I have to enforce NTFS permissions based on business roles. Each role (group in ADS) can be granted the permission to read or write a file server directory. I do not care about share permissions. I care about permissions stored in the NTFS. I have to ensure that the NTFS permissions are compliant with the policy. An entry in the policy could be, for example:

- Users in the Support group have read access to the 'corporate-template' folder and write access to the 'support' folder.
- Users in the Controlling group have read access to all but the 'management' folders and write access to the 'controlling' folder.

The compliance check should be done automatically. If the compliance check finds any violations of the policy, the permissions must be corrected automatically. How can this be done?

As far as I can see, Windows does not provide such functionality. I found some products that can report NTFS permissions, but I cannot find a solution for an automatic reconciliation. What is the preferred way to do such a reconciliation in a Windows domain?
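
One way to sketch the reconciliation the question describes, as an added PowerShell example that is not part of the original post: the policy is held as data, each folder's explicit ACEs for the role groups are compared against it, and deviations are removed or added. Assumptions: the share root `D:\Shares`, the domain name `CORP`, the helper name `Repair-FolderAcl`, the mapping of "read" to `ReadAndExecute` and "write" to `Modify`, and that only explicit ACEs on the top-level folders are managed.

```powershell
# Constructed policy: share root, domain (CORP) and group names are placeholders.
$Policy = @(
    @{ Path = 'D:\Shares\corporate-template'; Group = 'CORP\Support';     Rights = 'ReadAndExecute' }
    @{ Path = 'D:\Shares\support';            Group = 'CORP\Support';     Rights = 'Modify' }
    @{ Path = 'D:\Shares\corporate-template'; Group = 'CORP\Controlling'; Rights = 'ReadAndExecute' }
    @{ Path = 'D:\Shares\controlling';        Group = 'CORP\Controlling'; Rights = 'Modify' }
)
$Managed = $Policy | ForEach-Object { $_.Group } | Sort-Object -Unique
$Sync    = [System.Security.AccessControl.FileSystemRights]::Synchronize
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Repair-FolderAcl {
    param([string]$Path, [object[]]$Entries, [switch]$Apply)
    $acl = Get-Acl -LiteralPath $Path
    $satisfied = @(); $changes = @()
    # Explicit ACEs of managed role groups; inherited ACEs and other principals are left alone.
    $current = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $Managed -contains $_.IdentityReference.Value })
    foreach ($ace in $current) {
        $match = $Entries | Where-Object {
            $_.Group -eq $ace.IdentityReference.Value -and $ace.AccessControlType -eq 'Allow' -and
            $ace.InheritanceFlags -eq $Inherit -and
            ($ace.FileSystemRights -bor $Sync) -eq
                ([System.Security.AccessControl.FileSystemRights]$_.Rights -bor $Sync) } |
            Select-Object -First 1
        if ($match) { $satisfied += $match.Group }
        else {
            $acl.RemoveAccessRuleSpecific($ace)   # ACE not backed by the policy
            $changes += "remove $($ace.IdentityReference) $($ace.FileSystemRights)"
        }
    }
    # Policy entries with no matching ACE on the folder are added.
    foreach ($e in @($Entries | Where-Object { $satisfied -notcontains $_.Group })) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $e.Group, $e.Rights, $Inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule); $changes += "add $($e.Group) $($e.Rights)"
    }
    if ($changes -and $Apply) { Set-Acl -LiteralPath $Path -AclObject $acl }
    [pscustomobject]@{ Path = $Path; Compliant = -not $changes; Changes = $changes -join '; ' }
}

# Check every top-level folder so grants on folders the policy does not mention are caught too.
Get-ChildItem -LiteralPath 'D:\Shares' -Directory | ForEach-Object {
    $dir = $_.FullName
    Repair-FolderAcl -Path $dir -Entries @($Policy | Where-Object { $_.Path -eq $dir })  # add -Apply to correct
}
```

Without `-Apply` the function only reports what it would change, which gives a compliance report; with `-Apply` it writes the corrected ACL back. Explicit ACEs on subfolders below the top level are not examined by this sketch.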