Windows file server query
-
@vhinzsanchez said in Windows file server query:
@black3dynamite said in Windows file server query:
Role-based access is the way to go. This site has a good example using role-based.
http://www.yster.org/role-based-access-control/Thanks @black3dynamite, one of our directors would want to see the names themselves when checking for ACL. If I am to keyin the group, he can not see each individual. What I'm doing is the group is for Share tab and individual accounts in Permissions tab.
This doesn't make sense.
If someone wants to see who has access to a given share, then you show open up the group that has access, which shows all the members.
When you start granularly adding users to this folder that file here and there, there's no way at all to manage or audit that. You'd have to manually go through each and every folder and file properties to see who has permissions. That's got to be horrible!
For example, if you have a folder named
\\server\Accounting\invoices
:
You:- Create two groups in Active Directory:
- ACL_Accounting Invoices_READ
- ACL_Accounting Invoices_WRITE
- Assign ONLY those two groups with appropriate permissions to that "invoices" folder (in addition to the default permissions, admins group for example).
Then if your boss says, "hai who is permissions of invoices folder mang?"
Then you simply show the members of the above two groups. If someone new needs permissions, or needs permissions revoked, you simple add/remove them from one of those two groups.
- Create two groups in Active Directory:
-
@tim_g said in Windows file server query:
You don't "restart a server on another host", you fail it over to another host, reverse replication, then turn it on.
And there are even simpler solutions where you just move it from host to host and don't need to do anything at all. Just tell it which host you want it on at the moment.
-
@scottalanmiller said in Windows file server query:
@tim_g said in Windows file server query:
You don't "restart a server on another host", you fail it over to another host, reverse replication, then turn it on.
And there are even simpler solutions where you just move it from host to host and don't need to do anything at all. Just tell it which host you want it on at the moment.
Such as Live Migration... no down time.
-
@tim_g said in Windows file server query:
@scottalanmiller said in Windows file server query:
@tim_g said in Windows file server query:
You don't "restart a server on another host", you fail it over to another host, reverse replication, then turn it on.
And there are even simpler solutions where you just move it from host to host and don't need to do anything at all. Just tell it which host you want it on at the moment.
Such as Live Migration... no down time.
Right, exactly. And it is free and included with every platform including Hyper-V, KVM, Xen, Scale HC3, etc., except one... VMware.
-
@tim_g said in Windows file server query:
@vhinzsanchez said in Windows file server query:
I will need to upgrade it to 2012 R2 or 2016 (our Director is against going directly to 2016 as it may have bugs….I am for using the latest and greatest but then again, its her call—anyways, server 2018 is just around the corner )
This is extremely foolish to not go to Server 2016, especially while 2012 R2 is set to lose MS support soon.
That would not be correct.
2012 R2 is ending Mainstream support in October. But Extended Support goes until 2023.
-
Yeah, 2012 R2 is not "old", it's just not "new". Not old enough to normally worry about replacing. But definitely old enough to question why it would be deployed new without a really good reason.
-
@scottalanmiller said in Windows file server query:
Yeah, 2012 R2 is not "old", it's just not "new". Not old enough to normally worry about replacing. But definitely old enough to question why it would be deployed new without a really good reason.
I mean, I would never install it now, 2016 certainly. Unless no CALS or something in an existing environment.
But facts are facts and 2012 R2 is not even close to dead.
-
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@vhinzsanchez said in Windows file server query:
I will need to upgrade it to 2012 R2 or 2016 (our Director is against going directly to 2016 as it may have bugs….I am for using the latest and greatest but then again, its her call—anyways, server 2018 is just around the corner )
This is extremely foolish to not go to Server 2016, especially while 2012 R2 is set to lose MS support soon.
That would not be correct.
2012 R2 is ending Mainstream support in October. But Extended Support goes until 2023.
Right, but why would you want to run an OS that gets zero updates, fixes, and features... only security updates... while continuing to fall further behind, for no real reason. A jump from 2012 to 2023? No thanks!
-
@tim_g said in Windows file server query:
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@vhinzsanchez said in Windows file server query:
I will need to upgrade it to 2012 R2 or 2016 (our Director is against going directly to 2016 as it may have bugs….I am for using the latest and greatest but then again, its her call—anyways, server 2018 is just around the corner )
This is extremely foolish to not go to Server 2016, especially while 2012 R2 is set to lose MS support soon.
That would not be correct.
2012 R2 is ending Mainstream support in October. But Extended Support goes until 2023.
Right, but why would you want to run an OS that gets zero updates, fixes, and features... only security updates... while continuing to fall further behind, for no real reason. A jump from 2012 to 2023? No thanks!
