A couple "Standard Practice" questions

  • Thread starter Thread starter JohnB
  • Start date Start date
J

JohnB

sorry, this isn't really AD, but this group gets a lot of users so I thought
I'd get some good answers.

I work in an IT department at a manufacturing company, and our users create
a tremendous number of folders and sub-folders... between all the CAD
drawings, and the usual Word and Excel files.
Two questions on this:

1. I'm a proponent of making good use of sub-folders to organize info. I
don't like to see a ton of folders on the root of a file server. There are
pros and cons of both ways. Permissions can get pretty tricky, when you get
a very deep folder tree, and users (like ours) really like to limit, all
over the place, read or write access - per folder and even per file(s).
What do most do... keep a flat-ish structure, or make good use of
sub-folders?

2. With a lot of sub-folders and nick picky managers and users, wanting to
really control access, permissions can be a nightmare for us. We've begun
creating Groups in AD that are named after folders, one for read and one for
write, i.e. SubFolder12_Read & SubFolder12_Write. This is bringing some
sanity back to permissions, but I can foresee tons of groups in AD with this
method.
How do you handle this problem?
thanks,
John
 
-----Original Message-----
sorry, this isn't really AD, but this group gets a lot of users so I thought
I'd get some good answers.

I work in an IT department at a manufacturing company, and our users create
a tremendous number of folders and sub-folders... between all the CAD
drawings, and the usual Word and Excel files.
Two questions on this:

1. I'm a proponent of making good use of sub-folders to organize info. I
don't like to see a ton of folders on the root of a file server. There are
pros and cons of both ways. Permissions can get pretty tricky, when you get
a very deep folder tree, and users (like ours) really like to limit, all
over the place, read or write access - per folder and even per file(s).
What do most do... keep a flat-ish structure, or make good use of
sub-folders?

2. With a lot of sub-folders and nick picky managers and users, wanting to
really control access, permissions can be a nightmare for us. We've begun
creating Groups in AD that are named after folders, one for read and one for
write, i.e. SubFolder12_Read & SubFolder12_Write. This is bringing some
sanity back to permissions, but I can foresee tons of groups in AD with this
method.
How do you handle this problem?
thanks,
John


.
Click to expand...
John,

First off, I would use Local Security Groups to apply
permissions to the folder / sub-folders. Simply make use
of existing Universal Groups / Global Groups to stick in
the Local Security Groups.

I would also suggest that you give special permissions to
the so-called root folders. Definition being: you have a
folder ( called PUBLIC ) and you do not allow users to
create folders directly in that folder. So, if BillyBob
wants to create a folder called NASCAR directly inside of
the PUBLIC folder he can not. You would have to do
that. However, once NASCAR is created BillyBob can
create a million folders / files inside that. Hint on
doing this: use the "To this Folder only" for the "read"
permissions and the "To Subfolders and Files Only" for
the "write" permissions.

Never give users Full Control over anything. Never give
users "Change Permissions" to anything. You might think
that it is a pain to have to create folders for the users
but that is far less of a pain than the alternative.

HTH,

Cary
 
Back
Top