Easiest NTFS permission structure

Auntiejack 201 Reputation points
2021-01-24T04:29:02.307+00:00

Hi,

I have a number of applications which have discrete groups of users and discrete document sets (general docs and certificates).

Each application has the same setup: there are two AD groups of users (Internals-Appn and Guests-Appn) and I'm trying to set up a file share structure that will take minimal future maintenance.

Most users of an app will need access to the Certificates folder for that app, while Guests will not. At the same time, all users of the app will need access to the shared doc pool for the app.

So I'm thinking that the following would be good, because it would minimize the number of maintenance points (the green text is the AD Group with permission to read/write at that level and below). But it would mean that no users apart from Admins would be enabled at the top level to make it work - is that possible? Or desirable?
[attached image 59913-qa.png: proposed folder layout with the AD group granted at each level]

Thanks,
Jack


2 answers

  1. Anonymous
    2021-01-25T01:45:12.02+00:00

    Hi,
    From the information you mentioned, all the folders (APPS, documents, certificates) are under the shared folder, right?

    Since you just mentioned the NTFS permission, before going further, we need to confirm the difference between share permission and the NTFS permission.
    The NTFS permission determines who can access a file or folder and what level of access can be made to the resources, both across the network and locally.
    When there is a conflict between Share and NTFS permissions, the most restrictive permission applies.
    Following link for your reference:
    https://blog.foldersecurityviewer.com/7-best-practices-in-managing-ntfs-permission/

    This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

    For your situation:

    The Guest account is automatically enabled in older OS, and it is part of the “Everyone” group. This creates a problem because whatever access is given to “Everyone”, Guests inherits it.
    For now, the Everyone SID is removed from the token that is created for anonymous connections by default.
    You'd better confirm this policy is Disabled: Let Everyone permissions apply to anonymous users under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Or the Guest-App1 will inherit the permission assigned to Everyone.

    Best Regards,


  2. Auntiejack 201 Reputation points
    2021-01-25T03:12:20.267+00:00

    Hi Fan,
    Thanks but I didn't realise there was a built-in Guest account, and I am not considering using it for external users. External Users for an app will belong to an AD group called External-App1 - users will have their own login and will be added explicitly to this account. External Users are the same as Internal Users in every way except that they must not have access to the Certificates folder.

    So I'll reword my question below with changes in **bold**:

    Each application has the same setup: there are two AD groups of users (Internals-Appn and Externals-Appn) and I'm trying to set up a file share structure that will take minimal future maintenance.

    Most users of an app (Internals) will need access to the Certificates folder for that app, while Externals will not. At the same time, all users of the app will need access to the shared doc pool for the app.

    So I'm thinking that the following would be good, because it would minimize the number of maintenance points (the green text is the AD Group with permission to read/write at that level and below).

    But would it mean that Externals must not inherit permissions from above? Is this undesirable?

    [attached image 59977-qa.png: reworded folder layout with Internals-Appn and Externals-Appn]
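One way to build the reworded layout for a single app, as an added example that is not code from the thread: the app folder gives both groups list/traverse only ("this folder only", so nothing propagates), Documents gets both groups, and Certificates gets Internals alone, so Externals never has an ACE to inherit and no inheritance needs to be broken. The domain name, share root and admin group are placeholders; the groups are assumed to already exist and the script to run as an administrator.

```powershell
# Added example, not from the original post. Placeholders: CONTOSO, D:\Shares\Apps.
Add-Type -AssemblyName System.Security
$Domain   = 'CONTOSO'                       # placeholder domain
$Root     = 'D:\Shares\Apps'                # placeholder share root (Admins only at this level)
$App      = 'App1'
$Internal = "$Domain\Internals-$App"        # group names follow the post
$External = "$Domain\Externals-$App"

$AppPath = Join-Path $Root $App
$Docs    = Join-Path $AppPath 'Documents'
$Certs   = Join-Path $AppPath 'Certificates'
foreach ($p in $AppPath, $Docs, $Certs) { New-Item -ItemType Directory -Path $p -Force | Out-Null }

function Grant-Access {
    param(
        [string]$Path, [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        # default: rule flows to subfolders and files; pass 'None' for "this folder only"
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit,ObjectInherit'
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# App folder: both groups can open it and see the two subfolders, nothing more.
foreach ($g in $Internal, $External) { Grant-Access $AppPath $g 'ReadAndExecute' -Inherit 'None' }
# Documents: the shared doc pool, read/write for everyone in the app.
foreach ($g in $Internal, $External) { Grant-Access $Docs $g 'Modify' }
# Certificates: Internals only. Externals is never granted here or above with inheritance.
Grant-Access $Certs $Internal 'Modify'

# Check 1: no Externals ACE (explicit or inherited) reached Certificates.
$leak = (Get-Acl $Certs).Access | Where-Object { $_.IdentityReference -like "*\Externals-*" }
if ($leak) { Write-Warning "Externals-$App can reach $Certs" } else { "Certificates: Externals absent" }

# Check 2: the policy the first answer mentions. 0 means Everyone does NOT include anonymous.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name EveryoneIncludesAnonymous
if ($lsa.EveryoneIncludesAnonymous -ne 0) { Write-Warning 'Everyone permissions apply to anonymous users' }
```

Run `icacls $Certs` afterwards to confirm only the inherited administrative ACEs and the Internals entry remain.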

