New File Server Setup

Posted on 2006-05-24
Last Modified: 2010-04-18
I run a network of about 100 users.  Currently there are files scattered across a couple of application servers and two Snap Servers.  I just ordered a new Dell PowerEdge 2850 with a little over half a terabyte of storage to consolidate everything onto one single file server.  I'm wondering if anyone has suggestions on the cleanest, most efficient way to set it up....It will run Windows 2003 Server, and be 100% dedicated to file storage, and that's it. It will store Home Directories, scientific data files, .pst files for each user, and a Public directory.  I will be building it up from scratch and organizing the directory structure myself.  Another big concern is that I want to make it as easy as possible for users to find what they need without having to call me up and ask "how to map" or "where is this and that"....So would I just make, say, 4 separate shares, called maybe "Science", "HomeDirs", "Public", and "Accounting"?  And then assign appropriate share permissions and NTFS permissions on each one of those?  Or would it be better/easier to create a single share point, allow "Read" share access to everyone, and then within that share, assign permissions that filter down?   Any and all suggestions and advice are much appreciated.
Question by:tenover
    LVL 33

    Expert Comment

    I like the four shares idea...  probably not a good idea to allow everyone READ access to all the data.  But really, this is your internal decision on what makes sense for your environment.  After all, you are the only one that knows how technical your users are and what they would need to do to access data.  I would focus a little time on training the end users on how to access the data.

    Author Comment

    I agree.  Thanks.  Just looking for suggestions that maybe I haven't thought about, or possible snags with my idea.
    LVL 33

    Expert Comment

    The only snag I can think of is when you move the data, you will have to make sure that you copy the NTFS security (or set up new security).  ROBOCOPY or XCOPY can be used to copy data and security (if all security is domain based).

    Other than this, the only other snag I can see is that sometimes, users will add URL links in Word or Excel documents to open another document.  These links will break when you restructure the data in the way you plan.  I have seen this in some places, but it usually isn't too big of a problem...  because this linking isn't very popular.


    Author Comment

    Ugghhh....I didn't think about the linking issue.  In regards to the permissions, I'd rather just restructure it from scratch and make sure it's done correctly.
    LVL 9

    Accepted Solution

    I personally love the flexibility which NTFS file permissions give you.

    I personally set it up on all my FnP servers as the following:

    Shared Data>
    and within I would have the following shares
    Home Dirs

    Shared permissions on all 4 directories would simply be
    Authenticated Users > Full control

    Then on the top directory, i.e. Shared Data, on the SECURITY TAB, this is where it comes down to personal preference; I would remove everything, then add in:

    Domain Admins > Full Control

    Authenticated Users >
    Entirely up to you what you add in here, however I tend to set it up so that they CANNOT delete folders and files or create folders and files, etc.
    Well you need to keep control of the top level yourself, but allow the users to see what shares they have permission to access ( I will go into this later)

    Then on the Lower level folders ie Science-HomeDirs-Public.

    On Science>>
    I would create a Security Group called
    ScienceManagement (for arguments sake)
    & 1 called
    Science Users ( for arguments sake)

    The Science Management Group
    would be for users who you feel can be left to keep control of the science directory
    ie allow them to Create/Delete Files and Folders amend etc etc
    This way the directory does not end up with countless folders being created by everyone and his dog and get totally out of control. The users in this group can manage its internal structure.

    The Science Users, Group
    Would be for standard users and I would allow them the same as the Science management Group,
    I would not allow them to create folders rename folders or delete folders.
    They can create and delete files and amend them etc.
    This way your directories are kept in a structured order.

    So the groups would be on the security tab of the science folder>
    Domain Admins> Full control
    Science Management> All but Full control

    Science Users>
    You need to click the advanced button down the bottom right, double click this group in here and make sure that in the top drop down "This Folder and sub folders" is selected
    and make sure they DO NOT have:
    full control
    Create Folders/append data
    delete folders and sub folders
    nor the single delete option,
    plus don't allow them to take control or change permissions.

    OK this,
    as this section is now completed.

    Then click add
    still within the advanced section & add a second version of Science users,
    In the drop down after double clicking this group once you have added them in,
    select "Files Only" from the drop down where last time you selected Folders and Sub folders, as you will now have two versions of Science users within the advanced section.
    This is now to set the permissions on the files.
    Inside here don't allow them full control nor Delete folders or subfolders
    BUT ALLOW them the option to DELETE (this allows them to delete files)
    but don't allow them to take control or change permissions,
    nor Create Folders/append data (this prevents them creating folders, but they can still create files).
    You can then allow them the other options to create write read append etc etc.

    OK this,
    and still within the advanced option you should now have 2 versions of Science users,
    1 for Folders and sub folders
    1 for files only.
    These permissions, if set correctly, will allow the science users to create files, amend them, read them, write to them, delete them etc., but they will not be able to take control of them and change permissions.
    They will have the same on folders except they CANNOT create rename or delete folders.

    Using this option you can keep real control over your folder structure and prevent it from getting into a real mess.
    The home directories would be simple to setup,
    The Public again is simple as you can allow authenticated users whatever access you deem fit, but that's potentially asking for trouble.

    Instead of using the $ sign to hide shares you do not want users to find, which, let's face it, is relatively easy to get round, Microsoft have an exceptionally good plugin which is free called Access Based Enumeration.

    Install this and no one who is not a member of, say, your 2 Science groups will even see the Science folder when they are inside the Shared Data folder because they are not members of the Science groups or Domain Admins;
    this is impossible to get round and also in large shared directories helps users find what they are looking for really quickly as they only see what they actually have access to.

    Sorry I got a bit carried away there, time for a cup of tea.

    Author Comment

    Thanks....Good ideas.  I'm going to share the "Shared Data" out, allowing all Authenticated Users access.  I want people to be able to *EASILY* go to the share, see the 4 or 5 subdirectories, and then they either have access to some of them or not, and proceed from there.  I like your idea about having a "Management" and "User" group for each subdirectory.....

    What is the easiest way to configure the "HomeDirs" folder so that each user has modify privileges to only their folder and cannot see anyone else's, and Domain Admins have Full Control?  Once that's done, I'd like to automatically redirect users' "My Documents" folders to their new home directories (which I believe I can do using my Default Domain Policy), and then automatically redirect their Outlook Archive folders to their new Home Dirs as well....Ideas?  Thanks.

    Author Comment

    Never mind that last post, I figured it out.  AD, \\server\share\%username%.  Then I created a new GPO to redirect "My Documents" to "the user's home directory".  Worked like a charm on a couple of test users.  Now, HERE'S the important question....Can I somehow BLOCK the "My Pictures" and "My Music" directories from being redirected?  What a waste of space it's going to be if I have to store everyone's iTunes directories and family pictures!
    LVL 9

    Expert Comment


    Author Comment

    Ok. ok....Small problem here.  Since I want everyone to have a single drive mapping to this newly created share called "Shared", I do not want to share out each individual subdirectory.  I created one single share called "Shared".  Underneath that is "Science", "HR", "Exec", etc....Not shared out, just subdirectories of "Shared".  I want all users to SEE all those subdirectories, but only be able to get into the ones they have permissions to. I like the above idea, so I created a "Users" and "Managers" Group for each of those subfolders.  The problem is that the "Managers" still can't create folders in their respective directories.  Is it because of the Share/NTFS permissions on the "Shared" directory, or on the NTFS permissions of the subfolders?
    LVL 9

    Expert Comment

    Before you start make sure you are logged in with an account that is either the administrator account or is a member of the administrators group or domain admins.
    To get the managers to be able to create in each of their respective sub folders you will have to go into the security tab of the relevant subfolders ie HR for example,
    Click on the Advanced button bottom left
    On the next screen
    Inherit from parent the permission entries that apply to child objects.

    You then get a pop up warning
    >>> Selecting this option means that the parent permission entries bla bla bla bla and on it goes etc etc etc.

    You can select Copy but that simply leaves the incorrect permissions in, so select Remove.
    You will now get another warning about how you are locking yourself out apart from the owner; the owner is whoever created this folder, I assume that's you, if not don't worry, as you are an administrator you can't be locked out.
    You now have no entries, that's OK.

    Now select ADD
    I would DEFINITELY add yourself in here or Domain Admins and Administrator, up to you, but give yourself FULL permission, so you have total control and no one else you can't trust.
    Apply that so you are not locking yourself out.

    Right now you have a blank canvas and can start adding back in the permissions I put in my 1st post.
    all you need to do now is simply add the managers group back in and the authenticated users back in as I posted above, ie preventing the authenticated users from creating folders and deleting them.
    And allowing the managers to CREATE and DELETE folders or basically what ever you want.

    Just test it out, trust me it works a treat once you get it fine tuned exactly as you want it.

    When you have this correct users will be able to only access what YOU ALLOW THEM
    LVL 9

    Expert Comment

    Tenover, have you got this working?
    I notice you are using my approach in the following question which also remains open; the above suggestion from myself will work once you have it set correctly.

    Author Comment

    It's still not working properly, *something* is wrong, and it's very hard to figure out what, or where....I still have the issue with users being able to create files and folders in the root of the share, and now I'm getting calls saying that users who are in their respective <departmentusers> groups, who, through the Advanced Security tab are supposed to be able to write and modify files but not folders, CAN'T write files.....Very strange.  I'm sure it's something basic, but I've yet to figure it out.  If anyone has a cut and dry way to make it work, I'm all ears....

    Oh, and one other thing, looking at your first post here....
    I have only ONE share (called "Shared"), and underneath that I have 10 directories (department names, such as "Exec", "Biology", etc...).  I want all users to be able to access the single share, yet NOT write ANYTHING into the ROOT of this share.  Then, through NTFS Permissions, I want users to be able to access their respective Departmental folders.  I have two groups for each Department folder, "Users" and "Managers".  Users should be able to read, write files, modify, etc.....but NOT create or Delete subdirectories within their Departmental directory....  Managers should have everything but Full Control.

    Please help!  Thanks.

    Author Comment

    Ok, I got the issue resolved with users being able to write to the root share, I will give you the points for that.  The last issue remaining with this is that the "users" group in each respective folder cannot append data if I uncheck "Create Folders/Append Data"...Is it all or nothing?  They need to be able to append data to existing files, but I didn't want them to be able to create folders...Is that possible or not?  Thanks.
    LVL 9

    Expert Comment

    Yes of course,
    You MUST pay particular attention to the users in

    I'm guessing your problem is you only have one instance of Authenticated Users or say Exec or Biology, whatever you have called them. Having said that, remember all users are members of Authenticated Users, so take this out if you DO NOT want everyone in individual shares; by the sounds of it you have cracked this anyway.
    Let's say you want the members of the Biology Group.

    Within the advanced button you need 2 instances of Biology,
    One is to stop them creating and deleting files and folders,
    and the other is to allow them to amend info to an existing file.

    If you look you will see the headings

    below these are your users and groups; APPLY TO is what you're interested in.
    It probably states
    This folder and sub folders and files or Possibly just This folder and Sub Folders,
    that allows you to set permissions to the Folders as you wish.

    Then ADD
    Another instance of the same group ie Biology and when you get the Box open up allowing you to put the ticks in the boxes,
    use the drop down at the top and select Files Only

    This then allows you to set permissions on the Biology group either being able to add/create files if you want them to or simply amend existing files.

    I'm pretty sure your problem is that you DO NOT have 2 instances of the group you want to allow different permissions on the folders and sub folders and again completely different permissions on the files in the same folders.
    Once you have done this DO NOT get confused, because when you OK everything you will only have one instance of say the Biology group under the security tab,
    that's fine,
    it's within the advanced button of the security tab you need 2 instances of your group you're setting different permissions for folders and files.


    Trust me, it's like everything in life: when you know how to do it, it's obvious; when you don't, it's impossible to fathom it out, or so it seems.

    Unfortunately I can't show you any step by step screenshots.

    That's OK as you use that.

    Let me know how you get on.
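    The "two instances of the same group" NTFS layout from the accepted solution and the comment above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell and the .NET ACL classes are available on the server, and uses placeholder paths (D:\Shared, D:\Shared\Science) and placeholder group names (CORP\ScienceManagement, CORP\ScienceUsers).

```powershell
# Added example, not from the thread: build the share root and one department folder
# the way the GUI steps above describe, using PowerShell's .NET ACL classes.
# Assumed placeholders: D:\Shared is the share root, D:\Shared\Science is a department
# folder, and the CORP\... groups already exist in Active Directory.
$root     = 'D:\Shared'
$dept     = 'D:\Shared\Science'
$managers = 'CORP\ScienceManagement'
$users    = 'CORP\ScienceUsers'
$R = [System.Security.AccessControl.FileSystemRights]

function New-Ace($identity, $rights, $inherit, $propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $propagate, 'Allow')
}

# Share root: signed-in users can list it, but "This folder only" (no inheritance flags)
# and no write rights means nobody can create files or folders in the root.
$rootAcl = Get-Acl $root
$rootAcl.SetAccessRuleProtection($true, $false)      # stop inheriting = "Remove", not "Copy"
$rootAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$rootAcl.RemoveAccessRule($_) }
$rootAcl.AddAccessRule((New-Ace 'CORP\Domain Admins' $R::FullControl 'ContainerInherit, ObjectInherit' 'None'))
$rootAcl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' $R::ReadAndExecute 'None' 'None'))
Set-Acl $root $rootAcl

# Department folder: blank canvas first (stop inheritance, drop explicit leftovers).
$acl = Get-Acl $dept
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$acl.AddAccessRule((New-Ace 'CORP\Domain Admins' $R::FullControl 'ContainerInherit, ObjectInherit' 'None'))
# Managers: "all but Full Control" = Modify plus Delete Subfolders and Files.
$acl.AddAccessRule((New-Ace $managers ($R::Modify -bor $R::DeleteSubdirectoriesAndFiles) 'ContainerInherit, ObjectInherit' 'None'))

# Users, instance 1 = "This folder and subfolders": list/traverse and Create Files, but
# deliberately NOT Create Folders/Append Data, Delete, Delete Subfolders and Files,
# Change Permissions or Take Ownership.
$folderRights = $R::ReadAndExecute -bor $R::CreateFiles -bor $R::WriteAttributes -bor $R::WriteExtendedAttributes
$acl.AddAccessRule((New-Ace $users $folderRights 'ContainerInherit' 'None'))

# Users, instance 2 = "Files only" (ObjectInherit + InheritOnly). The bit that means
# "Create Folders" on a folder means "Append Data" on a file, so granting it in a
# files-only entry lets users append to existing files without ever being able to
# create a folder. Delete here means "delete files" only.
$fileRights = $R::ReadAndExecute -bor $R::WriteData -bor $R::AppendData -bor $R::WriteAttributes -bor $R::WriteExtendedAttributes -bor $R::Delete
$acl.AddAccessRule((New-Ace $users $fileRights 'ObjectInherit' 'InheritOnly'))
Set-Acl $dept $acl

# Check: the users group must appear twice, with different inheritance (Apply To) flags.
(Get-Acl $dept).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

    Run it as a member of Administrators, as the comment above says, so that stripping inheritance cannot lock you out of the folder.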
    LVL 9

    Expert Comment

    Were the above comments of help to you, Tenover, as we have not heard from you in a while?
