Overview
We have been working on getting our numerous sites to map share drives for each user that needs access to their sites. We have no way of standardizing this from within their AD profile as some users move around a lot and end up not telling IT until they need access to a particular site share drive. In turn we have created security groups for each site and will be using this as an item-level target within a Group Policy at the root of our AD structure for the sites, hoping it will trickle down and give only those in the security groups the drives they need.
System Information
Operating System: Windows Server 2016
The following relates to four machines across two DCs
Domain Controllers (GPO, Active Directory)
Operating System: NetApp which will be replaced in the near future with Nutanix Files.
Share Drives for each of our sites under the root and no sub-share's as the users will be populating these shared folders with whatever files they use/create
Structure
We map a drive to our users that connects to our NetApp appliance.
The NetApp appliance has subfolders based on each site name, which in turn have whatever the users put in these folders. The structure looks similar to the following:
NetApp Shares
├── Site 1
├── Site 2
├── Site 3
├── Site 4
├── Site 5
We have multiple Security Groups, such as the following:
Site1-ShareDrive
Site2-ShareDrive
Site3-ShareDrive
Site4-ShareDrive
Site5-ShareDrive
Within said security groups we have users who might not natively be in that Site's OU, as some manage multiple sites, or move around often and need multiple sites within their division.
Example:
Site1-ShareDrive
├── User13
├── User20
├── User33
├── User42
├── User51
Site4-ShareDrive
├── User13
├── User22
├── User23
├── User1
├── User5
├── User3
├── User100
Site9-ShareDrive
├── User13
├── User22
├── User23
├── User1
├── User53
├── User54
├── User545
AD Structure:
All Sites
├── Division-1
| ├── Site 1
| ├── Site 2
├── Division-2
| ├── Site 3
| ├── Site 4
| ├── Site 5
├── Division-3
| ├── Site 6
| ├── Site 7
| ├── Site 8
├── Division-4
| ├── Site 9
| ├── Site 10
For Group Policy we would like to place the policies at the "All Site" level to theoretically trickle down to the entire structure, but only have them applied based on if the users are in the security group being targeted
Issue
Within Group Policy we are creating new policies for each site that have an item-level target to that specific site's security group
For example:
User1 belongs to the following groups:
Managers
Site1-ShareDrive
Site9-ShareDrive
User 13 belongs to the following groups:
Partner
Site1-ShareDrive
Site4-ShareDrive
Site9-ShareDrive
Logically, the following should be our setup:
User1
should only have access to \\example.com\Shares\Site1 and \site9
User13
should only have access to \\example.com\Shares\Site1, \site4 and \site9
Unfortunately, this problem exists on a much larger scale when you add in the fact that some users who might be managers only need one site, where as other managers might need more sites and partners access to their division they are in charge of. The other issue we are running into is some sites are a cooperation between divisions, which is why some users outside their division OU need access to another division sites share drives. Aside from adding them to these security groups going down to the file level for NTFS permissions at this time will be a nightmare, as we are using an old NetApp appliance that actually is being EOL soon by our vendor. We have no timeline on when we will be migrating to a new platform yet.
Additionally
We would prefer to hide any folders that users don't have access to. In the example above, for example, User1 would not even know about the existence of \example.com\Shares\Site8 since the user doesn't belong to the respective security groups
We would like to be able to apply some security groups according to the site the user needs. Along with placing an item-level target on that security group. Our current OU structure resembles the following:
Example OU structure
All Sites
Site 1
User13
Site 4
User1
Site 9
User545
Questions
- How can we ensure that our structure works with Item-Level Targeting? (i.e. GP: 'Site1-ShareDrive Access' would have "\example.com\shares\Site1" drive being mapped via "Update" and "Reconnect" Checked, along with "Run in user security context" and "Item-Level Target" set to "Site1-ShareDrive", with it linked to "All Sites")?
- If some of the above are not possible, how can we ensure ease-of-use for our users, while increasing IT productivity?