I have a client that is wondering if they can manage their own folder permissions on the network and inside I’m screaming “no”, but wanted to ask around to see if anyone has found a way to do this without granting unneeded access to AD and other server resources?

Thanks!

12 Spice ups

Sure - they can have delegated access to manage specific groups. There are also tools like AD Manage that can help with this.

https://www.techveze.com/delegating-the-management-of-group-membership/

Maybe just for their own folder. But with great power comes great responsibility.

1 Spice up

I’ve limited an AD group to one user once before and that worked pretty well, but have not had some request to manage folder permissions. Not just create/edit/delete security groups, but also define permissions for individual folders. I guess they would just need to have full control at the root level?

Never open this can of worms…Give the mouse a piece of cheese and he will want a glass of milk.

Shared folders are on file servers and servers should be maintained by Server administrators only.

Unless the user has very valid reasons which both the IP management and top management approve with Server administrators’ approval, then do proceed with a written confirmation and a written set of rules to the user (like no pirated software, no porn, no non-official matters and no discriminating data). Then certain share rules like backup operators must remain and “deny” must never be used.

As an administrator, you do not answer to the user nor your boss…you answer to the business.

2 Spice ups

If the client is asking to control their own data on their own network…I’m pretty sure you don’t have much of a choice but to allow it, however I would make sure that they understand what they are doing and the potential dangers involved with doing it improperly.

1 Spice up

Can’t you just give them full NTFS permissions on a folder by folder basis? Most folders shared on my network are managed via NTFS permissions rather than sharing permissions, and it’s a fairly flexible and versatile method, particularly when combined with Access-Based Enumeration. I have to admit my user base is much too techno-indifferent to want to learn how to do anything like this, but the benefit is that the user can have full access to, or even be the owner of, a folder without having any special rights or privileges on the file server or in AD.
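Added example (not from this thread): the NTFS-only delegation described above, done and then audited in PowerShell on the file server. The folder path and group name are placeholders; everything else uses the standard Get-Acl/Set-Acl cmdlets.

```powershell
# Added example, not code from the thread. Delegate control of one folder
# subtree to a "folder owner" security group using NTFS permissions only;
# the group gets no rights on the server or in AD beyond this subtree.
$FolderPath = 'D:\Shares\Projects\Marketing'    # placeholder folder
$OwnerGroup = 'CONTOSO\Marketing-FolderOwners'  # placeholder domain group

# Full Control on this folder, inherited by subfolders and files
# (ContainerInherit + ObjectInherit), so the owners can set permissions
# on anything they create underneath without touching the parent share.
$ruleArgs = @(
    $OwnerGroup,
    'FullControl',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl = Get-Acl -Path $FolderPath
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Review: list every ACE below the share root that lets someone change
# permissions or take ownership, and flag any Deny entries (the thread's
# rule is that "deny" must never be used on a delegated share).
function Get-DelegationReport {
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $a = Get-Acl -Path $_.FullName
        foreach ($ace in $a.Access) {
            $rights = $ace.FileSystemRights.ToString()
            $canDelegate = $rights -match 'FullControl|ChangePermissions|TakeOwnership'
            if ($canDelegate -or $ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Identity  = $ace.IdentityReference.Value
                    Type      = $ace.AccessControlType
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
      }
}

Get-DelegationReport -Root 'D:\Shares\Projects' | Format-Table -AutoSize
```

Membership of the owner group is still an AD change, so that part stays with the admins or with a narrowly delegated group-management right, as described earlier in the thread.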

Thing is, if the client is paying you to provide support, your only real option is to give them what they’re asking for. However, you would be remiss if you didn’t advise them of the potential hazards of providing that access if they happen to incorrectly apply settings in the system and what it could potentially cost them on the bottom line if they break it.

Thanks all. I could easily make this person have full access over this one share so they could manage subfolders, but my concern was them having to do this with AD access to groups. I can’t imagine having to add 50 names to a folder for new access without a group, but maybe there’s another way?

Security Groups in AD.