Security – How to deny access on files to several groups easily

Tags: active-directory, network-share, security, windows-server-2012

Currently I'm working with permissions on files on the network with Windows Server 2012 Active Directory as follows: I set up one domain controller, on the domain controller I create users and groups. After that, I select one folder to share, and in the sharing options I add everyone with read/write access (I do this because I was told that doing differently gives problems).

Then on subfolders, to restrict the access I go to the Security tab of the folder's properties, add the groups I want to deny access to, and deny them read/write permissions.

That is fine, however, I'm finding this is not a good approach. Indeed if groups are constantly added and one folder is just meant to be accessed by one group, I'll always need to add the new ones and deny access to them.

One real-life scenario in which this may occur is as follows: one company has folders for projects, and each project has a certain subset of the employees working on it. So they create one group for each project, and then on the project's folder only the group for that particular project should have access. If new projects are added, it will require adding the new group on every single project folder, and this could be tedious.

So how can one deny access on files and folders more effectively without having to edit the security options when new groups are added?

Best Answer

Why are you using deny ACEs? You should be doing something like this:

Root of the share (Authenticated Users - Read - This Folder Only)
|
|
----Subfolder1 (Subfolder1 Users - Read/Write - This folder and Subfolders)
|
|
----Subfolder2 (Subfolder2 Users - Read/Write - This folder and Subfolders)

And so on. You should not be using deny ACEs regularly. In the last 10 years, I can think of maybe 3 times when I've ever used a deny on an NTFS ACL.
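The layout in the answer, carried out as a script. This is an added example, not code from the answer or from any product: it assumes the share root is D:\Projects on the file server, the domain is CORP, and a group named "Project-<name> Users" already exists for each project. Authenticated Users get Read on the root with no (OI)/(CI) flags, which is icacls' spelling of "This Folder Only", so that entry never reaches a project folder; each project group gets Modify with (OI)(CI) so the grant covers files as well as subfolders (the answer says "This folder and Subfolders"; including files is this example's choice). Adding a project means creating its folder and one allow ACE, and no other folder is touched. The audit function at the end lists any Deny ACE left under the share, which is how you find folders still managed the old way.

```powershell
# Added example (not the answer's own code). Assumptions: share root D:\Projects,
# domain CORP, one "Project-<name> Users" group per project already exists.
# Run in an elevated PowerShell session on the file server.
$ShareRoot = 'D:\Projects'
$Domain    = 'CORP'

# Root of the share. /inheritance:r drops the ACEs inherited from the volume so the
# share starts from a known ACL. Authenticated Users: Read, this folder only (no
# (OI)/(CI), so it does not flow into project folders). Administrators and SYSTEM
# keep Full Control with inheritance so every subfolder stays manageable.
New-Item -ItemType Directory -Path $ShareRoot -Force | Out-Null
icacls $ShareRoot /inheritance:r /grant `
    'NT AUTHORITY\Authenticated Users:(RX)' `
    'BUILTIN\Administrators:(OI)(CI)(F)' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)(F)' | Out-Null

function Add-ProjectFolder {
    # Creates <root>\<name> and grants only that project's group Modify, inherited by
    # subfolders (CI) and files (OI). Nothing else on the share needs to change.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Group = "$Domain\Project-$Name Users"   # assumed naming convention
    )
    $path = Join-Path $ShareRoot $Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant "${Group}:(OI)(CI)(M)" | Out-Null
    return $path
}

function Find-DenyAce {
    # Audit: return every Deny ACE on the given folder and all folders beneath it.
    # With the layout above this returns nothing; any hit points at a folder that
    # is still protected with deny entries instead of scoped allow entries.
    param([Parameter(Mandatory)][string]$Path)
    $folders = @(Get-Item -Path $Path) +
        @(Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        (Get-Acl -Path $folder.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}

# Two constructed projects; a new project later is one more call and nothing else.
'Alpha', 'Beta' | ForEach-Object { Add-ProjectFolder -Name $_ | Out-Null }

# Check: the Alpha folder should show Administrators and SYSTEM as inherited,
# the Alpha group as explicit, and no Authenticated Users entry at all.
(Get-Acl -Path (Join-Path $ShareRoot 'Alpha')).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

$denies = @(Find-DenyAce -Path $ShareRoot)
"Deny ACEs found under ${ShareRoot}: $($denies.Count)"
$denies | Format-Table -AutoSize
```

Share-level permissions are left as they are in the question (Everyone read/write at the share), since the answer's point is that the NTFS allow entries, scoped by inheritance, already limit each project folder to its own group; the Deny audit is worth re-running after any hand edits in the Security tab.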