shared Folder permissions - No Read/Write Access for Admins

Discussion in 'Active Directory' started by AE, Jun 26, 2007.

  1. AE

    AE Guest

    Hi all,

    I manage a network in a hospital (i.e., lots of security and patient privacy
    issues).

    I set up a shared drive on a Win2003 machine, and granted Full access only to
    doctors.
    Administrators are excluded.

    The problem occurs when one doctor is being replaced: how can I add the new
    doc to the list while I do not have any permissions for the folder? Is there
    a way to keep this privilege for admins while taking out the read/write
    permissions?

    FYI: We are running AD on a Win2003 SBS server. All our machines are XP.

    Thank you,
    ~ae
     
    AE, Jun 26, 2007
    #1

  2. AE

    Ryan Hanisco Guest

    AE,

    In order to make changes on this file, you will need to take ownership of
    the file and temporarily grant the managing account permissions over the
    file or folder.

    Directions:
    http://technet2.microsoft.com/windo...d1d9-4d16-93c5-7326aa1f33791033.mspx?mfr=true

    As a better solution, you might want to give a group of administrators only
    the read permissions and change permissions under the special permissions
    tab. This will let this group manage the permissions while never having
    rights to access the files. If you also deny this group the take ownership
    right, then you will have effectively created a group that can manage the
    permissions but never access. You will still need to allow the system and
    full admin the ability to take ownership should there be a problem -- but you
    never use the actual full admin for anything... RIGHT?

    http://technet2.microsoft.com/windo...421a-4f2c-b259-107a8ac019081033.mspx?mfr=true

    Hope this helps,
    --
    Ryan Hanisco
    MCSE, MCTS: SQL 2005, Project+
    Chicago, IL

    Remember: Marking helpful answers helps everyone find the info they need
    quickly.
     
    Ryan Hanisco, Jun 26, 2007
    #2

  3. AE

    Jorge Silva Guest

    Hi
    I don't see any point in taking away the administrators of that folder
    because they can (if they want) at any time take ownership of the
    folder/file and do what they want to do.
    Anyway, you could delegate that task to someone that has permissions to that
    folder so he/she could add the new Dr.
    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jun 27, 2007
    #3
  4. AE

    Ryan Hanisco Guest

    Jorge,

    You're absolutely right. But I disagree in certain circumstances.

    In a perfect world, users would only have the rights granted that they
    needed and even administrators wouldn't have "administrator" accounts.

    A lot of companies, as you know, give full admin privileges to all of their
    admins, or even worse, all use the "Administrator" user account. In an
    industry that is highly regulated and under HIPAA, SAS, or SOX, you want to
    take reasonable precautions from allowing users to browse patient data or
    financial records.

    While administrators could certainly take permissions, removing the
    temptation to just browse data can go a long way and provide an audit trail
    of intent, as taking ownership is a deliberate action whereas a permissions
    reset could be construed as an accident or inheritance problem.

    Finally, in my response, I was trying to come up with a way to have this
    level of accountability while still allowing a specific group of admins to
    manage the permissions without tainting them with potential access of the
    data.

    I hope this explains better.
    --
    Ryan Hanisco
    MCSE, MCTS: SQL 2005, Project+
    Chicago, IL

    Remember: Marking helpful answers helps everyone find the info they need
    quickly.
     
    Ryan Hanisco, Jun 27, 2007
    #4
  5. AE

    Jorge Silva Guest

    I believe that creating a security group and giving that group the right to
    "change permissions" on the Folder/files will be enough.
    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jun 27, 2007
    #5
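
The permission layout suggested in posts #2 and #5, as an added example that is not part of the original thread: a dedicated group gets only "Read permissions" and "Change permissions", is denied "Take ownership", and an audit rule records ACL changes, since a holder of "Change permissions" can still grant itself access later. The folder path and group name are hypothetical, and the script assumes Windows PowerShell 5 or later, run elevated by an administrator who currently owns the folder.

```powershell
using namespace System.Security.AccessControl
# Added example; $path and $managers are hypothetical names. Run elevated by an
# administrator who currently owns the folder or has Full Control on it.
$path     = 'D:\Shares\Clinical'
$managers = 'HOSPITAL\Share-ACL-Managers'

$inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [PropagationFlags]::None

# -Audit also loads the SACL, so one Set-Acl call writes both lists.
$acl = Get-Acl -Path $path -Audit

# Managers may view and edit the ACL ("Read permissions" + "Change permissions"
# on the special permissions tab) but get no data rights.
$acl.AddAccessRule([FileSystemAccessRule]::new(
    $managers, [FileSystemRights]'ReadPermissions, ChangePermissions',
    $inherit, $noProp, [AccessControlType]::Allow))

# Explicit deny on "Take ownership" for the same group. Accounts holding the
# "Take ownership of files or other objects" user right (Administrators by
# default) are not stopped by this entry.
$acl.AddAccessRule([FileSystemAccessRule]::new(
    $managers, [FileSystemRights]::TakeOwnership,
    $inherit, $noProp, [AccessControlType]::Deny))

# Record every successful ACL change or ownership change in the Security log.
# Requires object-access auditing to be enabled in the audit policy.
$acl.AddAuditRule([FileSystemAuditRule]::new(
    'Everyone', [FileSystemRights]'ChangePermissions, TakeOwnership',
    $inherit, $noProp, [AuditFlags]::Success))

Set-Acl -Path $path -AclObject $acl

# Verify: no Allow entry for the managers group may carry a data-access bit.
$data = [int][FileSystemRights]'ReadData, WriteData, AppendData, ExecuteFile, Delete, DeleteSubdirectoriesAndFiles'
$leaks = (Get-Acl -Path $path).Access | Where-Object {
    $_.IdentityReference.Value -eq $managers -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $data) -ne 0
}
if ($leaks) { Write-Warning "Managers group has data rights on $path"; $leaks }
else        { "OK: $managers can edit the ACL on $path but holds no data rights." }
```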