NT Syntax : Permissions

NT permissions can be set on Files and Folders with CACLS or XCACLS.

Permissions can be None, Read, Change or Full
(Full is the same as Change plus the right to administer the file, e.g. to grant additional users the right to read it)

Permissions can be assigned to individual users or to entire NT workgroups:
There are 3 types of NT workgroup:

- Local Machine Workgroup
- Local Domain WorkGroup
- Global Domain WorkGroup

To create Local Users and Local Groups

Control Panel - admin tools - computer management - local users and groups
( not available on a Domain Controller )

or from the command line...
NET localgroup
(Under NT 4 run Musrmgr.exe) 

To create Global Domain WorkGroups and Local Domain WorkGroups

Control Panel - admin tools - Active directory users and computers - Users

or from the command line...
NET localgroup /domain
NET group /domain
(Under NT 4 run usrmgr.exe)

Local Machine workgroups
A Local Machine User can join a Local Machine workgroup.
A Local Domain WorkGroup cannot join a Local Machine workgroup.
A Global Domain WorkGroup can join a Local Machine workgroup.

Local Domain workgroups
A Global Domain WorkGroup can join a Local Domain workgroup.
A Local Domain WorkGroup cannot join another Local Domain WorkGroup.

Global Domain Workgroups
A Domain User can join a Global Domain Workgroup.
A Global Domain WorkGroup cannot join another Global Domain Workgroup.

Given the above restrictions, a good arrangement is to assign users to a GLOBAL workgroup, assign ACLs to a Local Domain workgroup, and then grant rights by adding the GLOBAL workgroup to the Local Domain workgroup.

e.g. Files are stored in
\\server1\General Ledger
\\server2\Purchase Ledger

Create a Local Domain workgroup LG_Ledgers - give this group CHANGE permissions on both servers.
Create a GLOBAL workgroup GG_Ledger_Team - add this group to LG_Ledgers.

Now if a second Global Domain Workgroup needs access to the same files,
e.g. GG_Finance, just add this group to LG_Ledgers.

The advantage of this arrangement is that you can see all permissions without having to search for and look at file ACLs.
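The arrangement above, carried out with the NET and CACLS commands this page names, as an added batch example (these are not commands from the original page). It assumes a cmd prompt on a domain member, run as a domain administrator, and uses the page's own share paths and group names; the user names alice and bob are hypothetical.

```batch
@echo off
rem Added example: users -> GLOBAL group -> LOCAL domain group -> ACL.
rem Assumes a domain admin cmd prompt; alice and bob are hypothetical users.

rem 1. Local Domain workgroup that will carry the ACL entries.
net localgroup LG_Ledgers /add /domain

rem 2. Global workgroup that holds the users.
net group GG_Ledger_Team /add /domain
net group GG_Ledger_Team alice bob /add /domain

rem 3. Grant CHANGE on both folders to the LOCAL group only.
rem    /E edits the existing ACL; without it, /G REPLACES the whole ACL and
rem    every other entry is lost. /T applies the change to subfolders and files.
cacls "\\server1\General Ledger" /T /E /G LG_Ledgers:C
cacls "\\server2\Purchase Ledger" /T /E /G LG_Ledgers:C

rem 4. Nest the global group in the local group; members of
rem    GG_Ledger_Team now have CHANGE on both shares.
net localgroup LG_Ledgers GG_Ledger_Team /add /domain

rem 5. A second global group needs the same files: only the group
rem    membership changes, the file ACLs stay as they are.
net group GG_Finance /add /domain
net localgroup LG_Ledgers GG_Finance /add /domain

rem 6. Review who has access by listing the local group,
rem    with no need to search through file ACLs.
net localgroup LG_Ledgers /domain

rem Spot-check the ACL on one folder (cacls with no switches only displays it).
cacls "\\server1\General Ledger"
```

If the bare global group name is not resolved when nesting it, prefix it with the domain name (DOMAIN\GG_Ledger_Team). The /E switch on cacls is the one to check before running: cacls /G without /E silently discards every existing entry on the folder.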

The disadvantage is that LOCAL Domain Workgroups contain the domain name, so they require slightly more storage in the SAM database. Also, in a multi-domain network, local domain workgroups are only visible in one domain.



Simon Sheppard
SS64.com