Domain Shares in Active Directory Question.

There are lots of shares on several servers across our domain with mixed share permissions, everyone-full control, domain users- full, domain admins, individual users-read only or no access etc.

Does anyone know if shares can be managed in AD the same way as security groups so that I can easily standardise permissions.

What i would like to do is set everything as Domain Users and Admins as Full Control and a restricted group read only or deny.

Anything to make my job easier

Ta

 

Not so much changing permissions of shares within active directory.

Your best bet would be to create security groups in AD and use these groups for access rather than individual users.

I wouldn't give anyone the full control option as they don't really require it. Domain admins have access to all files/shares by default anyway.

The hard part is that you will need to adjust the permissions of shares from the share rather than in AD. But you might also want to have a look at the NTFS permissions at the same time to make sure they don't contridict each other.

 

My first piece of advice is to never never never use an explicit 'deny' permission unless you absolutely have to. The 'deny' permission trumps everything else out there. I don't care if you are an enterprise admin. If somehow some obscure security group you are part of gets 'deny' permission, then you too are locked out.

Second, in the orgs I've worked in we just give "full control" on all file shares, and then use NTFS permissions to do the actual lockdown. It is way easier this way, and if you have your NT permissions setup correctly makes things a breeze.

 

Thanks for the replies. I pretty much understand what you have said about share and ntfs permissions and realise that all the shares around the domain need looking at and maybe tidying up.

There is just one single user that needs to be restricted from seeing some shares, a guest account set up for clients to access the internet, personal webmail etc, while still having the ability to send print jobs to the print server.

I just wondered if all the shares could be managed in bulk from active directory to make my job a little easier or will I have to look at all the server shares individually.

Ta

 

Unfortunately I am not aware of a streamlined way of doing this. I'll rack my brain though and see if I can come up with something.