Advice Setting up File Server Shares and DFS Namespaces

Sorry for the long-winded post.  I am looking for some advice and suggestions on structuring a new file server using Server 2012.  Below is what I planned on using for my file server hierarchy.  

- Applications (Folder for Shared Applications)
- Data - (Non-Shared Folder)
       - Departments - (Shared Folder)
               - Accounting - (Shared Folder)
                      - Accounts Payable - (Shared Folder)
                      - Accounts Receivable - (Shared Folder)
               - Human Resources - (Shared Folder)
               - Information Technology - (Shared Folder)
               - Marketing - (Shared Folder)
               - Production - (Shared Folder)
                     - Plant 1 - (Shared Folder)
                     - Plant 2 - (Shared Folder)
                     - Plant 3 - (Shared Folder)
                     - Plant 4 - (Shared Folder)
                     - Plant 5 - (Shared Folder)
               - Etc.
       - Projects - (Shared Folder)
               - Project 1 - (Shared Folder)
               - Project 2 - (Shared Folder)
               - Etc.
       - Public - (Shared Folder for users to share files with other users.  Files will be removed after 5 days. )
       - UserData - (Hidden Share to hold User’s Redirected Folders such as My Docs)

I envisioned simply mapping a drive letter to the Departments folder for all users.  Using Access Based Enumeration, when a user went into the Departments folder they would only see the departments that they have access to.  Each department is responsible for organizing and structuring the files within their share.  

Due to the fact that we are a small company and most people wear multiple hats, almost everyone will need at least some type of access to multiple department folders.  For example, production will need to be able to drill down into the Engineering folder to open CAD drawings.  Customer Service will need to drill down into the marketing folder and view PDF files of literature pieces.  Customer Service will also need to drill down into the Engineering folder to view user manuals for our equipment.  You get the idea.  

Ideally, I would like for Customer Service to go into the Marketing folder and only see the folders that they have access to in order to retrieve literature pieces.  For example, the Customer Service group is given read access to the Marketing\Division XYZ\Literature\Product ABC directory.  As the Customer Service group traversed down to the Product ABC folder they would not be able to see any other folders or files along their way to get to the Product ABC directory.  For example, they would not see the Marketing\Division XYZ\Images directory.  However, I am not sure if this is possible or not.

I have read articles that state it is not a good idea to have nested shared folders due to the fact that it can become a nightmare for setting proper permissions.  However, I am not sure how you could keep an organized folder structure without having nested shares.  I suppose that I could break out Accounts Payable and Accounts Receivable from the Accounting folder and have them under Departments.  However, if I broke out all of the subfolders for Accounting, Production, Quality Control and many other departments then I would have a very long list of shares under Departments.  

Although we will only be running one file server at this time, according to my reading it seems that it would be best to set up DFS Namespaces at this point in time to help “future-proof” things in case we add additional file servers and so forth.  It seems like putting in a little work upfront with DFS namespaces can save a lot of potential headaches down the road.  

With all of that said, I am looking for comments, suggestions and opinions on how I am looking to set up our new file server.
Asked by csimmons1324 (IT Manager)

Matt V commented:
We use a similar folder structure, and are just now implementing access based enumeration.  I can confirm that having shares mapped at multiple levels is a nightmare.

We are using a share at each department level, and then access based enumeration to control what users see.
csimmons1324 (IT Manager, author) commented:

Do you have users from one department that need to access folders / files in another department's folder?  If so, then I am assuming you have nested shares so that you can set permissions on the subfolder(s) for those people that need specific access to only that subfolder.
General rules \ recommendations for shared folders:

- Share root folders only, unless you have very complicated access requirements.
- Keep share permissions at Full Control for the Everyone \ Authenticated Users group and control user access with NTFS.
- On the root folder, assign Authenticated Users \ Everyone the NTFS List Folder Contents permission, with "Applies to" set to This Folder Only in the advanced security permissions. This will restrict users' ability to browse each and every folder under the root share, and a user can access only those folders for which he has explicit access.
- After the initial sharing of the root folder, remove inheritance in the advanced properties on the Security tab.
- Do not give anybody Full Control NTFS permissions except administrators; try to keep NTFS permissions at Modify at most, as far as possible.
- Remove the Creator Owner group from the NTFS ACL of the root share folder. This is the main culprit, as it causes users to get folder ownership, which can cause folder access issues for other users.
- Avoid assigning NTFS permissions to single users. Instead, provide access to global groups \ domain local groups. You can create groups for read-only access and modify access, and add the required users to the respective groups so that those users get access correctly.
- Ask folder owners to add \ remove users in the above groups to grant \ revoke access.
- Provide them delegated access on the groups to add \ remove users if required.

Finally, for cross-department access, create a common root folder and share that for all respective departments. If the folder remains in between another root share folder, it will limit your managing power and the folder structure becomes complicated, especially when you want to restructure.

Enable access-based enumeration and append $ to the share names to hide them in normal Windows Explorer.

Also, a DFS namespace would be useful only if you have multiple file servers, so that you can benefit from redundancy for the namespace and can set up DFS replicas.
A DFS replica can be treated as a DR solution.
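
The root-folder rules from the answer above, as an added PowerShell example that is not part of the original thread. The path `D:\Data\Departments`, the `CONTOSO` domain and the `FS-Marketing-RO` / `FS-Marketing-RW` groups are assumed names; run it elevated on the file server.

```powershell
# Assumed names: replace the path, domain and groups with your own.
$root  = 'D:\Data\Departments'
$share = 'Departments$'                 # trailing $ hides the share from browsing
$dept  = Join-Path $root 'Marketing'
$roGrp = 'CONTOSO\FS-Marketing-RO'      # read-only group (assumed to exist)
$rwGrp = 'CONTOSO\FS-Marketing-RW'      # modify group (assumed to exist)

New-Item -ItemType Directory -Path $dept -Force | Out-Null

# 1. Give Administrators and SYSTEM explicit Full Control BEFORE breaking
#    inheritance, so the folder cannot end up with no usable ACEs.
icacls $root /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 2. Remove inheritance on the root and discard the inherited ACEs.
icacls $root /inheritance:r

# 3. Authenticated Users may list and traverse the root only. (RX) without
#    (OI)/(CI) flags applies to this folder only, so nothing flows to subfolders.
icacls $root /grant:r 'NT AUTHORITY\Authenticated Users:(RX)'

# 4. Drop CREATOR OWNER so whoever creates a folder does not gain control of it.
icacls $root /remove:g 'CREATOR OWNER'

# 5. Department folder: access through groups only, Modify at most.
icacls $dept /grant:r "${roGrp}:(OI)(CI)RX" "${rwGrp}:(OI)(CI)M"

# 6. Share the root once. The share permission stays wide and NTFS decides
#    access; access-based enumeration hides folders a user cannot read.
New-SmbShare -Name $share -Path $root `
    -FullAccess 'NT AUTHORITY\Authenticated Users' `
    -FolderEnumerationMode AccessBased | Out-Null

# 7. Review the result before handing the share to users.
icacls $root
icacls $dept
Get-SmbShare -Name $share | Select-Object Name, Path, FolderEnumerationMode
Get-SmbShareAccess -Name $share
```

After step 7 the root should show only Administrators, SYSTEM and a non-inherited Authenticated Users entry, and the department folder should add nothing beyond the two groups.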
Question has a verified solution.