Active Directory
Korhoff, 2020-10-04 18:02:02

How to restrict user access to other people's files and folders in the domain?

Good day to all)
A very important question came up at work...
I will describe the essence:
There is a local network with a domain. Let's say that in this domain there is a computer used by several users who log in with domain accounts. One of them saved a file he created to disk D, after which another person who logged in to this computer after him went to disk D and deleted everything of his, or the entire folder with documents. Is it possible to set user rights so that the domain controller forbids users from deleting files and folders that they did not create? I know how to do it locally, but from my point of view, running to each computer is wrong; the policy should be assigned centrally. A file server cannot be set up. Is there any way to set this up at all?
I would be extremely grateful for your help!


6 answer(s)
nApoBo3, 2020-10-04
@nApoBo3

There is no way to do this for all folders, only for certain ones.
The best option is to save files to your profile; only the user and the administrator have access to it (well, and everyone else who has forgotten himself from external media).

sanglyb, 2020-10-08
@sanglyb

You can change permissions on folders and files through group policies - https://www.lepide.com/how-to/assign-permissions-t...
There you can set something like this:
[Screenshots not preserved: 5f7f67a8a40b7862959088.png, 5f7f67b54066e187897136.png]
I.e. we disable inheritance, leave users only read and change permission, and apply it only to this folder. We remove Authenticated Users. And we give CREATOR OWNER full access to subfolders and files in subfolders.
I.e. a folder must be created on the D drive, to which the policy with the rights as in the screenshots will be applied. It turns out that users will be able to create their own folders in this folder, and access to each will be only for the one who created the folder. Users will not be able to delete other people's folders, or their contents, because they will not be able to enter folders that were not created by them.
But IMHO, it's better not to do this, because such clumsy solutions create a mess, a disgrace, and ultimately, sooner or later, become a nightmare for administrators. It's better to make at least some kind of file server from an old computer (the main thing is to back up more often).
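
The permission layout described in the answer above, as an added PowerShell example that is not part of the original post and not the linked guide's code. The folder `D:\Shared`, the helper `New-AllowRule`, the extra SYSTEM and Administrators entries, and the use of ReadAndExecute plus create rights for the answer's "read and change" are assumptions.

```powershell
# Added example. $Path is a hypothetical folder; run from an elevated prompt.
$Path = 'D:\Shared'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Well-known SIDs resolve on any Windows display language.
$Sid = @{
    CreatorOwner   = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
    System         = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
    AuthUsers      = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
    Administrators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    Users          = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
}

# Hypothetical helper: builds one Allow entry from typed arguments.
function New-AllowRule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $Path
# Disable inheritance and drop the inherited entries instead of copying them.
$acl.SetAccessRuleProtection($true, $false)
# Remove any explicit Authenticated Users entry, as the answer describes.
$acl.PurgeAccessRules($Sid.AuthUsers)

# Assumption: SYSTEM and Administrators keep full control so the folder stays manageable.
$acl.SetAccessRule((New-AllowRule $Sid.System 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.SetAccessRule((New-AllowRule $Sid.Administrators 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Users: list the folder and create items in it; applies to this folder only.
$acl.SetAccessRule((New-AllowRule $Sid.Users 'ReadAndExecute, CreateDirectories, CreateFiles' 'None' 'None'))
# CREATOR OWNER: full control, applied to subfolders and files only.
$acl.SetAccessRule((New-AllowRule $Sid.CreatorOwner 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))

Set-Acl -Path $Path -AclObject $acl
# Show the resulting entries to confirm nothing is inherited.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
```

Members of the local Administrators group keep full control under this layout, so it only separates users who are not local administrators.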

Dimonchik, 2020-10-04
@dimonchik2013

user account control and kick users out of local admins on computers where they do this

CityCat4, 2020-10-05
@CityCat4

In a local area network with a domain, files should be stored centrally. This is one of the axioms that are usually not discussed - everyone does it. Centrally, you can write your own script that will do what you need.
And of course, users should not have local admin rights.

ComodoHacker, 2020-10-05
@ComodoHacker

Allow users to create their files only in their profiles. Other users are denied access there.

fpir, 2020-10-08
@fpir

No problem, create folders on drive D with the usernames. Tell users that whoever creates a file outside their own folder has only themselves to blame. Set the rights on the folders for users, for example, read for all users of the domain and full access for the owner. Change the owner of the folder from yourself (you created it) to the user. Or give full access to the user whose folder it is and read access to the rest, and leave yourself as the owner. This makes sense: when a person quits, it will be easier for you to delete it.
