Manage Learn to apply best practices and optimize your operations.

Setting NTFS and share permissions best practices

I'm seeking "best practice" advice for the reasonable setting of NTFS and share permissions for the HOME CATALOGs of each %USERNAME% on the common fileserver within AD. Is the following scheme good?

  1. The Catalog, containing all home users catalogs, does not inherit from the parent volume, but in its turn permits for all child objects full access for the local admin group of this server (to allow further administering in critical conditions).

  2. In addition to that, each inner home catalog has MODIFY rights only for the corresponding %USERNAME% and full control for the CREATOR OWNER.

  3. Each home catalog is shared separately as %USERNAME%$ with CHANGE or FULL CONTROL for only user himself.

Does this scheme allow "sufficient minimum" of rights, security and manageability? Can you comment?

This solution appears to be well planned and sufficient for management and security. Note however that 'Create Owner' will always end up being the local administrators' group. This is a feature of Windows 2000.
This was last published in September 2003

Dig Deeper on Microsoft Active Directory

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.