An auditor will be visiting our office soon, and they will require read-only access to our data. I have already created a domain user account and placed them into a group called "Auditors".
We have a single fileserver (Windows Server 2008) with about ten shared folders. All of the shares are set up to allow full access to authenticated users, and access restrictions are implemented with NTFS ACLs. Most folders allow full access to the "Domain Users" group, but the auditor won't need to make any changes. It takes several hours to update NTFS ACLs since we have about one million files. Here are the options that I am currently considering.
- Create a "staff" group to assign read/write instead of "Domain Users" at the share level
- Create a "staff" group to assign read/write instead of "Domain Users" at the NTFS level
- Deny access to the "Auditors" group at the share level
- Deny access to the "Auditors" group at the NTFS level
- Accept the status quo and trust the auditor.
I will probably need to configure similar users in the future, as some of our contractors require a domain account but shouldn't be able to modify our client data. Is there a best practice for this?
Best Answer
Here is what I would do (all at the NTFS level; leave your share permissions the way they are):
You can do steps 4-6 in one shot so it's not multiple ACL updates.
Now whenever someone needs R/O access, all you have to do is add them to the "ReadOnlyAccess" group; no need to update the ACLs in the future.
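An added PowerShell example of the one-time NTFS update this answer describes (not the answerer's own script). It assumes the domain is CONTOSO, that the groups CONTOSO\Staff and CONTOSO\ReadOnlyAccess already exist in AD, that every share root sits directly under D:\Shares, and that the approach is the one listed among the question's options: swap the "Domain Users" ACE for a Staff ACE and add a read-only ACE for ReadOnlyAccess, then let inheritance carry both down the tree. It ends with a check for leftover explicit "Domain Users" ACEs that would still grant write access below the roots.

```powershell
# Added example, not code from the original answer. Assumptions: domain is
# CONTOSO (placeholder); groups CONTOSO\Staff and CONTOSO\ReadOnlyAccess already
# exist in AD; every share's root folder lives directly under D:\Shares.
# Get-Acl/Set-Acl ship with PowerShell 2.0, which runs on Server 2008.

$Domain     = 'CONTOSO'
$ShareRoots = Get-ChildItem -Path 'D:\Shares' | Where-Object { $_.PSIsContainer }
$InheritAll = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp     = [System.Security.AccessControl.PropagationFlags]::None

function New-Ace([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $InheritAll, $NoProp, 'Allow'
}

foreach ($root in $ShareRoots) {
    $acl = Get-Acl -Path $root.FullName

    # Swap the explicit "Domain Users" ACE for a Staff ACE (assumed, see lead-in):
    # read-only accounts stay domain users without inheriting write rights from it.
    @($acl.Access | Where-Object { $_.IdentityReference.Value -eq "$Domain\Domain Users" }) |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $acl.AddAccessRule((New-Ace "$Domain\Staff" 'Modify'))

    # ReadOnlyAccess gets Read & Execute, inherited by every file and subfolder.
    $acl.AddAccessRule((New-Ace "$Domain\ReadOnlyAccess" 'ReadAndExecute'))

    # Set-Acl propagates inheritance down the tree; this is the slow, one-time step.
    Set-Acl -Path $root.FullName -AclObject $acl
}

# Verification: any explicit (non-inherited) "Domain Users" ACE left on a subfolder
# would still grant the auditor write access there, so list those folders.
function Find-ExplicitDomainUsersAce([string]$Path) {
    Get-ChildItem -Path $Path -Recurse | Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $folder = $_.FullName
            (Get-Acl -Path $folder).Access |
                Where-Object { -not $_.IsInherited -and
                               $_.IdentityReference.Value -eq "$Domain\Domain Users" } |
                ForEach-Object { $folder }
        }
}
Find-ExplicitDomainUsersAce -Path 'D:\Shares'

# From now on only group membership changes (needs the ActiveDirectory module,
# i.e. RSAT or Server 2008 R2):  Add-ADGroupMember -Identity ReadOnlyAccess -Members Auditors
```

Run the verification function before the change as well, to size the job: it only walks folders, not the million files, so it finishes much faster than the Set-Acl pass.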