Default NTFS permissions for shared folders

best-practices windows-server-2012

I'm looking for best practices around share files and their NTFS permissions.

I'm upgrading servers from SBS 2003 to Server 2012 Standard and thought this would be a good opportunity to do our security groups and NTFS/Share permissions correctly.

1. Should SYSTEM always be in the NTFS permissions with full access? I assume this is needed for backups, or would a different user be used for backups?

2. So far I have SYSTEM, Administrator (from the domain), Administrator (Local account) all with full access.

3. Should I have CREATOR OWNER in here?

4. Once I have these base security groups/users set up for the drive, I would start setting up the shares with each security group in both NTFS permissions and Share permissions. Is this correct?

Best Answer

  1. System is not required for backups. Accounts with the "Backup files and directories" privilege can bypass file system security.

  2. Creator Owner is typically used to confer specific permissions to the users that create files. For example, if you have a directory that allows users to create files, but not modify or delete, you can use Creator Owner to confer Modify permission to the files for the people that create them. If you don't need this or if it would be difficult for the users to understand, you probably should not use it.

  3. I usually manage all permissions using NTFS, and set the share permission to full control. The exception would be if you want to make the share more restrictive, such as read only.
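The layout described in points 2 and 3 of the answer, written out as an added PowerShell example (not part of the original question or answer). The folder path, share name, `CONTOSO\Staff` group, the use of `BUILTIN\Administrators` for the administrator entries and `Authenticated Users` as the share principal are all assumptions made for illustration.

```powershell
# Run elevated on the file server. Every name below is a placeholder for this example.
$Path  = 'D:\Shares\Drop'     # hypothetical folder
$Share = 'Drop'               # hypothetical share name
$Group = 'CONTOSO\Staff'      # hypothetical security group
$All   = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

New-Item -Path $Path -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $Path
# Stop inheriting from the drive root and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

function Add-Rule($Identity, $Rights, $Inherit, $Propagate) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
    $acl.AddAccessRule($ace)
}

# Baseline from the question (Administrators group assumed in place of named accounts).
Add-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $All 'None'
Add-Rule 'BUILTIN\Administrators' 'FullControl' $All 'None'

# Group members can list and read everything under the folder.
Add-Rule $Group 'ReadAndExecute' $All 'None'

# CreateFiles on this folder only. It shares its bit with WriteData, so letting
# it inherit onto files would give the whole group write access to every file.
Add-Rule $Group 'CreateFiles' 'None' 'None'

# Whoever creates a file receives Modify on that file; inherit-only, so the
# entry grants nothing on the top-level folder itself.
Add-Rule 'CREATOR OWNER' 'Modify' $All 'InheritOnly'

Set-Acl -Path $Path -AclObject $acl

# Share permission left at Full Control so that NTFS is the only gate.
# For the read-only exception, use -ReadAccess instead of -FullAccess.
New-SmbShare -Name $Share -Path $Path -FullAccess 'Authenticated Users' | Out-Null

# Review the result: effective access is the more restrictive of share and NTFS.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
Get-SmbShareAccess -Name $Share
```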