
You cannot effectively implement network shares according to any best practices without organized Active Directory groups. Because I work here, let's use StorageCraft as an example. StorageCraft is creating a share for its IT users. Their Active Directory group OU structure looks like so:

Within the IT OU, there are three groups:

The IT-Users group contains two members only: IT-Admins and IT-NonAdmins. The other two groups contain the user objects. The reasoning behind this is that if you want to use other network authentication services like RADIUS/TACACS or SSO, they often allow you to authenticate by group membership. There's often no reason to be extremely granular with these services, so just add the top-level group whose members are the lower-level groups.

The IT-Admins group will contain members who need Full Control or Modify NTFS permissions on the IT share (which we will create in step 2). The IT-NonAdmins group will contain members who only get Read access (and in some cases Write/Modify) to designated directories within the IT share. You may need to create additional groups based on the type of access you will grant (read and write but no delete, for example; note that NTFS has no "no copy" permission, since anything a user can read they can also copy). Read through this article, then decide if that's something you need.

Everything within the IT share is now readable, writable, and modifiable by members of the IT-Admins group, including all sub-folders and files. Somewhere within this folder we want to create a sub-folder that members of IT-NonAdmins can READ ONLY. What about other IT users, like a humble IT help-desk technician? Surely they need access to some of the files within that folder at some point? Do we just create a second share for them, separate from the IT share? Well, yes and no.
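The group nesting and the NTFS layout described above (IT-Users containing the two other groups, IT-Admins with Modify on the whole share, IT-NonAdmins with Read only on a designated sub-folder), as an added PowerShell example that is not part of the original article or of StorageCraft's own setup. Everything it names beyond the three group names is an assumption: the domain corp.example (NetBIOS CORP), the OU path OU=IT,DC=corp,DC=example, the share root D:\Shares\IT, the read-only sub-folder "Procedures", global security groups for all three groups, and a share-level grant of Full to IT-Users so that the NTFS ACLs alone decide effective access.

```powershell
# Added example, not from the original article: build the IT-Users /
# IT-Admins / IT-NonAdmins structure and the NTFS and share permissions
# described above. Needs the ActiveDirectory and SmbShare modules and runs
# on the domain-joined file server as a domain admin.
#
# Assumptions not stated in the article: domain corp.example (NetBIOS CORP),
# OU=IT,DC=corp,DC=example, share root D:\Shares\IT, read-only sub-folder
# "Procedures", and global security groups for all three groups.
#Requires -Modules ActiveDirectory, SmbShare
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Domain      = 'CORP'
$OuPath      = 'OU=IT,DC=corp,DC=example'
$SharePath   = 'D:\Shares\IT'
$ShareName   = 'IT'
$ReadOnlySub = Join-Path $SharePath 'Procedures'

# --- Step 1: groups ---------------------------------------------------------
# IT-Users holds only the two other groups; user objects go into IT-Admins
# or IT-NonAdmins. RADIUS/TACACS/SSO can then simply test IT-Users membership.
foreach ($g in 'IT-Users', 'IT-Admins', 'IT-NonAdmins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $OuPath)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $OuPath
    }
}
$nested = @(Get-ADGroupMember -Identity 'IT-Users' | Select-Object -ExpandProperty SamAccountName)
foreach ($g in 'IT-Admins', 'IT-NonAdmins') {
    if ($nested -notcontains $g) { Add-ADGroupMember -Identity 'IT-Users' -Members $g }
}

# --- Step 2: folder, NTFS ACL, share ---------------------------------------
New-Item -ItemType Directory -Path $ReadOnlySub -Force | Out-Null

function New-Ace {
    # Inheritable Allow ACE: applies to this folder, its sub-folders and files.
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Share root: stop inheriting the volume's default ACEs (volume roots commonly
# grant BUILTIN\Users or Everyone read access), keep SYSTEM and local
# Administrators so the server can still manage the tree, and give IT-Admins
# Modify on everything below.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)          # protect; do not copy inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace "$Domain\IT-Admins"      'Modify'))
Set-Acl -Path $SharePath -AclObject $acl

# Designated sub-folder: IT-NonAdmins get Read & Execute only. IT-Admins'
# Modify arrives by inheritance from the share root, so no second share is needed.
$sub = Get-Acl -Path $ReadOnlySub
$sub.AddAccessRule((New-Ace "$Domain\IT-NonAdmins" 'ReadAndExecute'))
Set-Acl -Path $ReadOnlySub -AclObject $sub

# Share-level permission (an assumption, not from the article): Full for
# IT-Users, so effective access is decided entirely by the NTFS ACLs above.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess "$Domain\IT-Users" | Out-Null
}

# --- Check: list explicit and inherited Allow rights per group --------------
function Get-GroupRights {
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and
                       $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { "$($_.FileSystemRights)" + $(if ($_.IsInherited) { ' (inherited)' }) }
}
"IT-Admins    on $SharePath   : $(Get-GroupRights $SharePath   "$Domain\IT-Admins")"
"IT-NonAdmins on $SharePath   : $(Get-GroupRights $SharePath   "$Domain\IT-NonAdmins")"
"IT-Admins    on $ReadOnlySub : $(Get-GroupRights $ReadOnlySub "$Domain\IT-Admins")"
"IT-NonAdmins on $ReadOnlySub : $(Get-GroupRights $ReadOnlySub "$Domain\IT-NonAdmins")"
```

The final check should show IT-Admins with Modify on both paths (inherited on the sub-folder), IT-NonAdmins with nothing on the share root and ReadAndExecute on the sub-folder. Breaking inheritance at the share root is deliberate: without it, whatever the volume root grants to BUILTIN\Users or Everyone would propagate into the IT share and silently widen access beyond the three groups. Re-adding SYSTEM and BUILTIN\Administrators is what keeps backup agents and local administration working after that cut.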
