Active Directory
AlexanderSuz, 2021-02-14 02:34:44

Correct algorithm for access control to user folders in AD?

Good day. Due to the fact that I'm still trying to figure out the confusion that I got, it is necessary at this stage to differentiate access rights.

AD will be raised on WinServer2019. All users will be transferred to the domain (now everything is without a domain). Accordingly, the question is how to differentiate access to certain user folders in different departments.

Example:

-Department1
--folder1
--folder2
-Department2
--folder1
--folder2
-Department3
--folder1
--folder2
....
-Department10
--folder1
--folder2

All departments have a folder1(well, or several) in which certain files are located that belong to these departments, but other departments should also use these folders / files.

But at the same time, in these departments there is another folder2 (well, or several), which should only be used within the department and other departments will not have access to these folders.

How to properly demarcate this in AD? Create a group / division for each department, select groups for the necessary folders when sharing folders, set rights and restrict read / write access?

Or is there some other way to do it better and faster?

I understand there should be a file share, but given the specifics of the files there would be confusion between departments. Therefore the files are stored locally on the users' PCs. In the future I'll come up with something different.


3 answer(s)
nApoBo3, 2021-02-14
@nApoBo3

Folders are created not by departments, but by functions-roles.
You can create a separate folder for each department, since it is very difficult to write all the functions-roles within the department, but all folders used by several departments are made exactly according to the functional principle.
Example:
Departments folder
..Sales department folder
..Accounting folder
..Legal services folder
Agreements folder
..Supplier agreements folder
..Customer agreements folder
Folders are collected and mounted by users using DFS.
User rights are made according to the AGDLP model. For each access object (as an option, a folder, but it may not be a folder), an access group is created, which is a local domain group, rights are assigned to it. A global domain group is created for each business role. Users are included in global domain groups, global domain groups are included in local domain groups ( access groups ).
Example:
Sales department folder
saledepread domain local group (read permissions to the sales department folder)
saledepwrite domain local group (write permissions to the sales department folder)
saledep global group (included in the saledepread and saledepwrite local groups)
User Vasily Pupkin (included in the saledep global group).
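As an added example (not the answerer's own code) of the AGDLP layout described above, applied to the sales department folder. The domain name, the OU that holds the groups, the file server path and the user account name are assumptions:

```powershell
# Added example: AGDLP for one department folder (Accounts -> Global role group -> Domain Local access groups -> Permissions).
# Assumptions (hypothetical values): domain CONTOSO / contoso.local, OU "OU=Groups,DC=contoso,DC=local",
# folder \\fs01\Departments\Sales, and a user account "vpupkin".
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=contoso,DC=local'   # assumption
$Folder  = '\\fs01\Departments\Sales'        # assumption
$Domain  = 'CONTOSO'                         # NetBIOS domain name, assumption

# 1. Domain local "access" groups: one per permission level on the resource (the DL in AGDLP).
foreach ($g in 'saledepread', 'saledepwrite') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
            -Description "Access group for $Folder"
    }
}

# 2. Global "role" group for the business role (the G in AGDLP).
if (-not (Get-ADGroup -Filter "Name -eq 'saledep'")) {
    New-ADGroup -Name 'saledep' -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Role group: sales department staff'
}

# 3. Nest the role group into the access groups, and put the account into the role group only.
Add-ADGroupMember -Identity 'saledepread'  -Members 'saledep'
Add-ADGroupMember -Identity 'saledepwrite' -Members 'saledep'
Add-ADGroupMember -Identity 'saledep'      -Members 'vpupkin'   # account name is an assumption

# 4. NTFS permissions are granted to the access groups only, never to users or role groups.
#    Inheritance is cut so that rights granted higher up (e.g. to "Users") do not leak into this folder;
#    because inherited ACEs are dropped, SYSTEM and the admins are re-added explicitly.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rules = @(
    @{ Id = "$Domain\saledepread";   Rights = 'ReadAndExecute' },
    @{ Id = "$Domain\saledepwrite";  Rights = 'Modify' },
    @{ Id = "$Domain\Domain Admins"; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';   Rights = 'FullControl' }
)
foreach ($r in $rules) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new($r.Id, $r.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $Folder -AclObject $acl

# 5. Check: every entry should reference a group, and none should be inherited.
(Get-Acl -Path $Folder).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

Adding a new employee to the department is then a single Add-ADGroupMember into saledep; the folder ACL never has to be touched again.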

Vladimir Korotenko, 2021-02-14
@firedragon

Create an OU for each department and, within it, the user groups Administrators and Users.
Add users to them according to their rights.
In addition, create the Administrators and Users groups for the entire organization
\\company\fileshare\Department 1\Folder 1 -
\\company\fileshare\Department 1\Folder 2 - reset permissions and add group Administrators Department 1 and Users Department 1

Alexey Dmitriev, 2021-02-14
@SignFinder

Here: Description of the rights of security groups. I drew a simple structure of security groups for issuing rights, tied specifically to the folder structure.
