An Administrator’s Nightmare or Easy Shortcuts.
Microsoft introduced special permissions after the release of
Windows 2000. They are a finer-grained view
of applying permissions to files and folders, allowing permission to be granted
to named groups at various permission levels.
At an individual level or in a small network, special
permissions do not create known issues; however, in a large organization the use
of special permissions creates auditing and accountability issues as well as
security management issues.
Special permissions are applied in certain areas and are not a
standard. This permission applies to a group or a person as the owner
of a folder, folder tree or files. Being the owner of a folder does not by itself grant
the person or group rights to the folder or files; it requires a proxy. In this
case the proxy is a built-in Windows SID called CREATOR OWNER, and the
permission is granted to it.
If an audit were to be performed, determining who actually has
permission to what would
become a nightmare, because the audit trail would show the permission
as granted to CREATOR OWNER. And because multiple users or groups can be creator/owners,
there would be no security accountability.
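As an added example (not part of the original post, nor ManageRED's own tooling), a PowerShell audit that walks a folder tree, lists every ACE granted to the CREATOR OWNER SID, and shows which account each one currently resolves to. The root path is an assumed placeholder.

```powershell
# Added example: find CREATOR OWNER (S-1-3-0) ACEs and report the real owner
# they resolve to. $Root is an assumed example path, not a path from the post.
param(
    [string]$Root = 'D:\Shares\Projects'
)

# Well-known SID for CREATOR OWNER; Windows resolves it to the creating
# account's SID when an inheritable ACE is copied to a new child object.
$creatorOwner = New-Object System.Security.Principal.SecurityIdentifier 'S-1-3-0'
$sidType      = [System.Security.Principal.SecurityIdentifier]

function Get-CreatorOwnerAces {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try { $acl = Get-Acl -LiteralPath $item.FullName } catch { return }

            # Explicit and inherited ACEs whose trustee is CREATOR OWNER. On a
            # container this ACE is normally inherit-only: it grants nothing to
            # the container itself, only to objects created beneath it.
            $aces = $acl.GetAccessRules($true, $true, $sidType) |
                Where-Object { $_.IdentityReference -eq $creatorOwner }

            foreach ($ace in $aces) {
                # The account this proxy stands for is the object's owner.
                # An owner SID that no longer translates (e.g. after a domain
                # migration) is itself an accountability finding.
                $ownerSid = $acl.GetOwner($sidType)
                try   { $owner = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $owner = "<unresolved $ownerSid>" }

                [pscustomobject]@{
                    Path        = $item.FullName
                    Rights      = $ace.FileSystemRights
                    AccessType  = $ace.AccessControlType
                    Inherited   = $ace.IsInherited
                    InheritOnly = ($ace.PropagationFlags -band
                                   [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0
                    ResolvesTo  = $owner
                }
            }
        }
}

Get-CreatorOwnerAces -Path $Root | Format-Table -AutoSize
```

Every row whose ResolvesTo differs is a distinct account holding the same nominal CREATOR OWNER grant, which is the accountability gap described above.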
In a migration scenario, regardless of the tool set being used
(QUEST, Microsoft, ADUM), it would be impossible to maintain coexistence
between 2 domains during migration because there can be only ONE owner.
Therefore any folder being accessed through special permissions can only be accessed
by one account from one domain at a time. In a large migration carried out
in incremental stages, the special permissions scenario would not
grant rights to folders and files from multiple domains.
The Solution
ManageRED, with ADUM 8.00 or higher, has developed a non-intrusive method
of providing coexistence across multiple domains whereby the special permission
limitation has been removed. All accounts, whether explicit or through ownership,
are granted the same permissions to files and folders without destroying the original
permissions.
This process is now incorporated into the latest update to
deal with the random use of special permissions throughout a network, without user intervention or downtime during the re-ACLing process.
Akos Sandor
Director, ManageRED Software