I’ve just recently started a new job in a company with an existing 2K3 AD setup. The company started small, and has grown rapidly.
During the earlier stages, security and ACLs were fairly relaxed, with the default fairly “wide-open” browse access to drives, folders etc. for Domain Users left as is, as users were all company employees – only select folders (e.g. HR department, senior admin etc.) have inheritance deliberately broken, and effectively “deny” rights imposed.
We’re now into a situation where some outside consultants need periodic access to files (not apps) on our network. The intent is to allow them in via AD (they already have accounts [and separate groups] for when they work onsite), but to limit what they can actually see/browse, to one key share out of many located across 20 servers – in other words, deny ‘em everything except access to “Common”.
The thought of having to march across the LAN & WAN every time there’s a change like this makes me shudder. I’m thinking this has to be a great job for a script, but don’t know where to start.
Can you help point me in the right direction?