Windows file server query
-
Of course there are reasons to use 2012... but I haven't seen the OP mention any in his case.
-
@jimmy9008 said in Windows file server query:
@vhinzsanchez
Yeah, that makes sense. Still doesnt mean the director needs to see how the ACLs are done (user/group) himself.
For example, i'd ask you to give, say, Karen, access to a share. You would go an do it. I'd not care how you do it. Thats your job to figure out.
I could ask you to report and audit for me who has access to what shares, and you would report it. I'd not need to login and check for myself... the Director has trust issues, otherwise you would do it how you see fit and report the permissions when asked.Have been called more than once when I implemented it. He would like to see who is the member of those group.
I've not changed the groupings so I can retain it in the shares tab (since he can not see the tab), but on the permissions tab, I need to individually key in the users.
-
@scottalanmiller said in Windows file server query:
Wait, what? You can't use VMware with IBM. That's literally impossible.
VMware is AMD64 only, IBM only makes Power.When I said newer, it was the later ones deployed but still old in some standards. About 2011 (the beefier one) and 2013 (the one with the 4GB RAM) consecutively. I was looking into provisioning a hyper-v for it for lower task servers which we do not have right now...those we can do without--more of IT stuff monitoring--and perhaps an additional DC.
-
@tim_g said in Windows file server query:
This doesn't make sense.
If someone wants to see who has access to a given share, then you show open up the group that has access, which shows all the members.
When you start granularly adding users to this folder that file here and there, there's no way at all to manage or audit that. You'd have to manually go through each and every folder and file properties to see who has permissions. That's got to be horrible!
For example, if you have a folder named \server\Accounting\invoices:
You:Create two groups in Active Directory:
ACL_Accounting Invoices_READ
ACL_Accounting Invoices_WRITEAssign ONLY those two groups with appropriate permissions to that "invoices" folder (in addition to the default permissions, admins group for example).
Then if your boss says, "hai who is permissions of invoices folder mang?"
Then you simply show the members of the above two groups. If someone new needs permissions, or needs permissions revoked, you simple add/remove them from one of those two groups.Got that. I also wanted to implement it badly as changing NTFS permission means I have to wait for the propagation to finish which could take a while depending on the folder size. If part of a group, no waiting.
They, the directors, usually work late out at night, some weekends and holidays. At times, usually the one which I have stated (brother of my direct boss), checks who has access to which folder.
I have gone into saying I can install a program which he can list all users and members of each group but he stopped me saying it takes extra steps for a simple task of checking who has access to that folder.
-
@tim_g said in Windows file server query:
No, it was originally a direct response to the OP, in the context of the OP, considering only what was in the OP. Had it contained circumstances that would justify the use of 2012, I would suggest as such. But it didn't, so no reason that I could find in the OP to use 2012.
Guys, from the context of my boss, it seems that she implies that 2016 is buggy and we would want to wait before upgrading. But it has been 2018 and has been patched several times and server 2019 is coming, so I think bringing in 2016 wouldn't be that hard the last time I tried.
-
@vhinzsanchez said in Windows file server query:
@scottalanmiller said in Windows file server query:
Wait, what? You can't use VMware with IBM. That's literally impossible.
VMware is AMD64 only, IBM only makes Power.When I said newer, it was the later ones deployed but still old in some standards. About 2011 (the beefier one) and 2013 (the one with the 4GB RAM) consecutively. I was looking into provisioning a hyper-v for it for lower task servers which we do not have right now...those we can do without--more of IT stuff monitoring--and perhaps an additional DC.
Oh okay, newer than really old, but quite old still. IBM has been all Power for some time now.
-
@vhinzsanchez said in Windows file server query:
@tim_g said in Windows file server query:
This doesn't make sense.
If someone wants to see who has access to a given share, then you show open up the group that has access, which shows all the members.
When you start granularly adding users to this folder that file here and there, there's no way at all to manage or audit that. You'd have to manually go through each and every folder and file properties to see who has permissions. That's got to be horrible!
For example, if you have a folder named \server\Accounting\invoices:
You:Create two groups in Active Directory:
ACL_Accounting Invoices_READ
ACL_Accounting Invoices_WRITEAssign ONLY those two groups with appropriate permissions to that "invoices" folder (in addition to the default permissions, admins group for example).
Then if your boss says, "hai who is permissions of invoices folder mang?"
Then you simply show the members of the above two groups. If someone new needs permissions, or needs permissions revoked, you simple add/remove them from one of those two groups.Got that. I also wanted to implement it badly as changing NTFS permission means I have to wait for the propagation to finish which could take a while depending on the folder size. If part of a group, no waiting.
They, the directors, usually work late out at night, some weekends and holidays. At times, usually the one which I have stated (brother of my direct boss), checks who has access to which folder.
I have gone into saying I can install a program which he can list all users and members of each group but he stopped me saying it takes extra steps for a simple task of checking who has access to that folder.
Seems that something like Netwrix must have something simpler to use. But I can see that if he is used to just using the Windows tools that learning something else seems silly. If all he's doing is auditing stuff, while odd, it seems fine.
