Tips for file server security management
Windows File Server gives you many possibilities to configure permissions. You can have one set of permissions on a parent folder and another set on sub-folder(s). You can configure some sub-folders to inherit permissions from the parent and other sub-folders to have completely different permissions. You can gather users into local groups or domain groups and then grant permissions to those groups. You can also grant permissions on folders to individual users. You can use any combination of local groups, domain groups and individual users to define permissions.
With so many options available, what is the best way to manage security on file servers?
I’ve collected some best practices I would like to share with you.
Use domain security groups to manage folder permissions.
For each folder, create two domain security groups: one group for users with read-only permissions and another group for users with read and write permissions. Use only those two groups to manage folder permissions. When a user needs write permissions, add him or her to the group that has write permissions. If he or she needs only read permissions, add him or her to the group with read-only permissions. Users that are not members of either of those two groups do not have access to that folder. A nice benefit of this best practice is that administrators can manage permissions without touching file servers. They just add or remove users from security groups in the Active Directory.
Always use the same pattern for group names. One possible pattern is “ServerName-ShareName-FolderName-GroupType”.
An example of a group name would be “UserFiles-Common-TopQualityDeviations-RW”.
“ServerName” is the name of the server where the folder is located.
“ShareName” is the name of the share on the file server.
“FolderName” is the name of the folder, where you replace spaces with underscores or use Pascal Case.
“GroupType” describes the permissions that users in that group will have on that folder. Use the letter R for read-only permissions and RW (or only W) for read and write permissions.
If you decide to use only one share for all the files, you can omit the share name part.
Define permissions only on one folder level.
Often users want some colleagues to have read access on a parent folder. For some sub-folders they would like to give some of those users write permissions. For some sub-folders they want only two or three people to have access and ban everybody else.
Don’t fall into that trap. A moment of inattention while you change permissions on a parent folder is enough to reset the permissions on its sub-folders. Some sensitive information could be disclosed and you will be in trouble.
Define permissions only on one folder level. All the files and folders beneath that folder inherit those permissions. When users demand different permissions for a sub-folder, move that folder one level up and define unique permissions for that folder and all its sub-folders.
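One way to check a share against the two rules above (two pattern-named groups per folder, permissions defined on one folder level only), as an added PowerShell example that is not from the original article. The function names, the domain name CONTOSO and the list of allowed built-in principals are assumptions.

```powershell
# Added example, not from the original article. Function names, the CONTOSO
# domain and the allowed built-in principals are assumptions for illustration.
function Get-FolderGroupName {
    param([string]$Server, [string]$Share, [string]$Folder,
          [ValidateSet('R', 'RW')][string]$Type)
    # Pattern from the article: ServerName-ShareName-FolderName-GroupType,
    # with spaces in the folder name replaced by underscores.
    $name = '{0}-{1}-{2}-{3}' -f $Server, $Share, ($Folder -replace ' ', '_'), $Type
    if ($name.Length -gt 64) { Write-Warning "'$name' exceeds 64 characters (AD common-name limit)." }
    $name
}

function Test-ShareLayout {
    param([string]$SharePath, [string]$Server, [string]$Share, [string]$Domain,
          [string[]]$AllowedBuiltin = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'))
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($folder in Get-ChildItem -LiteralPath $SharePath -Directory) {
        $ro = '{0}\{1}' -f $Domain, (Get-FolderGroupName $Server $Share $folder.Name 'R')
        $rw = '{0}\{1}' -f $Domain, (Get-FolderGroupName $Server $Share $folder.Name 'RW')
        # Explicit (non-inherited) entries on the managed folder level.
        $explicit = (Get-Acl -LiteralPath $folder.FullName).Access |
            Where-Object { -not $_.IsInherited }
        foreach ($ace in $explicit) {
            $who = $ace.IdentityReference.Value
            if ($who -notin (@($ro, $rw) + $AllowedBuiltin)) {
                [pscustomobject]@{ Path = $folder.FullName; Finding = "Unexpected principal: $who" }
            } elseif ($who -eq $ro -and (([int]$ace.FileSystemRights -band $write) -ne 0)) {
                [pscustomobject]@{ Path = $folder.FullName; Finding = 'Read-only group has write rights' }
            }
        }
        # Everything below the managed level must inherit: no blocked
        # inheritance and no explicit entries on any sub-folder.
        foreach ($sub in Get-ChildItem -LiteralPath $folder.FullName -Directory -Recurse) {
            $acl = Get-Acl -LiteralPath $sub.FullName
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{ Path = $sub.FullName; Finding = 'Inheritance disabled on sub-folder' }
            } elseif ($acl.Access | Where-Object { -not $_.IsInherited }) {
                [pscustomobject]@{ Path = $sub.FullName; Finding = 'Explicit permissions on sub-folder' }
            }
        }
    }
}

# Constructed usage; server and share names follow the article's example group name.
Test-ShareLayout -SharePath '\\UserFiles\Common' -Server 'UserFiles' -Share 'Common' -Domain 'CONTOSO'
```

Individual user accounts and unresolved SIDs on a folder show up as unexpected principals, and an empty result means the share matches the layout.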
Define the “owner” of each folder
Each folder should have an owner. The owner is the person who is responsible for the contents of the folder. This is also the person who has to approve all security changes for that folder. When some users ask for access to a folder, administrators should ask the owner to approve the change before they make it. It would be even better if you have the user ask the owner to request the change.
Put the owner information in the comments field of the Active Directory security group. This way you don’t have to maintain a separate list of folders and owners. Administrators have the information readily available when they open a group properties window.

