Hey Spiceheads,
I’m in the process of moving things over to a new file server and the current folder structure is a nightmare. I need a little schooling on permissions.
My plan is to create a share for each division with the departments inside. This way the division head can have permissions over all departments in their division.
Division
  Department
    Management
    Staff
    Shared
Inside the department share will be a folder for staff and a folder for management, and a shared folder. I will create groups for staff and management and place users in the appropriate group.
I need some help getting these permissions set up correctly to where
- All Users can only see their division/department shares
- Management has full control over the management, staff, and shared folders
- Staff has no access to the management folder, read/write access to the staff and shared folders
I can’t seem to make this work; staff can still get to/see other departments’ folders. I would love to get some input on this design and what the permissions should look like.
2 Spice ups
You need to disable inheritance and assign a specific security group for the department.
*Edit - I reread the question, my bad. You can assign two groups at the department, Management and Users. Under the Management folder, disable inheritance and remove the user group, leaving the management group.
1 Spice up
Enable Access Based Enumeration on the Shares. That will keep things a bit cleaner.
Give the Security groups (like Staff1, staff2, etc.) NTFS read/write permissions only on the folders they should have access to.
1 Spice up
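The two replies above describe one procedure: assign the management and staff groups at the department folder, break inheritance on the Management subfolder and drop the staff entry there, and turn on Access Based Enumeration on the share. The PowerShell below is an added example that does exactly that; it is not code from the original thread. It assumes a Windows file server with the SmbShare module, a data drive D:, a placeholder division "Sales" and department "Accounting", a NetBIOS domain "CONTOSO", and two pre-created AD groups named CONTOSO\Sales-Accounting-Mgmt and CONTOSO\Sales-Accounting-Staff; all of those names are assumptions, change them to match your environment.

```powershell
# Added example for this thread, not from the original posts.
# Assumptions: SmbShare module present (Windows Server 2012 or later), drive D:,
# division/department/domain/group names below are placeholders.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Domain     = 'CONTOSO'          # assumption: NetBIOS domain name
$ShareRoot  = 'D:\Shares'
$Division   = 'Sales'
$Department = 'Accounting'
$MgmtGroup  = "$Domain\$Division-$Department-Mgmt"    # assumed group name
$StaffGroup = "$Domain\$Division-$Department-Staff"   # assumed group name

$DivisionPath   = Join-Path $ShareRoot $Division
$DepartmentPath = Join-Path $DivisionPath $Department

function New-AccessRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$ThisFolderOnly
    )
    # Default scope is "This folder, subfolders and files"; -ThisFolderOnly
    # gives "This folder only", which lets a group list a folder without
    # the entry flowing down into its children.
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, 'None', 'Allow')
}

function Set-FolderAcl {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemAccessRule[]]$Rules,
        [switch]$BreakInheritance   # disable inheritance and drop inherited entries
    )
    $acl = Get-Acl -Path $Path
    if ($BreakInheritance) {
        # $true = stop inheriting from the parent, $false = do not keep copies
        # of the inherited entries, so only the rules added below remain.
        $acl.SetAccessRuleProtection($true, $false)
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Folder tree: Division\Department\{Management,Staff,Shared}
foreach ($sub in 'Management', 'Staff', 'Shared') {
    New-Item -ItemType Directory -Path (Join-Path $DepartmentPath $sub) -Force | Out-Null
}

# 2. Division root: cut inheritance from D:\Shares, keep admins, and give the
#    department groups list access on this folder only so they can browse
#    down to their own department (ABE hides the ones they cannot open).
Set-FolderAcl -Path $DivisionPath -BreakInheritance -Rules @(
    (New-AccessRule 'BUILTIN\Administrators' FullControl),
    (New-AccessRule 'NT AUTHORITY\SYSTEM'    FullControl),
    (New-AccessRule $MgmtGroup  ReadAndExecute -ThisFolderOnly),
    (New-AccessRule $StaffGroup ReadAndExecute -ThisFolderOnly)
)

# 3. Department folder: both groups assigned here and inherited downwards
#    (management: Full Control; staff: Modify = read/write/delete).
Set-FolderAcl -Path $DepartmentPath -Rules @(
    (New-AccessRule $MgmtGroup  FullControl),
    (New-AccessRule $StaffGroup Modify)
)

# 4. Management subfolder: disable inheritance and remove the staff entry,
#    leaving only the management group (re-added explicitly) and admins.
Set-FolderAcl -Path (Join-Path $DepartmentPath 'Management') -BreakInheritance -Rules @(
    (New-AccessRule 'BUILTIN\Administrators' FullControl),
    (New-AccessRule 'NT AUTHORITY\SYSTEM'    FullControl),
    (New-AccessRule $MgmtGroup FullControl)
)

# 5. Share the division root with Access Based Enumeration so users only see
#    the department folders they can actually open. Share permissions stay
#    broad; the NTFS ACLs above do the real restriction.
if (-not (Get-SmbShare -Name $Division -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Division -Path $DivisionPath `
        -ChangeAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
} else {
    Set-SmbShare -Name $Division -FolderEnumerationMode AccessBased -Force
}

# 6. Verify the resulting ACLs on each folder.
foreach ($p in $DivisionPath, $DepartmentPath,
              (Join-Path $DepartmentPath 'Management'),
              (Join-Path $DepartmentPath 'Staff')) {
    icacls $p
}
```

Check the result from a staff account with `icacls` or the Effective Access tab: the account should open Staff and Shared, get "Access is denied" on Management, and, with ABE on, not see other departments' folders when browsing \\server\Sales. If you would rather not break inheritance at all, the variant is to give the staff group ReadAndExecute "This folder only" at the department folder and explicit Modify on Staff and Shared, in which case step 4 is not needed.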
grsl
I disagree. If you start with the most restrictive permissions and open things up in sub-folders you can leave inheritance on. Makes life easier.
Correct. I’ve been managing my last two networks without Access Based Enumeration. Seems to be the easier way to go as I would agree with you.