NT Syntax : Permissions and Privileges
NT permissions can be set on Files and Folders with CACLS or XCACLS.
Permissions can be None, Read, Change or Full.
Full is the same as Change plus the right to administer the file, e.g. to grant
additional users the right to read it.
Permissions can be assigned to individual users or to NT workgroups.
If a user has no rights to the files in a folder, the Security tab in the GUI
will not appear (if you have no rights to even list the file names, then you
have no rights to list the security attributes either).
Ownership of a file will override all access permissions - administrators can
take ownership of any file. SUBINACL can change ownership from the command line.
Newly created files will be owned by the account used to create them (unless
the account is an administrator).
There are 3 types of NT workgroup:
- Local Machine Workgroup
- Local Domain WorkGroup
- Global Domain WorkGroup
With Active Directory in native mode you can add
- Universal Workgroup - visible throughout the entire enterprise.
Universal groups may include both other Universal groups, and global groups
from any domain in the enterprise.
Universal groups are expensive to use, so limit the number of these groups -
use only where it is necessary to create a group that spans one or more domains.
To create Local Users and Local Groups
Control Panel - Admin Tools - Computer Management - Local Users and Groups
(not available on a Domain Controller)
or from the command line: NET localgroup (under NT 4 run Musrmgr.exe)
To create Global Domain WorkGroups and Local Domain WorkGroups
Control Panel - Admin Tools - Active Directory Users and Computers - Users
or from the command line:
NET group /domain (Global Domain workgroups)
NET localgroup /domain (Local Domain workgroups)
(under NT 4 run usrmgr.exe)
Local Machine workgroups
A Local Machine User can join a Local Machine workgroup.
A Local Domain WorkGroup cannot join a Local Machine workgroup.
A Global Domain WorkGroup can join a Local Machine workgroup.
Local Domain workgroups
A Domain User can join a Global Domain Workgroup.
A Global Domain WorkGroup can join a Local Domain workgroup.
A Local Domain WorkGroup cannot join another Local Domain WorkGroup.
Global Domain Workgroups
A Domain User can join a Global Domain Workgroup.
A Global Domain WorkGroup cannot join another Global Domain Workgroup.
Given the above restrictions, a good arrangement is to assign users to a GLOBAL
workgroup, assign ACLs to a Local Domain workgroup, and then grant rights by
adding the GLOBAL workgroup to the Local Domain workgroup.
e.g. Files are stored in
\\server1\Purchasing
\\server2\Procurement
Create a Local Domain workgroup LDw_PurchaseTeamFiles - give this group
CHANGE permissions on both folders.
Create a GLOBAL workgroup GDw_PurchaseTeam - add this group to LDw_PurchaseTeamFiles
Now if a second workgroup needs access to the same files, e.g. GDw_FinanceTeam,
just add this group to LDw_PurchaseTeamFiles.
Note that you don't have to figure out where the files are at this stage.
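The arrangement above, carried out with the page's own tools (NET group, NET localgroup and CACLS), as an added example that is not part of the original page. It assumes you are at an elevated prompt on a domain-joined machine with an account allowed to create domain groups, and that CORP is the NetBIOS domain name (a placeholder); the group and share names are the ones used in the text.

```powershell
# Added example (not from the original page): AGLP-style setup for the purchasing shares.
# Assumptions: elevated prompt, domain-joined machine, CORP is a placeholder domain name.
$DomainName  = 'CORP'                        # placeholder NetBIOS domain name
$LocalGroup  = 'LDw_PurchaseTeamFiles'       # Local Domain group that carries the ACL
$GlobalGroup = 'GDw_PurchaseTeam'            # Global group that holds the users
$Shares      = '\\server1\Purchasing', '\\server2\Procurement'

# 1. Create the GLOBAL workgroup that users will be added to.
net group $GlobalGroup /add /domain /comment:"Purchasing team members"

# 2. Create the Local Domain workgroup that will appear in the file ACLs.
net localgroup $LocalGroup /add /domain /comment:"CHANGE access to purchasing shares"

# 3. Nest the GLOBAL workgroup inside the Local Domain workgroup.
net localgroup $LocalGroup $GlobalGroup /add /domain

# 4. Grant the Local Domain workgroup CHANGE (:C) on each folder.
#    /E edits the existing ACL; without it CACLS REPLACES the whole ACL with this one entry.
#    /T applies the same change to all files and subfolders.
foreach ($share in $Shares) {
    cacls $share /E /T /G "$DomainName\${LocalGroup}:C"
}

# 5. Check: list the resulting ACLs, then the memberships, so the whole chain is visible.
foreach ($share in $Shares) { cacls $share }
net localgroup $LocalGroup /domain      # should list GDw_PurchaseTeam as a member
net group $GlobalGroup /domain          # the users who actually get access

# Later, giving a second team the same access changes only the nesting, not the ACLs:
# net localgroup $LocalGroup GDw_FinanceTeam /add /domain
```

The one line that deserves care is step 4: CACLS without /E discards every existing entry on the folder (including the administrators' own), so always run it with /E when adding a group, or use XCACLS, which offers the same edit-in-place behaviour with finer control over inheritance. Step 5 is the audit the text promises: membership is read from the domain with NET rather than by walking file ACLs.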
Advantages of this arrangement
- Only one workgroup ACL has to be applied to the files - this improves performance.
- You can see all permissions in AD without having to search for and look at
millions of file ACLs - this makes auditing easier.
- Local domain workgroups are only visible in one domain; in a multi-domain
network this is most likely what you want.
The only disadvantage is that Local Domain Workgroups contain the domain name, so they require slightly more storage in the SAM database.
See also
WorkGroups - Built-In Users and
Security Groups
Workgroups.ppt - The default Admin Workgroups