There are certainly plenty of real reasons. Notably licensing is expensive, so expenses like that are scheduled and planned.
-
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@vhinzsanchez said in Windows file server query:
I will need to upgrade it to 2012 R2 or 2016 (our Director is against going directly to 2016 as it may have bugs….I am for using the latest and greatest but then again, its her call—anyways, server 2018 is just around the corner )
This is extremely foolish to not go to Server 2016, especially while 2012 R2 is set to lose MS support soon.
That would not be correct.
2012 R2 is ending Mainstream support in October. But Extended Support goes until 2023.
Right, but why would you want to run an OS that gets zero updates, fixes, and features... only security updates... while continuing to fall further behind, for no real reason. A jump from 2012 to 2023? No thanks!
There are certainly plenty of real reasons. Notably licensing is expensive, so expenses like that are scheduled and planned.
This isn't the case at all. He's upgrading anyways. Going to 2012 will cost the same as 2016 in his case (from what I can tell). He did not give any real reasons to not go to 2016 other than the misconception of it being more buggy than 2012.
-
@tim_g said in Windows file server query:
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@vhinzsanchez said in Windows file server query:
I will need to upgrade it to 2012 R2 or 2016 (our Director is against going directly to 2016 as it may have bugs….I am for using the latest and greatest but then again, its her call—anyways, server 2018 is just around the corner )
This is extremely foolish to not go to Server 2016, especially while 2012 R2 is set to lose MS support soon.
That would not be correct.
2012 R2 is ending Mainstream support in October. But Extended Support goes until 2023.
Right, but why would you want to run an OS that gets zero updates, fixes, and features... only security updates... while continuing to fall further behind, for no real reason. A jump from 2012 to 2023? No thanks!
There are certainly plenty of real reasons. Notably licensing is expensive, so expenses like that are scheduled and planned.
This isn't the case at all. He's upgrading anyways. Going to 2012 will cost the same as 2016 in his case (from what I can tell). He did not give any real reasons to not go to 2016 other than the misconception of it being more buggy than 2012.
Of course that is not the case for the OP. No one ever said it was.
But your statement was all encompassing. Oh, and false.
-
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@jaredbusch said in Windows file server query:
@tim_g said in Windows file server query:
@vhinzsanchez said in Windows file server query:
I will need to upgrade it to 2012 R2 or 2016 (our Director is against going directly to 2016 as it may have bugs….I am for using the latest and greatest but then again, its her call—anyways, server 2018 is just around the corner )
This is extremely foolish to not go to Server 2016, especially while 2012 R2 is set to lose MS support soon.
That would not be correct.
2012 R2 is ending Mainstream support in October. But Extended Support goes until 2023.
Right, but why would you want to run an OS that gets zero updates, fixes, and features... only security updates... while continuing to fall further behind, for no real reason. A jump from 2012 to 2023? No thanks!
There are certainly plenty of real reasons. Notably licensing is expensive, so expenses like that are scheduled and planned.
This isn't the case at all. He's upgrading anyways. Going to 2012 will cost the same as 2016 in his case (from what I can tell). He did not give any real reasons to not go to 2016 other than the misconception of it being more buggy than 2012.
Of course that is not the case for the OP. No one ever said it was.
But your statement was all encompassing. Oh, and false.
No, it was originally a direct response to the OP, in the context of the OP, considering only what was in the OP. Had it contained circumstances that would justify the use of 2012, I would suggest as such. But it didn't, so no reason that I could find in the OP to use 2012.
-
Of course there are reasons to use 2012... but I haven't seen the OP mention any in his case.
-
@jimmy9008 said in Windows file server query:
@vhinzsanchez
Yeah, that makes sense. Still doesnt mean the director needs to see how the ACLs are done (user/group) himself.
For example, i'd ask you to give, say, Karen, access to a share. You would go an do it. I'd not care how you do it. Thats your job to figure out.
I could ask you to report and audit for me who has access to what shares, and you would report it. I'd not need to login and check for myself... the Director has trust issues, otherwise you would do it how you see fit and report the permissions when asked.Have been called more than once when I implemented it. He would like to see who is the member of those group.
I've not changed the groupings so I can retain it in the shares tab (since he can not see the tab), but on the permissions tab, I need to individually key in the users.
-
@scottalanmiller said in Windows file server query:
Wait, what? You can't use VMware with IBM. That's literally impossible.
