|
-
January 18th, 2008, 01:22 AM
#1
permissions should be part of the planning process, but you must consider the GROUP set up as well. If you get the groups wrong, then no amount of tweaking permissions will help
when setting up group strategy remember AGULP
(A)ccounts can be members of-
(G)lobal Groups can be members of-
(U)niversal groups can be members of -
(L)ocal or Domain Local Groups have -
(P)ermissions assigned to them
you can nest groups to ease administration, but only in one way, Universal can NEVER go into a Global Group
Global groups would be the choice for people with the same job function, such as HR / Sales [MAX of 5000 per group, if more  create additional groups.
Universal Groups are used to combine similar Global groups from different domains.
Use Group Policy to restrict users, apply these permissions to the local / domain local groups
RSoP = Resultant Set of Policy
Tool to quickly determine the outcome of your applied permissions and group policies
Now, permissions 
NTFS – set against groups, add all permissions, LEAST restrictive is what you get
File permissions override Folder permissions :-
Normally folder permissions will propagate down to child objects, if this is NOT true, file permissions will override
Permissions are cumulative :-
If a user is in a group with read permission and a group with write permission, they will have read AND write.
Deny permissions take precedence over Allow permissions :-
Explicit deny permission will always ‘beat’ any other permission [explicit, as in that specific user has a deny access to a particular folder, that’s the end of the permission for him] if a group he is in has a deny set against them, then again he will lose all permissions given via other groups, should the deny be set higher, then an explicit allow will override that.
Effective Permissions
Quick check on effective NTFS permissions for user / group on a particular resource, by clicking on the effective permissions tab :doh:
Share Permissions
Set against a resource, again cumulative, add them up, LEAST restrictive is set
When you have GROUPS accessing SHARED resources the following is used
Add all NTFS permissions – least restrictive is set
Add all share permissions – least restrictive is set
Then take the most restrictive of the two sets
Deny access overrides all(unless explicit access is granted)
And AK grab books on MCSA exams 70-290 and 70-291
also 70-270 for XP
read em well, it's all in there
and my head still hurts from the MCSE 2k3 exams
Last edited by foxyloxley; January 18th, 2008 at 01:24 AM.
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
Similar Threads
-
By cheyenne1212 in forum Miscellaneous Security Discussions
Replies: 7
Last Post: February 1st, 2012, 02:51 PM
-
By pwaring in forum Other Tutorials Forum
Replies: 60
Last Post: October 22nd, 2004, 09:15 PM
-
By Ennis in forum AntiOnline's General Chit Chat
Replies: 5
Last Post: December 27th, 2003, 05:28 PM
-
By xmaddness in forum Miscellaneous Security Discussions
Replies: 1
Last Post: October 9th, 2002, 09:21 PM
-
By xmaddness in forum Miscellaneous Security Discussions
Replies: 1
Last Post: October 2nd, 2002, 09:32 PM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote