do this multiple times in the past), and manually going through all four or five network shares we have, with all of their different organization directories and office subdirectories, might not be an entirely efficient solution. Is there an easier way?

Xerphi
  • This is usually symptomatic of users not having the ability to securely share files. Consider enabling I'm in the environment. – Jim B Apr 19 '18 at 18:43
  • There are very simple (if not mildly cumbersome) methods around this, though. While we disallow users being added to a folder individually, we have no problem if a user asks to have a folder be locked down to only one security group that only they are a part of. This being because it is then easier to add/remove users on a larger scale than with individuals on the folder. It may be silly, but it's policy. Also, consider enabling what? – Xerphi Apr 19 '18 at 19:21
  • It should have said IRM (gotta love autocorrect). Users shouldn't have to ask for groups (in fact that's exactly what the "groups" part of o365 handles). – Jim B Apr 20 '18 at 01:06
  • I'm not sure I understand your meaning, but in any case, I don't believe IRM would help. In most cases where users make folders and remove Administrators from the permissions, their intent is to lock the folder down to only themselves, to store documents in a personal, "only I can use this" fashion - this is against organization policy. In cases where there are multiple users, it's generally been CSLs engaging in poor practices. Security groups are used to manage access, instead. Is it easy? No. Does it make a lot of sense? Not all the time. But it's just what we have to do. – Xerphi Apr 20 '18 at 14:46
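
An added example, not part of the original post or its comments: a PowerShell audit that walks the share trees and reports subfolders whose ACL has inheritance disabled, no Administrators entry, or explicit entries, which are the traces left when a folder's creator rewrites its permissions. The UNC paths in `$Roots` and the output file name are placeholders assumed for illustration.

```powershell
# Added example. $Roots are placeholder UNC paths, not values from the post.
param([string[]]$Roots = @('\\fileserver\share1', '\\fileserver\share2'))

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$SidType   = [System.Security.Principal.SecurityIdentifier]

function Resolve-SidName {
    param($Sid)
    # Orphaned SIDs (deleted accounts) cannot be translated; report them raw.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

function Get-AclFinding {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch {
        # With Administrators stripped, the audit account is denied: report it.
        return [pscustomobject]@{ Path = $Path; Owner = '?'
            Finding = 'ACL unreadable'; ExplicitEntries = $_.Exception.Message }
    }
    $rules    = @($acl.GetAccessRules($true, $true, $SidType))
    $explicit = @($rules | Where-Object { -not $_.IsInherited })
    $admins   = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $AdminsSid -and
        $_.AccessControlType -eq 'Allow' })

    $finding = @()
    if ($acl.AreAccessRulesProtected) { $finding += 'inheritance disabled' }
    if ($admins.Count -eq 0)          { $finding += 'Administrators missing' }
    if ($explicit.Count -gt 0)        { $finding += 'explicit entries' }
    if ($finding.Count -eq 0) { return }   # purely inherited ACL: nothing to report

    [pscustomobject]@{
        Path    = $Path
        Owner   = $acl.Owner
        Finding = $finding -join '; '
        ExplicitEntries = ($explicit | ForEach-Object {
            '{0}:{1}' -f (Resolve-SidName $_.IdentityReference), $_.FileSystemRights
        }) -join ', '
    }
}

# Audit subfolders only; share roots legitimately carry explicit group entries.
$Roots | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -Directory -Recurse -ErrorAction SilentlyContinue
} | ForEach-Object { Get-AclFinding $_.FullName } |
    Export-Csv -Path .\acl-findings.csv -NoTypeInformation
```

Folders where an administrator deliberately set explicit security-group entries also appear in the report; sorting the CSV by `Owner` and `Finding` separates those from user-created folders.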

0 Answers