Adjusting permissions on ACL shares

This page is intended for university system administrators.

General information about ACL Shares can be found at the following page.

Adjust permissions on folders

System administrators can adjust the NTFS permissions on the folders in an ACL share.
We recommend doing this as little as possible, and only when there is a real need, for example when sensitive data in certain subfolders has to be protected.
Access to an ACL share is already restricted at the share level, so changing permissions on folders within the share is usually unnecessary.
Customizing permissions on folders requires good planning and a thorough understanding of the many options that NTFS permissions offer.

For new shares, the 'Domain Users' group has full control permissions on the root of the share. Domain Users is a general group that everyone is a member of. However, access to the share itself is limited to certain users or groups, so users without access to the share cannot see its contents at all.

Best practices

There are many options for setting the permissions on an ACL Share. The way in which the permissions are structured on a share depends on the specific needs.

Some best practices:

Example procedure

The following procedure is a fictional example for department 'XX99' with an ACL share 'XX99Share' and shows how permissions can be set based on Active Directory groups.

  1. Create role groups in Active Directory for the different teams of the department:
    - XX99.GGU.Secretariat
    - XX99.GGU.ResearchGroup1
    - XX99.GGU.ZAP
    To create groups in Active Directory you need an AD admin account ('Admin + login name').
    You can then create groups and manage the members via 'AD Users and Computers' on Athena.

    AD Groups OU

  2. Create a permission group with all users who need access to the share.
    - XX99.LGP.Share.XX99Share
    Ask the helpdesk to give this group access to the share.
  3. Create a permission group with all users who will have full control permissions on the share.
    - XX99.LGP.Share.XX99Share.FullControl
  4. Create a permission group for each subfolder in the root of the share.
    - XX99.LGP.Share.XX99Share.TestMap to access the subfolder 'TestMap'.
  5. Add role groups or users to these permission groups.
    For example, make role group 'XX99.GGU.ResearchGroup1' a member of permission group 'XX99.LGP.Share.XX99Share.TestMap'.
    Note: changes in group membership will only become effective from the next logon.
  6. Mount the share with an admin account:
    If the share is located on 'ACLfiler':
      net use l: \\aclfiler\XX99Share /u:ugent\Admin<login>
    If the share is located on 'Isilon': ACL shares:
      net use l: \\\XX99Share /u:ugent\Admin<login>
  7. Set permissions on the root of the share.
    The following commands give the FullControl group inheritable full control, then replace the existing 'Domain Users' full control entry with read-and-execute (RX) access that applies to the root folder only (no (OI)(CI) inheritance flags), so that ordinary users cannot create new folders in the root of the share.
      icacls "\\aclfiler\XX99Share" /grant "UGent\XX99.LGP.Share.XX99Share.FullControl":(OI)(CI)F
      icacls "\\aclfiler\XX99Share" /remove "UGent\Domain Users"
      icacls "\\aclfiler\XX99Share" /grant:r "UGent\Domain Users":(RX)
  8. Create the subfolders on the root of the share and give the corresponding AD group modify permissions:
      mkdir "\\aclfiler\XX99Share\TestMap"
      icacls "\\aclfiler\XX99Share\TestMap" /grant:r "UGent\XX99.LGP.Share.XX99Share.TestMap":(OI)(CI)M
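After steps 7 and 8 have been carried out, the resulting ACLs can be checked against the intended layout. The following PowerShell script is an added example and not part of this page's procedure; it assumes the share root '\\aclfiler\XX99Share' and the group naming convention from the example above, and reports any deviation: a 'Domain Users' entry on the root that allows creating files or folders or that is inheritable, a missing inheritable Full Control entry for the FullControl group, or a subfolder without an inheritable Modify entry for its own permission group.

```powershell
# Added audit script (not part of the original procedure). Assumed names: share root
# \\aclfiler\XX99Share and groups UGent\XX99.LGP.Share.XX99Share.<FullControl|Folder>.
param(
    [string]$ShareRoot   = '\\aclfiler\XX99Share',
    [string]$GroupPrefix = 'UGent\XX99.LGP.Share.XX99Share'
)
$R = [System.Security.AccessControl.FileSystemRights]
$BothInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# Explicit (non-inherited) Allow entries for one identity on a folder.
# String comparison is case-insensitive, so 'UGENT\...' and 'UGent\...' both match.
function Get-ExplicitAllow([string]$Path, [string]$Identity) {
    (Get-Acl -Path $Path).Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity
    }
}

$findings = @()

# Step 7: Domain Users may only read the root itself; nothing inheritable, no create rights.
foreach ($ace in (Get-ExplicitAllow $ShareRoot 'UGent\Domain Users')) {
    if ($ace.FileSystemRights -band ($R::CreateFiles -bor $R::CreateDirectories)) {
        $findings += "root: Domain Users can create files/folders ($($ace.FileSystemRights))"
    }
    if ($ace.InheritanceFlags -ne 'None') {
        $findings += "root: Domain Users entry is inheritable ($($ace.InheritanceFlags))"
    }
}
$fc = Get-ExplicitAllow $ShareRoot "$GroupPrefix.FullControl" | Where-Object {
    $_.FileSystemRights -eq $R::FullControl -and $_.InheritanceFlags -eq $BothInherit
}
if (-not $fc) { $findings += "root: $GroupPrefix.FullControl lacks inheritable Full Control" }

# Step 8: every subfolder needs an inheritable Modify entry for its own permission group,
# e.g. TestMap -> UGent\XX99.LGP.Share.XX99Share.TestMap.
foreach ($dir in Get-ChildItem -Path $ShareRoot -Directory) {
    $grp = "$GroupPrefix.$($dir.Name)"
    $ok = Get-ExplicitAllow $dir.FullName $grp | Where-Object {
        (($_.FileSystemRights -band $R::Modify) -eq $R::Modify) -and
        $_.InheritanceFlags -eq $BothInherit
    }
    if (-not $ok) { $findings += "$($dir.Name): no inheritable Modify entry for $grp" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "ACLs on $ShareRoot match the expected layout." }
```

Run it with an account that can read the share's ACLs (the same admin account used to mount the share); subfolders that intentionally use a different group than the naming convention will be reported and can be reviewed by hand.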