VMware is AMD64 only, IBM only makes Power.When I said newer, it was the later ones deployed but still old in some standards. About 2011 (the beefier one) and 2013 (the one with the 4GB RAM) consecutively. I was looking into provisioning a hyper-v for it for lower task servers which we do not have right now...those we can do without--more of IT stuff monitoring--and perhaps an additional DC.
-
@tim_g said in Windows file server query:
This doesn't make sense.
If someone wants to see who has access to a given share, then you show open up the group that has access, which shows all the members.
When you start granularly adding users to this folder that file here and there, there's no way at all to manage or audit that. You'd have to manually go through each and every folder and file properties to see who has permissions. That's got to be horrible!
For example, if you have a folder named \server\Accounting\invoices:
You:Create two groups in Active Directory:
ACL_Accounting Invoices_READ
ACL_Accounting Invoices_WRITEAssign ONLY those two groups with appropriate permissions to that "invoices" folder (in addition to the default permissions, admins group for example).
Then if your boss says, "hai who is permissions of invoices folder mang?"
Then you simply show the members of the above two groups. If someone new needs permissions, or needs permissions revoked, you simple add/remove them from one of those two groups.Got that. I also wanted to implement it badly as changing NTFS permission means I have to wait for the propagation to finish which could take a while depending on the folder size. If part of a group, no waiting.
They, the directors, usually work late out at night, some weekends and holidays. At times, usually the one which I have stated (brother of my direct boss), checks who has access to which folder.
I have gone into saying I can install a program which he can list all users and members of each group but he stopped me saying it takes extra steps for a simple task of checking who has access to that folder.
-
@tim_g said in Windows file server query:
No, it was originally a direct response to the OP, in the context of the OP, considering only what was in the OP. Had it contained circumstances that would justify the use of 2012, I would suggest as such. But it didn't, so no reason that I could find in the OP to use 2012.
Guys, from the context of my boss, it seems that she implies that 2016 is buggy and we would want to wait before upgrading. But it has been 2018 and has been patched several times and server 2019 is coming, so I think bringing in 2016 wouldn't be that hard the last time I tried.
-
@vhinzsanchez said in Windows file server query:
@scottalanmiller said in Windows file server query:
Wait, what? You can't use VMware with IBM. That's literally impossible.
VMware is AMD64 only, IBM only makes Power.When I said newer, it was the later ones deployed but still old in some standards. About 2011 (the beefier one) and 2013 (the one with the 4GB RAM) consecutively. I was looking into provisioning a hyper-v for it for lower task servers which we do not have right now...those we can do without--more of IT stuff monitoring--and perhaps an additional DC.
Oh okay, newer than really old, but quite old still. IBM has been all Power for some time now.
-
@vhinzsanchez said in Windows file server query:
@tim_g said in Windows file server query:
This doesn't make sense.
If someone wants to see who has access to a given share, then you show open up the group that has access, which shows all the members.
When you start granularly adding users to this folder that file here and there, there's no way at all to manage or audit that. You'd have to manually go through each and every folder and file properties to see who has permissions. That's got to be horrible!
For example, if you have a folder named \server\Accounting\invoices:
You:Create two groups in Active Directory:
ACL_Accounting Invoices_READ
ACL_Accounting Invoices_WRITEAssign ONLY those two groups with appropriate permissions to that "invoices" folder (in addition to the default permissions, admins group for example).
Then if your boss says, "hai who is permissions of invoices folder mang?"
Then you simply show the members of the above two groups. If someone new needs permissions, or needs permissions revoked, you simple add/remove them from one of those two groups.Got that. I also wanted to implement it badly as changing NTFS permission means I have to wait for the propagation to finish which could take a while depending on the folder size. If part of a group, no waiting.
They, the directors, usually work late out at night, some weekends and holidays. At times, usually the one which I have stated (brother of my direct boss), checks who has access to which folder.
I have gone into saying I can install a program which he can list all users and members of each group but he stopped me saying it takes extra steps for a simple task of checking who has access to that folder.
Seems that something like Netwrix must have something simpler to use. But I can see that if he is used to just using the Windows tools that learning something else seems silly. If all he's doing is auditing stuff, while odd, it seems fine.
-
@scottalanmiller said in Windows file server query:
Seems that something like Netwrix must have something simpler to use. But I can see that if he is used to just using the Windows tools that learning something else seems silly. If all he's doing is auditing stuff, while odd, it seems fine.
Not that odd, not normal for a boss to be seeing those small things but he is the one who is very particular to security of our files...I've learned to understand them and adjust.