-
@scottalanmiller said in Windows file server query:
Seems that something like Netwrix must have something simpler to use. But I can see that if he is used to just using the Windows tools that learning something else seems silly. If all he's doing is auditing stuff, while odd, it seems fine.
Not that odd, not normal for a boss to be seeing those small things but he is the one who is very particular to security of our files...I've learned to understand them and adjust.
-
@vhinzsanchez said in Windows file server query:
@scottalanmiller said in Windows file server query:
Seems that something like Netwrix must have something simpler to use. But I can see that if he is used to just using the Windows tools that learning something else seems silly. If all he's doing is auditing stuff, while odd, it seems fine.
Not that odd, not normal for a boss to be seeing those small things but he is the one who is very particular to security of our files...I've learned to understand them and adjust.
If he really wants security, maybe moving away from SMB shares would be ideal
Not that SMB can't be secured, but it is harder to lock down than more modern approaches. -
@scottalanmiller said in Windows file server query:
If he really wants security, maybe moving away from SMB shares would be ideal Not that SMB can't be secured, but it is harder to lock down than more modern approaches.
Its the way things are...I approached my direct boss and opened up DMS but she said she knows DMS and it is just an unnecessary cost/process (something as not just worth it) as we already have a working solution. If she sees that it may save atleast 35% of the process it will be worth investing into, but on her experience (she worked with IBM for quite some time and, as I can tell, she has been up that corporate ladder but am unsure how far--gaining experience, before leaving to take on our company). That's how we got in touch with VMWare, she directly contacted one of the regional heads and to schedule a meeting/presentation.
-
@vhinzsanchez said in Windows file server query:
That's how we got in touch with VMWare, she directly contacted one of the regional heads and to schedule a meeting/presentation.
She didn't learn much from IBM.
We definitely didn't turn to sales people when we needed to determine how to do things. That's totally the opposite of what IBM was like when I was there. We knew the tech, and only used what was needed.Maybe that's why she's not there any longer.
-
I think the original questions has been answered. Thanks a lot guys, but if you still have any ideas or would like to chime in, pls. do so.
Will still continue to use:
- Roaming Profiles
- Folder Redirection
More research if suitable:
- Offline Files - mostly suitable as we have been doing it -- proceed with caution?
- Access-Based Enumeration - good feature, have not heard of anything negative...yet
- Data Deduplication - Good to have, no problems here but others have horror stories -- test and proceed with caution.
good to have but on a single file server, doesn't make any sense
- DFS-Namespace
- DFS-Replication
Do not do it! Not enterprise ready or is inferior to VMWare VSAN:
- Storage Spaces
- Storage Spaces Direct
-
@vhinzsanchez said in Windows file server query:
I think the original questions has been answered. Thanks a lot guys, but if you still have any ideas or would like to chime in, pls. do so.
Will still continue to use:
- Roaming Profiles
- Folder Redirection
Those are generally fine.
-
@scottalanmiller said in Windows file server query:
She didn't learn much from IBM. We definitely didn't turn to sales people when we needed to determine how to do things. That's totally the opposite of what IBM was like when I was there. We knew the tech, and only used what was needed.
Maybe that's why she's not there any longer.She's more on Financial dept rather than Operational from what I heard.
-
@vhinzsanchez said in Windows file server query:
More research if suitable:
- Offline Files - mostly suitable as we have been doing it -- proceed with caution?
yes, often overkill and can be flaky.
-
@vhinzsanchez said in Windows file server query:
@scottalanmiller said in Windows file server query:
She didn't learn much from IBM. We definitely didn't turn to sales people when we needed to determine how to do things. That's totally the opposite of what IBM was like when I was there. We knew the tech, and only used what was needed.
Maybe that's why she's not there any longer.She's more on Financial dept rather than Operational from what I heard.
That actually makes it dramatically worse, not better. Finance, more than anyone, should know how business financial relationships work and never make a mistake of that nature. Pure IT people are often clueless as to how human interactions work and are sometimes excused for missing out on the dynamics.
-
@vhinzsanchez said in Windows file server query:
- Data Deduplication - Good to have, no problems here but others have horror stories -- test and proceed with caution.
I'd word that differently. more like...
Possibly good to have, but not normally. Generally isn't terrible, but rarely worth it.
-
@vhinzsanchez said in Windows file server query:
good to have but on a single file server, doesn't make any sense
- DFS-Namespace
- DFS-Replication
Definitely worthless in your scenario. but "good to have" isn't true. They have their place but it's not that common and they bring problems. Like dedupe, unless you have a specific need, you should be avoiding. They are there to fix problems, if you don't have those problems, you don't want them.
-
@scottalanmiller said in Windows file server query:
I'd word that differently. more like...
Possibly good to have, but not normally. Generally isn't terrible, but rarely worth it.Thanks, will keep that in mind.
-
@vhinzsanchez said in Windows file server query:
Do not do it! Not enterprise ready or is inferior to VMWare VSAN:
- Storage Spaces
- Storage Spaces Direct
This is true, but it's also important for broader decision making to keep in mind that they are also inferior to free solutions, as well.
