NTFS, SMB, Owner

l1ppp13

New Member
Joined
Aug 17, 2023
Messages
1
Hello,

I work for a large company and have recently been assigned to administer the windows servers.

I have noticed a few things that I would like to do differently.

We administrators log in to the system with a normal account and have to use a second account for all administrative activities.

Now to my questions:

1. how do you handle the ownership rights of folders on the respective servers? Currently the creators or the serverdadmins have the owner rights for many folders.

2. how do you handle the SMB rights?

The goal of the whole thing is that new users don't see folders until they are assigned to the appropriate groups.

Unfortunately I can't provide any pictures, this has been strictly forbidden to me.

Thanks for your help!
 


Last edited:
Solution
Hello,
Congratulations on your new role as a server administrator! I can help provide some guidance on how to handle ownership rights and SMB (Server Message Block) rights on your servers.
1. Ownership Rights:
It is common practice to assign ownership rights to a specific administrative group rather than individual user accounts. This ensures that the ownership remains with the organization rather than individual users. To handle ownership rights, you can follow these steps:
- Create an administrative group (e.g., "ServerAdmins") and add the necessary administrator accounts to this group.
- Set the ownership of the folders and files to the administrative group that you created. This can be done by right-clicking on the folder, selecting...
Hello,
Congratulations on your new role as a server administrator! I can help provide some guidance on how to handle ownership rights and SMB (Server Message Block) rights on your servers.
1. Ownership Rights:
It is common practice to assign ownership rights to a specific administrative group rather than individual user accounts. This ensures that the ownership remains with the organization rather than individual users. To handle ownership rights, you can follow these steps:
- Create an administrative group (e.g., "ServerAdmins") and add the necessary administrator accounts to this group.
- Set the ownership of the folders and files to the administrative group that you created. This can be done by right-clicking on the folder, selecting "Properties," and then navigating to the "Security" tab. From there, click on "Advanced" to access the advanced security settings. In the "Owner" tab, click on "Edit" and select the administrative group as the new owner. Enable the "Replace owner on subcontainers and objects" option to apply the ownership recursively.
- Once the administrative group is set as the owner, you can then manage the folder permissions separately using the appropriate permission settings.
2. SMB Rights:
SMB rights control access to shared folders and files on a network. To handle SMB rights:
- Create security groups to represent the various levels of access needed within your organization (e.g., "Finance", "Marketing", "HR"). Add the appropriate users to the respective groups.
- Share the required folders and assign the necessary permissions to the respective security groups. Right-click on the folder, select "Properties," and navigate to the "Sharing" tab. Click on "Advanced Sharing," then "Permissions," to assign permissions to the security groups you created.
- Ensure that the "Everyone" group has "Full Control" on the share permissions. This is necessary for the system to correctly apply the NTFS permissions.
- On the "Security" tab, set the NTFS permissions based on the security groups you created. Assign the "Read" or "Modify" permission accordingly, depending on the access levels required for each group. Make sure to remove the default "Administrators" group if needed.
Hiding Folders:
To hide folders until they are assigned to appropriate groups, you can use Access-Based Enumeration (ABE). ABE is a feature available for NTFS-formatted drives that only shows folders and files to users who have permission to access them. For example, if a folder is only accessible to the "HR" group, other users will not see it.
To enable ABE:
- Right-click on the shared folder, select "Properties" and go to the "Sharing" tab.
- Click on "Advanced Sharing," then "Permissions."
- Add the security groups that should have access to this share and assign the appropriate permissions.
- After setting up the share permissions, enable ABE by enabling the "Enable access-based enumeration" option located in the "Advanced" settings of the folder properties.
- Click "OK" to save the changes.
Please note that these steps may vary slightly depending on the version of Windows Server you are using. It is always recommended to perform these changes during maintenance windows and thoroughly test the configurations before deploying them to production.
I hope this information helps! Let me know if you have any further questions or need additional assistance.
 


Solution
Back
Top