Share Permissions Structure for Smarties
Written by K.K   
Wednesday, 01 April 2009 00:00


Have you ever taken the time to analyze the current shared-folder environment in your network? If you have, the chances are good that you were quickly dumbfounded by how unclear and complex your share and permissions structure has become. Time has a way of confounding even the best-laid plans of systems administrators and men, and network shares are a notoriously difficult can of worms to keep simple. There are some ways to get around this, however, provided, of course, that you are prepared to roll up your sleeves and redo your shared folders from the ground up.

Keep it simple and keep it flat. Huh? What does he mean by that? I’ll tell you what I mean by that.

First of all, it is important that you are willing to work with a standard group of basic, “first-level” permissions which will be applied to all shared folders throughout your network. It is understood that System and Administrators will have full control. Having said this, a global Deny Group should also be assigned to every share. Should a user ever need to be denied permissions immediately, for instance, adding this person to such a group is much faster than identifying and removing this user from all the other groups he or she may belong to. The “flow down” of permissions can also take considerable time in this second scenario.

You’ve heard of the KISS principle, right? Keep it simple stupid, oops, I mean sweetheart. Well, that principle certainly applies to network shares. A simple permissions structure is, quite simply, simpler to manage than a complex one. Why start out using 30 security groups to assign permissions to a share when you can use 3 instead? Sure, these 30 groups might already exist as organizational bodies elsewhere and therefore be tempting to grab as-is, but will you really be saving yourself any work by doing so? Hardly. Setting up three dedicated groups for the share in question (read, write and deny, for instance), security groups above and beyond the three “first-level” groups I mentioned before, will save you time in the end: management’s continually changing and often unrealistic wishes about share permissions for their employees are much easier to accommodate with this simpler structure.

Next tip: Always use security groups instead of individual user accounts when assigning permissions. Once you begin assigning permissions to individuals instead of security groups, it won’t be long before nobody will be able to see through the mess, yourself included. When other users need similar permissions, you may have to start the messy process of cloning their permissions, confusing matters all the more for later. Practice has shown time and time again that this is where administrator overhead really starts getting expensive (taking time), and not even the best-intended and well-kept documentation will be able to help you out here.

The KISS principle should also be applied to the security group naming process itself. Why call your new group ResMngtEmplShare07 when you can call it RM-Employees instead? Also: Remember to define your permissions in a way that reflects the department or group. Employees from a particular department will generally need access to a wide range of department resources spread out across various machines. This is where so-called permissions sets can come in handy. These are job-based permissions, a set of security groups that give a particular user all the permissions pertinent to that given group. The Sales permissions set will be different than the Marketing permissions set, for instance. To ensure that an employee who has moved from Sales to Marketing has the proper permissions, he only needs to be added to the Marketing permissions set and removed from the Sales permissions set.

And here’s another thing that will make your life as an administrator a whole lot easier: Go horizontal. That’s right. Avoid setting up these endlessly deep vertical share structures. Your folders will be easiest to manage if you create just one Read-only root-level folder and then half a dozen logical folders (tops!) for the users below. And even here, with time, users tend to get out of control and deepen their own folder structures to the point that they will eventually exceed the Windows 255-character path limit. And then it may well be restructuring time all over again. So don’t just keep it simple, keep it flat, too.

And one last word of caution: Don’t use the Everyone Group in your share permissions structure at all. Been there, done that. In my view, the Everyone Group’s only purpose is to create a big security problem in your network. If you absolutely, positively have to use a general user access group and not one of your own, use the Authenticated Users group instead.
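
The rules above (a global deny group on every share, groups rather than individual accounts, no Everyone, a flat folder tree) can be checked on an existing file server. The following PowerShell audit is an added example, not part of the original article; the deny group name `CORP\Share-Deny`, the depth threshold and the use of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example: audit local SMB shares against the article's rules.
# Assumed, not from the article: the deny group name, the depth threshold,
# and that the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory
$DenyGroup = 'CORP\Share-Deny'   # hypothetical global deny group
$MaxDepth  = 2                   # hypothetical limit on folder levels below the share root

function New-Finding($Share, $Issue, $Detail) {
    [pscustomobject]@{ Share = $Share; Issue = $Issue; Detail = $Detail }
}

$findings = foreach ($share in Get-SmbShare -Special $false | Where-Object Path) {
    $aces = @(Get-SmbShareAccess -Name $share.Name)

    # Rule: a global deny group sits on every share.
    if (-not ($aces | Where-Object { $_.AccountName -eq $DenyGroup -and
                                     $_.AccessControlType -eq 'Deny' })) {
        New-Finding $share.Name 'No deny entry for global deny group' $DenyGroup
    }

    foreach ($ace in $aces) {
        # Rule: Everyone never appears in share permissions.
        if ($ace.AccountName -eq 'Everyone') {
            New-Finding $share.Name 'Everyone is used' "$($ace.AccessControlType) $($ace.AccessRight)"
            continue
        }
        # Rule: permissions go to security groups, not individual accounts.
        # Local (non-domain) accounts are not found in AD and are not classified here.
        try {
            $sid = ([Security.Principal.NTAccount]$ace.AccountName).Translate(
                       [Security.Principal.SecurityIdentifier]).Value
            $adObject = Get-ADObject -Filter "objectSid -eq '$sid'"
            if ($adObject.ObjectClass -eq 'user') {
                New-Finding $share.Name 'Individual user account' $ace.AccountName
            }
        } catch {
            New-Finding $share.Name 'Account could not be resolved' $ace.AccountName
        }
    }

    # Rule: keep it flat. Report folders nested deeper than $MaxDepth.
    $rootParts = $share.Path.TrimEnd('\').Split('\').Count
    Get-ChildItem -LiteralPath $share.Path -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName.Split('\').Count - $rootParts -gt $MaxDepth } |
        ForEach-Object { New-Finding $share.Name 'Folder nested too deep' $_.FullName }
}

$findings | Sort-Object Share, Issue | Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the file server; it only reads share permissions and folder names and changes nothing.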

Last Updated on Saturday, 11 April 2009 14:39