If you follow MS's AGLP (AGDLP for AD) rules you can limit this somewhat.
Assign users to Global Groups, add Global Groups to Local (DOMAIN Local in
AD) and only assign permissions to the local groups.  You create the
appropriate local groups (eg read access, write etc) and only assign
permissions once to these groups.  Any user changes are done through removal
of uses from the Global groups or GG from local groups which doesn't trigger
any ACL changes on the files so no extra backups are done.  As far as
initial security lockdown, this should be done at server setup.

Tim Rushforth
City of Winnipeg

-----Original Message-----
From: Jim Kirkman [mailto:jmk AT EMAIL.UNC DOT EDU]
Sent: March 7, 2003 8:31 AM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: Windows ACL changes

So,

In these security conscious times, some Windows admins are embarking on
a mission to 'tighten up' things by removing the Everyone group and
doing various other rights changes on a number of servers. I guess the
backed up files need to reflect the proper rights, but I'm not really
thrilled with the additional backup load. Any ways around that?

thanks,

--
Jim Kirkman
AIS - Systems
UNC-Chapel Hill
966-5884