Advice Setting up File Server Shares and DFS Namespaces

Posted on 2014-08-06
Last Modified: 2014-08-11
Sorry for the long-winded post.  I am looking for some advice and suggestions on structuring a new file server using Server 2012.  Below is what I planned on using for my file server hierarchy.  

- Applications (Folder for Shared Applications)
- Data - (Non-Shared Folder)
       - Departments - (Shared Folder)
               - Accounting - (Shared Folder)
                      - Accounts Payable - (Shared Folder)
                      - Accounts Receivable - (Shared Folder)
               - Human Resources - (Shared Folder)
               - Information Technology - (Shared Folder)
               - Marketing - (Shared Folder)
               - Production - (Shared Folder)
                     - Plant 1 - (Shared Folder)
                     - Plant 2 - (Shared Folder)
                     - Plant 3 - (Shared Folder)
                     - Plant 4 - (Shared Folder)
                     - Plant 5 - (Shared Folder)
               - Etc.
       - Projects - (Shared Folder)
               - Project 1 - (Shared Folder)
               - Project 2 - (Shared Folder)
               - Etc.
       - Public - (Shared Folder for users to share files with other users.  Files will be removed after 5 days. )
       - UserData - (Hidden Share to hold User’s Redirected Folders such as My Docs)

I envisioned simply mapping a drive letter to the Departments folder for all users.  Using Access Based Enumeration, when a user went into the Departments folder they would only see the departments that they have access to.  Each department is responsible for organizing and structuring the files within their share.  

Due to the fact that we are a small company and most people wear multiple hats, almost everyone will need at least some type of access to multiple department folders.  For example, production will need to be able to drill down into the Engineering folder to open CAD drawings.  Customer Service will need to drill down into the marketing folder and view PDF files of literature pieces.  Customer Service will also need to drill down into the Engineering folder to view user manuals for our equipment.  You get the idea.  

Ideally, I would like for Customer Service to go into the Marketing folder and only see the folders that they have access to in order to retrieve literature pieces.  For example, the Customer Service group is given read access to the Marketing\Division XYZ\Literature\Product ABC directory.  As the Customer Service group traversed down to the Product ABC folder they would not be able to see any other folders or files along their way to get to the Product ABC directory.  For example, they would not see the Marketing\Division XYZ\Images directory.  However, I am not sure if this is possible or not.    

I have read articles that state it is not a good idea to have nested shared folders due to the fact that it can become a nightmare for setting proper permissions.  However, I am not sure how you could keep an organized folder structure without having nested shares.  I suppose that I could break out Accounts Payable and Accounts Receivable from the Accounting folder and have them under Departments.  However, if I broke out all of the subfolders for Accounting, Production, Quality Control and many other departments then I would have a very long list of shares under Departments.  

Although we will only be running one file server at this time, according to my reading it seems that it would be best to set up DFS Namespaces at this point in time to help “future-proof” things in case we add additional file servers and so forth.  It seems like putting in a little work upfront with DFS namespaces can save a lot of potential headaches down the road.  

With all of that said, I am looking for comments, suggestions and opinions on how I am looking to set up our new file server.
Question by:csimmons1324

    Expert Comment

    by:Matt V
    We use a similar folder structure, and are just now implementing access based enumeration.  I can confirm that having shares mapped at multiple levels is a nightmare.

    We are using a share at each department level, and then access based enumeration to control what users see.

    Author Comment


    Do you have users from one department that need to access folders / files in another department's folder?  If so, then I am assuming you have nested shares so that you can set permissions on the subfolder(s) for those people that need specific access to only that subfolder.

    Accepted Solution

    General rules \ recommendations for shared folders:

    - Share root folders only, unless you have very complicated access requirements.
    - Keep share permissions at Full Control for the Everyone \ Authenticated Users group and control user access with NTFS.
    - On the root folder, assign Authenticated Users \ Everyone the NTFS List Folder Contents permission, applied to This Folder Only, in the advanced security permissions.
    - This will restrict a user's ability to browse each and every folder under the root share; he can access only those folders for which he has explicit access.
    - After the initial sharing of the root folder, remove inheritance in the advanced properties on the Security tab.
    - Do not give anybody Full Control NTFS permissions except administrators; try to keep NTFS permissions to Modify at most, as far as possible.
    - Remove the Creator Owner group from the NTFS ACL of the root share folder. This is the main culprit, as it causes users to get folder ownership, which can cause folder access issues for other users.
    - Avoid assigning NTFS permissions to single users; instead, provide access to global groups \ domain local groups. You can create groups for read-only access and modify access, and add the required users to the respective groups so that those users get access correctly.
    - Ask folder owners to add \ remove users in the above groups to revoke \ grant access.
    - Provide them delegated access on the groups to add \ remove users if required.

    Finally, for cross-department access, create a common root folder and share it for all respective departments. If the folder remains in between other root share folders, it will limit your managing power and the folder structure becomes complicated, especially when you want to restructure.

    Enable access based enumeration and append $ to the share name to hide it in normal Windows Explorer.
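
The root-share setup recommended in the accepted solution above, scripted in PowerShell as an added example that is not part of the original answer. The path `D:\Data\Departments`, the share name `Departments$` and the `CONTOSO\FS-Marketing-*` groups are hypothetical placeholders, and keeping SYSTEM on the ACL is an assumption of this example.

```powershell
# Added example: every path, share name and group name below is a placeholder.
$root    = 'D:\Data\Departments'
$dept    = Join-Path $root 'Marketing'
$roGroup = 'CONTOSO\FS-Marketing-Read'      # hypothetical read-only group
$rwGroup = 'CONTOSO\FS-Marketing-Modify'    # hypothetical modify group

# Well-known SIDs avoid problems with localized account names.
$admins    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$system    = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # SYSTEM (assumption: kept for services/backup)
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'      # Authenticated Users
$creator   = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'       # CREATOR OWNER

# Build an Allow rule; by default it applies to the folder, subfolders and files.
function New-FsRule($Identity, $Rights, [switch]$ThisFolderOnly) {
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit,ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, 'None', 'Allow')
}

# Root folder: break inheritance, drop CREATOR OWNER, Full Control for admins only,
# and let Authenticated Users list the root itself ("This folder only").
# Other explicit entries already on the root are left in place; review them separately.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting; discard inherited entries
$acl.PurgeAccessRules($creator)
$acl.AddAccessRule((New-FsRule $admins 'FullControl'))
$acl.AddAccessRule((New-FsRule $system 'FullControl'))
$acl.AddAccessRule((New-FsRule $authUsers 'ReadAndExecute' -ThisFolderOnly))
Set-Acl -Path $root -AclObject $acl

# Department folder: access through groups only, capped at Modify.
if (-not (Test-Path $dept)) { New-Item -ItemType Directory -Path $dept | Out-Null }
$deptAcl = Get-Acl -Path $dept
$deptAcl.AddAccessRule((New-FsRule $roGroup 'ReadAndExecute'))
$deptAcl.AddAccessRule((New-FsRule $rwGroup 'Modify'))
Set-Acl -Path $dept -AclObject $deptAcl

# Hidden share on the root only: share permission wide open, NTFS does the
# filtering, and access-based enumeration hides folders the user cannot read.
New-SmbShare -Name 'Departments$' -Path $root `
    -FullAccess 'Authenticated Users' -FolderEnumerationMode AccessBased

# Check the result: no CREATOR OWNER, no inherited entries, ABE enabled.
(Get-Acl $root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
Get-SmbShare -Name 'Departments$' | Select-Object Name, Path, FolderEnumerationMode
```

Run it from an elevated session on the file server, against a test folder first, since replacing the root ACL changes access for everything that inherits from it.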

    Expert Comment

    Also, a DFS namespace would be useful only if you have multiple file servers, so that you can benefit from redundancy for the namespace and can set up a DFS replica.
    A DFS replica can be treated as a DR solution.
