
NTFS Rights For Fun and Profit

White Paper

NTFS Rights For Fun and Profit

Author: Kevin Flanagan


August 19, 2002

How to Save Time and Money With a Well-Designed File Access Methodology

The majority of companies use Windows NT, Windows 2000, or a hybrid computing environment that grew semi-organically rather than being thoroughly planned. One by-product of this migration is that, over time, permissions were granted to people as needed, causing non-standard (haphazard) application of permission schemes. Administrators come and go, and they learn better ways to do things, bringing about a change in “the way things are done”. At most companies, junior administrators manage account creation and file permissions, which takes a company further from a solid, clean methodology for granting access to data. Most administrators know the official “Microsoft answer”: apply Access Control Lists (ACLs) to objects (generally, directories or files). The ACL contains only Local Groups, which are members of Global Groups; users are members of the Global Groups. Few organizations have applied ACL permission schemes as standard practice.

It is proposed here that time be taken to do one of two things: completely restructure file permissions, or start a new system that will greatly ease the task of managing permissions and save the company significant money at the same time.

This is a daunting task for many environments, but one that is worth the effort. Consider the following factors and their value to the company.

  • Reduced time spent administering permissions
  • Reduced error rate in application of permissions
  • Reduced user frustration
  • Increased user productivity

When rolling out a new file server, or as a part of a Windows 2000 migration, restructuring the current file servers (as described below) will make the work easier, and save the company money.

Implementing the following items can save time (time = money) for systems administrators:

  1. Define Boundaries Around Groups of Data – This is the most time-consuming and tedious part of the job. Determine areas of responsibility, and include the user community and the first-line help desk individuals in defining the boundaries. Only those individuals who deal with the data on a regular basis know who needs access to what data.
  2. Tools needed:
    • Dumpacls
    • Cacls
    • Xcacls
    These are tools from the Windows 2000 Resource Kit, freely downloadable from Microsoft. Using these tools, save the directory structure, with its ACLs, out to a file. Have the local staff who currently manage ACLs manually look at the directory trees and associated ACLs to determine where the boundaries of data are. Organize the data by who needs access to it.
  3. Create Local Groups – Create Local Groups for the resource from a text file list of the group names (see Figure 1).

    REM mklgrp.cmd - Creates local groups based on a text file
    REM names.txt holds one group name per line
    For /F %%I in (I:\test\names.txt) do net localgroup %%I /add

    Figure 1. Text File List of Group Names

  4. Create Global Groups for User Accounts – Creation of Global Groups can be automated in the same way as above, using the “Net Group” command on a domain controller.


In this example, there are two file servers, each with several shared directories, and each storing user home directories.

C: - Operating System
E: - User home directories
    \sjones – Shared as \\server1\sjones$
    \bsmith – Shared as \\server1\bsmith$
F: - Shared data
    F:\files – Shared as \\server1\files

The exception to the rule is user home directories; they should always have the same permissions:

System : Full Control
Administrators : Full Control
“Owner” : Change – This is one person only

If there is a need to share data, it should be done on another share, never in the user home directories.
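The ACL listing saved to a file in step 2 can be checked against both rules above: shared directories list only Local Groups, and home directories carry exactly the three standard entries. The following is an added example, not part of the original paper. It assumes cacls-style output, paths without spaces, Local Groups displayed as SERVER1\name, and a constructed domain name CORP.

```python
import re
# One ACE as cacls prints it: trustee, inheritance flags, permission letter.
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?:\([A-Z]+\))*(?P<perm>[FCRWN])$")
WELL_KNOWN = ("BUILTIN\\", "NT AUTHORITY\\")
# Constructed sample of saved cacls output; SERVER1 and CORP are assumed names.
SAMPLE = r"""
F:\files\shipping BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F
                  SERVER1\shipping:(OI)(CI)C
                  CORP\bsmith:(OI)(CI)C
E:\sjones BUILTIN\Administrators:(OI)(CI)F
          NT AUTHORITY\SYSTEM:(OI)(CI)F
          CORP\sjones:(OI)(CI)C
E:\bsmith BUILTIN\Administrators:(OI)(CI)F
          NT AUTHORITY\SYSTEM:(OI)(CI)F
          CORP\bsmith:(OI)(CI)C
          CORP\sjones:(OI)(CI)R
"""

def parse_cacls(text):
    """Return {path: [(trustee, perm), ...]}. Assumes paths contain no spaces."""
    acls, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        rest = line
        if not line[0].isspace():          # a new path starts in column 0
            current, _, rest = line.partition(" ")
            acls[current] = []
        m = ACE_RE.match(rest.strip())
        if m and current:
            acls[current].append((m["trustee"], m["perm"]))
    return acls

def audit(acls, server, home_root):
    """Return (path, reason) pairs. Home directories must hold exactly SYSTEM
    and Administrators with Full Control plus one owner with Change."""
    findings = []
    for path, aces in acls.items():
        if path.upper().startswith(home_root.upper()):
            full = {t.upper() for t, p in aces if p == "F"}
            owners = [t for t, p in aces if p == "C"]
            if (full != {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS"}
                    or len(owners) != 1 or len(aces) != 3):
                findings.append((path, "home directory ACL is not the standard set"))
            continue
        for trustee, perm in aces:
            if not trustee.upper().startswith((server.upper() + "\\",) + WELL_KNOWN):
                findings.append((path, f"{trustee}:{perm} is not a Local Group on {server}"))
    return findings

if __name__ == "__main__":
    print(audit(parse_cacls(SAMPLE), "SERVER1", "E:\\"))
```

In the sample, the direct grant to CORP\bsmith on the shipping directory and the extra Read entry on E:\bsmith are reported; E:\sjones passes.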

Server named Server1
    \receiving – Local Group named receiving
    \shipping – Local Group named shipping
    \accounting – Local Group named accounting
    \engineering – Local Group named engineering
    \users\financedata – Local Group named financedata
Server named Server2
    \engineering – Local Group named engineering
    \marketing – Local Group named marketing

After the access boundaries are set (in this example, the Local Groups listed above), create Global Groups whose names are made up of 3 parts:

  1. Server abbreviation: Server1 becomes S01
  2. Name of the Local Group on the server where the resource resides
  3. Type of access granted (recommendation – 3):
    • Read Only = RO – Read permission
    • Read Write = RW – Change permission
    • Special Access = SA – List permission

Global Groups would be named:

  • S01shippingRO
  • S01shippingRW
  • S01shippingSA
  • S01engineeringRO
  • S01engineeringRW
  • S01engineeringSA
  • Etc.

Know who the “business owner” of the data is, and maintain that order to verify whether a person should have access to the directory in question and, if so, whether the permission should be Read Only or Read Write.

Use the command-line tools Cacls or Xcacls to apply these permissions. Do NOT use the GUI, unless it is to REPLACE all rights to all files, etc. under the one being worked on.

Once implemented, this structure shows which Global Group controls access to which resource, and users can be added to the appropriate group. Once a user is added to the group, the user logs off and back on, and access is normal. Ensure that every new high-level directory receives the 3 groups created for both Local and Global Groups.

This structure has been applied with great success, saving about 1 man-day per week of permission management in a company of about 3000 employees. The payoff is significant after the initial setup time. This may be the best time to implement projects like this: the projected slowdown in new projects may afford NT administrators the time to rework things they inherited or did before they learned a better way to do them.
