Controlling access to your company’s folders

If your company’s computers are part of a domain you enjoy many benefits that your workgroup counterparts do not. One of these benefits is the ability to restrict data stored on the server. Before we talk about that, however, it might be helpful to know if you are part of a domain or a workgroup.

What is a domain?

Windows domains provide network administrators with a way to manage a large number of PCs and control them from one place. One or more servers — known as domain controllers — have control over the domain and the computers on it.

When a computer is joined to a domain, it doesn’t use its own local user accounts. User accounts and passwords are managed on the domain controller. When you log into a computer on that domain, the computer authenticates your user account name and password with the domain controller. This means you can log in with the same username and password on any computer joined to the domain.

Network administrators can change group policy settings on the domain controller. Each computer on the domain will get these settings from the domain controller and they’ll override any local settings users specify on their PCs. All the settings are controlled from a single place. This also “locks down” the computers. You probably won’t be allowed to change many system settings on a computer joined to a domain.

Is my computer part of a domain?

If you have a home computer, it’s almost certainly not part of a domain. You could set up a domain controller at home, but there’s no reason to do this unless you really want the experience. If you use a computer at work or school, there’s a good chance your computer is part of a domain. If you have a laptop provided to you by your work or school, it may also be part of a domain.

You can quickly check whether your computer is part of a domain or not. Open the Control Panel, click the System and Security category, and click System. Look under “Computer name, domain and workgroup settings” here. If you see Domain: followed by the name of a domain, your computer is joined to a domain.

If you see Workgroup: followed by the name of a workgroup, your computer is joined to a workgroup instead of a domain. Note: in the picture below the name of the workgroup is Workgroup. Your workgroup might be named something else.

Read more about domains

Managing folder access in a domain

Domains are most prevalent in a business setting where multiple users must have access to the same files. In a domain, the domain administrator can control access to those files by placing them in folders and then restricting folder access to specified users. For example, you may want only HR people to have access to the Company Salaries folder or you may want to restrict the Company Financials folder to the company executives. If your company does research and development and there’s probably no reason for the sales staff to have access to lab results or for the maintenance department to see next year’s projected sales. In a domain, folder access can be controlled by placing users in security groups.

What is a security group

A security group is very much like a club. Each group has a name and a list of members. The name can be anything but usually reflects the purpose of the group. For example, you might have a group named Sales Team and its members would be members of the sales staff. The membership list is made up of usernames – like the one you use to log into your computer every day. Once a group has been created it can then be given folder permissions.

If you have a folder on the server named Sales, you could edit the security properties for the folder giving the Sales Team group permissions to view and open files and to edit and save files in that folder. Only those groups or user accounts listed in the permissions list can work with the Sales folder and each group or user account will be limited to the specific permissions you assign.

Why use groups at all

If we can just assign permissions to individual users, why do we need groups? The answer has to do with keeping things organized and manageable. If you don’t use groups and instead assign individual user permissions things can quickly become unwieldly. For example, if the sales staff has 10 members and all 10 members have access to 10 folders, that’s 100 items you have to manage. If someone leaves the sales staff or if someone else is hired, then you must add or remove those users from all 10 folders.

On the other hand, if those 10 sales members belong to a single group, you only have to establish permissions for that 1 group on each of the 10 folders. Instead of trying to keep 10 folders with 10 accounts organized, you only have to work with 10 folders and 1 group. If someone leaves the sales staff, you just remove him from the group and, just like that, he is also removed from the 10 folders.

Different strokes for different folks

We aren’t limited to adding a single group to a folder’s permissions list. You can add multiple groups and give each group a different set of permissions. For example some groups may only be able to view the files in a folder but not open them. Maybe you want one group to be able to open the files but not modify them (save changes). If you set things up this way, it’s very easy to give a user less restrictive access by moving him to a less restrictive group. After you’ve given your groups permissions to a folder you shouldn’t have to revisit the permissions setup again. When you manage group memberships the folder permissions take care of themselves.

Pay no attention to that man behind the curtain

Every Windows domain has a built in Administrators group. By default, this group has full control over all folders. In many cases that group has only one member: administrator. We think it’s a good strategy to allow administrator access to all folders, even the highly sensitive ones. After all, when something breaks someone has to fix it and the network admin is always the first one called. Allowing the administrator access to everything just makes it all easier to, well, administer.

We can help

TekResults would love to help you make your business more security efficient. Give is a call to schedule a no-obligation visit and we’ll show you how to get started.