I have not built AD from scratch for a company; I've always landed on someone else's work, and when file and Active Directory structure has not been maintained it can be very frustrating. So what can we as IT do to reverse the madness that comes from not following best practices? Well, it's too expensive for a company to do an overhaul and start over, so the only option we are left with is to chip away at it every day, little by little.
You might ask: what is best practice for file and folder share structure? There are many places to find best practices, and Microsoft is a good place to start. Alternatively, you can read my blog, which I will update periodically; I will weed out all the mumbo jumbo that Microsoft adds to their steps.
First and foremost, gather information and create a schematic following these basic rules.
- Gather security permission assignments. You can pull reports using tools like Spiceworks; I use it, and there is a lot of support on the forums to help find the best method for inventorying security.
- Draw up a hierarchy-like structure for folder shares on a server. It is best to have one folder that is shared with all rather than many folders shared with all. Access-Based Enumeration is there for a reason: not everything needs to be viewed by all. With it enabled, users see only the shared folders they have permission to access. (Figure: example of Access-Based Enumeration.)
- Test the structure. The structure should be set up mirroring your security principles, e.g. Accounting folder with security for only security personnel. This can open up another can of worms: Active Directory security groups. Best practice is to have users assigned to security groups and security groups assigned to security permissions within a share. Assigning users directly to a folder's permissions is okay; however, over time more and more users might be added to that folder's permissions, and it can become very messy to manage. That is why it's important to start by drawing up a schematic that reflects your Active Directory structure. That way, when a new user needs permissions to a shared folder in the future, you will only need to add them to the security group inside AD. No need to track down the folder and add them.
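
One way to run the permission inventory and find the direct user assignments described in the steps above, as an added PowerShell example that is not part of the original post. It assumes a domain-joined file server with the RSAT ActiveDirectory module installed; `D:\Shares` is a placeholder path and `Get-PrincipalClass` is a hypothetical helper name.

```powershell
#Requires -Modules ActiveDirectory
# Added example: list explicit (non-inherited) NTFS permissions granted directly
# to user accounts or to SIDs that no longer resolve, plus each share's ABE setting.
param(
    [string]$Root  = 'D:\Shares',   # placeholder: root folder of your shares
    [int]   $Depth = 2              # how many folder levels below $Root to inspect
)

$classCache = @{}   # SID string -> AD objectClass, so each principal is looked up once

function Get-PrincipalClass([string]$Sid) {
    if (-not $classCache.ContainsKey($Sid)) {
        $obj = Get-ADObject -Filter "objectSid -eq '$Sid'"
        # Not in the domain: well-known SID (SYSTEM, CREATOR OWNER), local or deleted account
        $classCache[$Sid] = if ($obj) { $obj.ObjectClass } else { 'not-in-domain' }
    }
    $classCache[$Sid]
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth)

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName
    # Explicit ACEs only ($true, $false); inherited ones are reported at their parent
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = "$sid (unresolved)" }
        [pscustomobject]@{
            Folder   = $folder.FullName
            Identity = $name
            Class    = Get-PrincipalClass $sid
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
        }
    }
}

# Direct user grants and unresolved SIDs are the entries to move into security groups
$findings | Where-Object { $_.Class -eq 'user' -or $_.Identity -like '*(unresolved)' } |
    Sort-Object Folder, Identity | Format-Table -AutoSize

# Run on the file server: shows which shares have Access-Based Enumeration enabled
Get-SmbShare -Special $false | Format-Table Name, Path, FolderEnumerationMode
```

Each row in the first table is a folder where a user, rather than a security group, holds an explicit permission; a `FolderEnumerationMode` of `Unrestricted` in the second table means Access-Based Enumeration is off for that share.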
File and folder share editing is a big monster and will take time to organize and clean up. That is why it's important to first make a plan on paper, then create a testing environment, and finally move forward with the plan.