Manage Learn to apply best practices and optimize your operations.

Setting NTFS and share permissions best practices

I'm seeking "best practice" advice for the reasonable setting of NTFS and share permissions for the HOME CATALOGs of each %USERNAME% on the common fileserver within AD. Is the following scheme good?

  1. The Catalog, containing all home users catalogs, does not inherit from the parent volume, but in its turn permits for all child objects full access for the local admin group of this server (to allow further administering in critical conditions).

  2. In addition to that, each inner home catalog has MODIFY rights only for the corresponding %USERNAME% and full control for the CREATOR OWNER.

  3. Each home catalog is shared separately as %USERNAME%$ with CHANGE or FULL CONTROL for only user himself.

Does this scheme allow "sufficient minimum" of rights, security and manageability? Can you comment?

This solution appears to be well planned and sufficient for management and security. Note however that 'Create Owner' will always end up being the local administrators' group. This is a feature of Windows 2000.

Dig Deeper on Windows systems and network management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.