How to reorganize messy file servers

Imagine a company that has decided to set up a file server. After the file server is installed and a share is set up, the users create several folders, where they place their files.

With time the users notice that file sharing is easier when the files are stored on the file server, rather than stored locally on their individual computers. In addition, the IT department runs a backup every night. The number of files and folders constantly increases; therefore, it now takes a great deal of effort to find the correct folder.

Additionally, users quickly find out that it is useful to prefix their folders with numbers. This way the folder appears right on top of the list. Shortly, the folder structure looks similar to the one below:

[Image: prefixed folders]

They quickly find out that other characters are even more effective. The folder list becomes like this:

[Image: prefixed folders 2]

Soon the file server content becomes a muddled set of folders, with several folders serving the same purpose. It gets harder and harder to find the folder one needs.

How to prevent this problem


The solution to muddled file server content is quite simple. Do not permit users to create first level folders by themselves. They should always ask when they need a folder on that level.

In some environments it might be even better to fix the first level folder structure. Get together all the key users and have them decide on the folders that should be on the first level. After that, new folders could be added to the first level only exceptionally. Users must decide which first level is the most suitable for their data and then create a new folder beneath. All new folders must be created on the second level or lower.

What if you already have a file server in need of a folder restructure?

Eventually you will have to grasp the nettle. Remember, many users will resist any change. For that reason it is essential to have top management support.

Make it easy for users to give you information on which folders they use and how they should be restructured. For smaller file servers you can create a template in Word or Excel and ask them to fill in the information. For each folder on the new server they should send you the name of the folder, where it should be placed and which folders from the old server must be migrated to the new folder. Combine the information that users send to you in a spreadsheet and periodically send it back to them. If they notice that some of their folders are not marked for processing they should send you that information.

With some effort you can transform that spreadsheet into a script that can be used to copy the old file server to a new one.
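A sketch of that spreadsheet-to-script step, added here as an illustration and not taken from the original post. The CSV column names, the server names and the folder lists are constructed; the robocopy lines are only printed, and `/L` keeps them in list-only mode until it is removed.

```powershell
# Constructed sample of the combined spreadsheet, saved as CSV.
# Column names are assumptions; OldFolders is a semicolon-separated list.
$plan = @'
NewParent,NewFolder,OldFolders
Finance,Invoices,01_Invoices;!Invoices NEW
Finance,Budget,00 Budget
Quality,Deviations,_TopQualityDeviations;00 Budget
'@ | ConvertFrom-Csv

# Constructed first-level folder list of the old share. On the real server:
#   (Get-ChildItem -LiteralPath $OldRoot -Directory).Name
$oldFolders = '00 Budget', '01_Invoices', '!Invoices NEW',
              '_TopQualityDeviations', '!!Scans'

$OldRoot = '\\OLDSRV\Common'   # placeholder UNC paths
$NewRoot = '\\NEWSRV\Common'

# Flatten the plan to one row per old folder.
$map = foreach ($row in $plan) {
    foreach ($old in ($row.OldFolders -split ';')) {
        [pscustomobject]@{
            Old = $old.Trim()
            New = "$NewRoot\$($row.NewParent)\$($row.NewFolder)"
        }
    }
}

# Sanity checks before anything is copied.
$unmapped  = $oldFolders | Where-Object { $_ -notin $map.Old }   # nobody claimed it
$unknown   = $map.Old | Where-Object { $_ -notin $oldFolders }   # typo in the sheet
$ambiguous = $map | Group-Object Old | Where-Object Count -gt 1  # two destinations

"Unmapped old folders : $($unmapped -join ', ')"
"Unknown old folders  : $($unknown -join ', ')"
"Mapped more than once: $($ambiguous.Name -join ', ')"

# One robocopy line per mapping. /COPY:DAT copies data, attributes and
# timestamps but not the old ACLs, so copied files inherit the permissions
# defined on the new folder structure.
$map | ForEach-Object {
    'robocopy "{0}\{1}" "{2}" /E /COPY:DAT /XJ /R:1 /W:1 /NP /L' -f $OldRoot, $_.Old, $_.New
}
```

The three lists are what goes back to the users with the spreadsheet: unclaimed folders, names that do not exist on the old server, and folders requested by two different destinations.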

For larger file servers you might need to consider a tool designed for folder restructuring.


Tips for file server security management

Windows File Server gives you many possibilities to configure permissions. You can have one set of permissions on a parent folder and another set on sub-folder(s). You can configure some sub-folders to inherit permissions from the parent and other sub-folders to have completely different permissions. You can gather users into local groups or domain groups and then grant permissions to those groups. You can also grant permissions on folders to individual users. You can use any combination of local groups, domain groups and individual users to define permissions.
With so many options available, what is the best way to manage security on file servers?

I’ve collected some best practices I would like to share with you.

Use domain security groups to manage folder permissions.

For each folder create two domain security groups: one group for users with read only permissions and another group for users with read and write permissions. Use only those two groups to manage folder permissions. When a user needs write permissions, add him or her to the group that has write permissions. If he or she needs only read permissions, add him or her to the group with read only permissions. Users that are not members of either of those two groups do not have access to that folder. A nice benefit of this best practice is that administrators can manage permissions without touching file servers. They just add or remove users from security groups in the Active Directory.

Always use the same pattern for group names. One possible pattern is “ServerName-ShareName-FolderName-GroupType”.
An example of a group name would be “UserFiles-Common-TopQualityDeviations-RW”.

“ServerName” is the name of the server where the folder is located.
“ShareName” is the name of the share on the file server.
“FolderName” is the name of the folder, where you replace spaces with underscores or use Pascal Case.
“GroupType” describes the permissions that users in that group will have on that folder. Use letter R for read only permissions and RW (or only W) for read and write permissions.
If you decide to use only one share for all the files you can omit the share name part.

Define permissions only on one folder level.

Often users want some colleagues to have read access on a parent folder. For some sub-folders they would like to give some of those users write permissions. For some sub-folders they want only two or three people to have access and ban everybody else.
Don’t fall into that trap. A moment of inattention while you change permissions on a parent folder is enough to reset the permissions on its sub-folders. Some sensitive information could be disclosed and you will be in trouble.
Define permissions only on one folder level. All the files and folders beneath that folder inherit those permissions. When users demand different permissions for a sub-folder move that folder one level up and define unique permissions for that folder and all its sub-folders.
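A check for this rule, added here as an example that is not part of the original post: it reports every sub-folder that blocks inheritance or carries its own explicit permission entries. It assumes permissions are defined on the first level below the share root; the demo tree under the temp directory is constructed.

```powershell
function Find-PermissionDrift {
    param([Parameter(Mandatory)][string]$ShareRoot)

    # First-level folders are the one place where permissions may be defined
    # (assumption of this example). Everything beneath them should only inherit.
    foreach ($top in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
        Get-ChildItem -LiteralPath $top.FullName -Directory -Recurse |
            ForEach-Object {
                $acl      = Get-Acl -LiteralPath $_.FullName
                $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

                # Report folders that stopped inheriting or have their own entries.
                if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                    [pscustomobject]@{
                        Path               = $_.FullName
                        InheritanceBlocked = $acl.AreAccessRulesProtected
                        ExplicitEntries    = ($explicit.IdentityReference -join '; ')
                    }
                }
            }
    }
}

# Constructed demo tree in the temp directory (Windows, NTFS volume).
$root = Join-Path $env:TEMP 'acl-drift-demo'
$null = New-Item -ItemType Directory -Force -Path "$root\Finance\Invoices",
                                                  "$root\Finance\Payroll"

# Simulate a sub-folder that was given unique permissions:
# stop inheriting and keep the inherited entries as explicit copies.
icacls "$root\Finance\Payroll" /inheritance:d | Out-Null

# Payroll is reported; Invoices still inherits and is not.
Find-PermissionDrift -ShareRoot $root | Format-List
```

Run against the real share on a schedule, an empty result means the one-level rule still holds; each reported folder is a candidate for moving one level up, as described above.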

Define the “owner” of each folder

Each folder should have an owner. The owner is a person that is responsible for the contents of the folder. This is also a person that has to approve all security changes for that folder. When some users ask for access to a folder, administrators should ask the owner to approve the change before they make it. It would be even better if you have the user ask the owner to request the change.
Put the owner information in the comments field of the Active Directory security group. This way you don’t have to maintain a separate list of folders and owners. Administrators have the information readily available when they open a group properties window.
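The naming pattern and the owner note from the sections above combined in one added example, which is not the author's own script. Storing the owner in the group's Description attribute, the DomainLocal scope, the OU path, the owner name and the character and length checks are assumptions of this example.

```powershell
function Get-FolderGroupSpec {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [string]$ShareName,                      # omit when only one share is used
        [Parameter(Mandatory)][string]$FolderName,
        [Parameter(Mandatory)][string]$Owner
    )
    # Pascal Case: capitalise the first letter of each word, then drop the spaces.
    $words  = $FolderName -split '\s+' | Where-Object { $_ }
    $folder = -join ($words | ForEach-Object { $_.Substring(0, 1).ToUpper() + $_.Substring(1) })

    # "-" separates the parts of the name, so it must not appear in the folder part.
    if ($folder -notmatch '^\w+$') {
        throw "Folder name '$FolderName' contains characters this pattern cannot carry."
    }
    $prefix = (@($ServerName, $ShareName, $folder) | Where-Object { $_ }) -join '-'

    foreach ($type in ([ordered]@{ R = 'read only'; RW = 'read and write' }).GetEnumerator()) {
        $name = "$prefix-$($type.Key)"
        if ($name.Length -gt 64) {               # AD common names are limited to 64 characters
            throw "Group name '$name' is longer than 64 characters."
        }
        [pscustomobject]@{
            Name        = $name
            Description = "Owner: $Owner ($($type.Value))"
        }
    }
}

# Constructed input matching the example name in the text.
$specs = Get-FolderGroupSpec -ServerName 'UserFiles' -ShareName 'Common' `
             -FolderName 'Top quality deviations' -Owner 'Jane Doe'
$specs | Format-Table -AutoSize

# Needs the RSAT ActiveDirectory module and a domain session; skipped otherwise.
# -WhatIf only reports what would be created.
if (Get-Command New-ADGroup -ErrorAction SilentlyContinue) {
    foreach ($s in $specs) {
        $params = @{
            Name          = $s.Name
            SamAccountName = $s.Name
            GroupCategory = 'Security'
            GroupScope    = 'DomainLocal'
            Path          = 'OU=FileServerGroups,DC=example,DC=com'   # placeholder OU
            Description   = $s.Description
        }
        New-ADGroup @params -WhatIf
    }
}
```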
