Give one user access to ALL shares?

Discussion in 'Active Directory' started by David Naffy, Jan 26, 2009.

  1. David Naffy

    David Naffy Guest

    Hi there,
    We've had a requirement for a senior member of the company to have access to
    every single share we have on our Win2003 domain.
    We however have about 1000 shares and are creating new shares all the time.
    These are spread over 300+ servers.

    Being a domain admin has pretty much been ruled out.

    Is there any way to achieve this without manually adding to all shares? I
    don't even want to script it to all shares either really as from an admin
    point of view it is too hard especially with new shares.

    Look forward to hearing your ideas.

    Thanks.
     
    David Naffy, Jan 26, 2009
    #1

  2. The only solution I can think of is to revise the process for creating
    shares so you give permissions to a group. Make this person a member of the
    group. This doesn't help for your existing shares, of course, so a script
    granting permissions may be the only solution. The problem would be
    enumerating the shares.

    I'm sure you don't need to be told what follows, but the last people that
    should have such permissions are senior management. They should not be doing
    network admin work. From experience I have seen cases where senior
    management/owners have done damage, compromised security, created
    unnecessary work, etc.
     
    Richard Mueller [MVP], Jan 26, 2009
    #2

  3. You probably have some kind of logical grouping of shares (Sales, Accounting,
    etc.) and you probably have a Group that already can access all the shares in
    that "grouping",...therefore add this person to this group and its similar
    counterpart group in all the other "groupings". You could also create a
    Group to go "inside" these other groups and then put the person in it,..it
    would be easier to manage if the person in that position changed.

    However this may violate certain Government Acts like Sarbanes-Oxley and
    other similar ones. So it may actually be illegal for you to do this,...so
    you may actually have to ask a lawyer. The days of high ranking company
    employees being "gods" is pretty much over,...the Government has gotten
    their fingers in the operation of companies now. The Government can be an
    IT person's friend (to "back up" IT's actions) or they can be your
    enemy,...you might want to keep them your friend.

    This stuff can get "fuzzy" sometimes is all I am saying,...


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
     
    Phillip Windell, Jan 26, 2009
    #3
  4. JPolicelli [MVP-DS], Jan 26, 2009
    #4
  5. David Naffy

    David Nafty Guest

    Hi,
    Thanks for the replies so far. Just to clear it up it is a company owner
    that wants full access therefore we are fine to provide this but in a
    sensible way and one with the least admin now and in the future.
    I was kind of hoping for some kind of group policy that might achieve this
    but looks like it really would not???
    I think the groups would be manageable but due to the nature of the data the
    shares are often limited to single users and not very often to groups.
     
    David Nafty, Jan 26, 2009
    #5
  6. You still do it with groups,...even if it is only one person in the group.
    You should not grant permissions directly to user accounts for the very
    reason you are faced with such a problem.

    Your security "scheme" should be in place and functioning even if there are
    no "humans" anywhere because it should be all based against Groups (even if
    there is no one in the group). Then you just add/remove "humans" to/from
    the groups. You may very well have to diagram out (maybe even by hand) what
    the scheme should be like,...and then build it,...then work the "humans"
    into it.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Jan 26, 2009
    #6
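
The group-based scheme described in the replies above can be checked offline once share ACLs and group memberships have been exported. The following is an added example, not part of any post in this thread: it resolves nested group membership and reports both ACL entries granted directly to user accounts and shares the chosen account cannot reach. All group, user and share names are constructed for illustration.

```python
# Constructed sample data: every name below is illustrative, not from the thread.
# group -> direct members (users or other groups)
GROUPS = {
    "Sales-Share-RW": {"alice", "AllShares-Read"},
    "Accounting-Share-RW": {"bob", "AllShares-Read"},
    "HR-Share-RW": {"carol"},            # umbrella group was never nested here
    "AllShares-Read": {"owner"},
}
# share (UNC path) -> trustees listed on its ACL
SHARE_ACLS = {
    r"\\srv01\Sales": ["Sales-Share-RW"],
    r"\\srv02\Accounting": ["Accounting-Share-RW"],
    r"\\srv03\HR": ["HR-Share-RW"],
    r"\\srv04\Payroll": ["dave"],        # permission granted directly to a user
}

def effective_members(group, groups, _seen=None):
    """Return every user reachable from `group` through nested groups."""
    seen = _seen if _seen is not None else set()
    if group in seen:                    # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:
            users |= effective_members(member, groups, seen)
        else:
            users.add(member)
    return users

def audit(share_acls, groups, principal):
    """Report ACL trustees that are users, and shares `principal` cannot reach."""
    direct_user_aces, unreachable = [], []
    for share, trustees in sorted(share_acls.items()):
        reachable = False
        for trustee in trustees:
            if trustee in groups:
                reachable |= principal in effective_members(trustee, groups)
            else:
                direct_user_aces.append((share, trustee))
                reachable |= trustee == principal
        if not reachable:
            unreachable.append(share)
    return direct_user_aces, unreachable

if __name__ == "__main__":
    direct, missing = audit(SHARE_ACLS, GROUPS, "owner")
    print("ACEs granted directly to users:", direct)
    print("Shares the principal cannot reach:", missing)
```

Run against a fresh export after new shares are created, the second list shows where the umbrella group has not yet been nested.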