One thing you want to avoid doing is assigning users specific permissions
against a folder.
Say you have a folder FOO. You create two groups .. "FOO Read Write" and
"FOO Read only". Give the groups the appropriate permissions to the folder.
Typically, users are put into organizational groups (i.e. "Sales
Department") and the organizational groups put into the appropriate
permission group. You can put users directly into the permission groups,
but this is less common except for very unique exceptions.

This structure is setup for two primary reasons. One is that group
membership is quite visible while folder permissions are not very visible in
AD. The other is that the structure allows the permissions to not be lost
when users are changed or removed.

Hope this helps.

---------
Tom Jedrzejewicz
tomjedrz@xxxxxxxxxxxxxx


On Wed, Sep 23, 2009 at 1:36 PM, Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx>wrote:

After a bit of studying and thought, it's making sense.

Thanks.

On Wed, Sep 23, 2009 at 4:21 PM, Lukas Beeler <
lukas.beeler@xxxxxxxxxxxxxxxx
wrote:

On Wed, Sep 23, 2009 at 22:02, Jeff Crosby <jlcrosby@xxxxxxxxxxxxxxxx>
wrote:
On the i I've always secured these with authorization lists (I love
authorization lists). I don't think Windows has the equivalent of
authorization lists. Is setting up Groups and assigning users to
Groups
the
generally accepted, correct way to do this in Windows?

A G DL P
http://en.wikipedia.org/wiki/AGDLP

Accounts Global DomainLocal Permissions

Basically, you use multiple Domain Local Groups to effectively set
permissions on files or folders. For each type of permission, you need
a single group. Then, Global Groups are members of the Domain Local
Groups (group nesting). Finally, the user account objects are members
in the Global Groups.

You can also add universal groups, but there's no need for that unless
you have multiple domains and thousands of users.

--
Read my blog at http://projectdream.org
--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing
list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.




--
Jeff Crosby
UniPro FoodService/Dilgard
P.O. Box 13369
Ft. Wayne, IN 46868-3369
260-422-7531
www.dilgardfoods.com

The opinions expressed are my own and not necessarily the opinion of my
company. Unless I say so.
--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.