This may sound like a ridiculous question however, I am on this project and the file shares and SG placements just seem out of the norm to me.
First off, they've created a "High Level" security group which can access all the folders within the share then, added security groups designed to only access certain folders within this share to the High Level security group, and proceeded to modify permissions on each folder within that share to restrict user access. When these users assigned to the security groups other than the High Level SG login, they are presented with all the folders found within the share. Example:
\\someserver\D\shares$
Within Shares we have Folders A, B, C, D, E to which SG1 has only access to A, B, C and SG2 access to D, E and of course SG1 (which I am calling the High Level SG) has access to all the shares. Doing so, the "techs" behind this design, removed Administrator as owner to all the shared folder causing anyone with Admin level rights being forced to take ownership before they can work with inside the shared folders.
So when a user from SG1 logs in, the network drives map automatically via script (Let's call this S Drive") all the users see all the folders within the Share and claim by adjusting the NT file permissions on each individual folder is "locking down" the share allowing access to the specified folders the end user is to have rights to.
This seems quite a bit drastic to me since, now the end users can see all the shares.
Now all users login script for the "S Drive" point to \\someserver\D\shares$.
Wouldn't the safer way to do this is simply apply SG1, and SG2 to the associated folders within the share the user needs access to so that, when the user of a given SG logs in they only see either Folders A, B, C for SG1 or Folders D, E for SG2 but not all folders belonging to SG's they shouldn't have access to. Isn't this correct?
Meanwhile, Admins logging into the File Server/or Mapped Drive, remember the last scenario does not include removing "Administrator" from the folders within the share would have access to A, B, C, D, E without having to take individual ownership of each folder to provide access for assistance as an example..
What this group is saying without applying their High Level procedure as explained in the beginning of this question each end user would have to be mapped to separate drives to access each of the shares they have permissions to...
I hope this makes sense as, it really doesn't to me, I have always applied security groups to a share to the folders they needed access to and that's it and when the end user logged in and the share gets mapped (S drive for this example) not only do they have visibility and access of folders their SG is assigned to but, the others will not be visible hence, locking down the share. I mean why show someone something they aren't supposed to have access to in the first place... has something changed?
