Managing Data Access on Windows Fileservers: Tooling & Reporting

Step 5: Tooling & Reporting

Tools, Quality Checks, and Reporting

The last step in managing data access on Windows fileservers is implementing proper tooling and reporting. Management of folders through tools, quality checks, and reporting is important for maintaining the integrity of your IT infrastructure.

Without using appropriate tools for checking the permissions, effectively managing folders can be a cumbersome process and prone to security leaks.

A professional folder permissions tool will run a quality check and give a report listing all the users/groups together with their allowed level of access, allowing you to make informed decisions.

Even if you create separate security groups with permissions for each individual data object, which may seem to result in a very large number of groups in Active Directory (AD), a good reporting tool will make your life a lot easier.

Deploying a reporting tool will minimise administrative confusion, and its advantages will let you sleep better.


Support Using Scripts

Scripts are versatile tools that can be used for managing folder permissions and ensuring their security.

The administration may seem confusing at first glance, but the construction of permissions can be mapped in an Excel worksheet, as explained in the previous chapter.

That is, the administration of permissions can be monitored using a simple Excel table. One can, for instance, create a matrix for every object type (file access, mail distribution, SharePoint access).

By using a simple VBA or PowerShell script, the permissions can be transferred to the AD automatically.

In this way, an administrator does not need direct access to the file system. In addition, administrators will no longer have to fight their way through the AD and the file server ACLs.

By running a script, requests requiring changes in the permission structure can be easily taken care of.

Support Using Tools

There are, of course, convenient systems for handling administration tasks that provide the administrator, or the person in charge of permissions, with a comfortable UI offering many possibilities; these are especially useful when nobody involved has scripting experience.

These tools make it possible for a less-skilled administrator, who does not have a deep knowledge of permissions assignments in the NTFS file system, to carry out administration tasks quickly and easily.

In other words, these tools make it possible for the administrator to have a life without worries, since he/she will no longer need to spend a lot of time administrating groups in the AD and does not have to work on the permissions in the file system again and again.

Instead, the administrator will be able to allot additional time to more meaningful tasks.

Security Analysis and Reporting


When the assignment of groups to folders has been done, it is possible, with some effort, to do manual analyses of the effective permission holders.

Everyone who is a member of a certain group will have a specific access permission to a specific object and, if necessary, its child objects. That means that the access possibilities in each area can be shown by a simple analysis of group memberships.

Here is an example of a simple PowerShell script that lists who can access “Accounting” and which permissions each of them has.

The same is true for persons (Individual Active Directory accounts). An employee is a member of certain access groups.

Because of the uniqueness of the membership, it is possible to show immediately which objects the employee can access and what permissions he/she has.

But what if the security groups are nested? For instance, what if a group is itself a member of another group whose members have access to a specific folder?

In such a case, the analysis will be more time-consuming and prone to errors, as it is easy to lose track of things in more complex contexts.
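The following script is an added example, not the script the article refers to above, of how such an analysis can be automated so that nested groups do not get lost: it reads a folder's ACL, expands every AD group in it down to individual accounts (following nested groups and guarding against circular nesting), and produces one report row per account and access entry. It assumes the ActiveDirectory module (RSAT) is installed, that the running account can read the folder's ACL and query AD, and that the folder path is a placeholder to replace.

```powershell
# Added example, not the script referred to in the article: report everyone who can access a
# folder, expanding nested AD groups down to individual accounts.
# Assumptions: the ActiveDirectory module (RSAT) is installed, the account running this can read
# the folder ACL and query AD, and $Folder is a placeholder path to replace.
Import-Module ActiveDirectory

$Folder = '\\departments\Accounting'   # placeholder

# Resolve a group (SAM account name) to all user members, following nested groups.
# The $Visited set stops infinite recursion when groups are nested in a circle.
function Get-EffectiveMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [System.Collections.Generic.HashSet[string]]$Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Visited.Add($GroupName)) { return }   # group already expanded
    foreach ($member in Get-ADGroupMember -Identity $GroupName) {
        switch ($member.objectClass) {
            'user'  { $member.SamAccountName }
            'group' { Get-EffectiveMembers -GroupName $member.SamAccountName -Visited $Visited }
        }
    }
}

# Turn the folder ACL into one row per (account, access control entry).
function Get-FolderAccessReport {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # IdentityReference is "DOMAIN\Name" for resolved principals, or a raw SID for deleted ones
        $name  = ($ace.IdentityReference.Value -split '\\')[-1]
        $group = Get-ADGroup -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
        if ($group) {
            foreach ($user in (Get-EffectiveMembers -GroupName $group.SamAccountName | Sort-Object -Unique)) {
                [pscustomobject]@{ Folder = $Path; Account = $user; Via = $group.SamAccountName
                                   Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                                   Inherited = $ace.IsInherited }
            }
        } else {
            # Not an AD group: a directly assigned user, a built-in principal such as SYSTEM,
            # or an orphaned SID whose account no longer exists. All three deserve a look.
            [pscustomobject]@{ Folder = $Path; Account = $ace.IdentityReference.Value; Via = '(direct)'
                               Rights = $ace.FileSystemRights; Type = $ace.AccessControlType
                               Inherited = $ace.IsInherited }
        }
    }
}

$report = Get-FolderAccessReport -Path $Folder
$report | Sort-Object Account, Via | Format-Table -AutoSize
# Keep a dated copy as part of the documentation trail:
# $report | Export-Csv -Path ".\access-report-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Rows whose “Via” column reads “(direct)” are the ones worth reviewing first: they are either individually assigned users, which the series advises against, or SIDs left behind by deleted accounts.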

As already mentioned, professional tools offer far more possibilities and a more comfortable user interface. In addition, such tools do not require coding expertise and can be provided to the data owner or even directly to users.

Documentation


Surveys show that only about half of all IT administrators document their work. Thus, many are not documenting how the administration of permissions is taken care of or who, why, when, and where permission was gained or revoked and by whom.

If there is a data security breach or audit, this lack of planning can have serious consequences.

As an administrator, you should ensure you keep updated and audited reports of folder permissions; otherwise, the security consequences could be difficult to contain.

No Tools for Managing Security Rights


Without any tools to manage security rights, you will lack control over your critical infrastructure.

The complexity of IT is constantly increasing. This applies not only to applications, networks, data quantities, and possibilities, but also to globalisation and the use of resources that are not on-site or that have been leased.

Administrators are being confronted with increasing demands and are frequently overburdened and unable to cover the breadth of all of their activities.

Because of that, it is imperative to deploy tools to make the work easier, reduce the effort required, generate automatic documentation, and maintain the integrity of all processes.

Download Checklist

Click here to download a checklist that will assist you with implementing proper tooling and reporting

Conclusion

In the previous articles, we’ve talked about the following five steps to managing access on Windows fileservers effectively:

We hope you’ll make use of the steps to take your data access management to the next level.

Do you have any comments or questions?

Please post them below.

Managing Data Access on Windows Fileservers: Assignment of Users

Step 4: Assignment of Users

Assignment of Users to Active Directory Security Groups

The fourth step in managing data access on Windows fileservers is properly assigning users to Active Directory security groups. If this is not done correctly, it can lead to unauthorised access to shared data and critical losses to your IT infrastructure.

Security should be implemented through well-defined groups. Users should be assigned to groups and the groups granted the rights to access the folders.

This way, the users enjoy access to the folders based on the group privileges. Since it’s easier to maintain the integrity of your systems by managing groups than individual users, users should never be granted access rights to folders directly.

In most cases, ordinary users should not be assigned Full Control permissions. This permission level is a huge security risk because users can misuse it. Worse still, if it gets into the hands of attackers, it can lead to heinous consequences.

It is recommended to implement a least privilege permission level and minimise the permissions required to allow access. Usually, Read and Write permissions are sufficient to allow users to complete most tasks.

The basis for the assignment of users to folders is a rather complex question and answer game.

For each folder that needs to be protected with permissions, ask the person responsible for the data which users should receive which access rights. Please follow the processes described in the previous chapter.


You can use a permissions matrix to help in gathering necessary data and providing documentation for the permissions assigned to users. These matrixes can easily be made using an Excel table.

For each folder that needs its own permissions, make a row. In the columns, the users that have access to the folder will be recorded. The necessary permissions can be specified with a “W” for “Write” permissions and an “R” for “Read” permissions.

With this matrix as a starting point, you can plan and create security groups within the Active Directory and assign users to the appropriate groups.

These tables should ideally be administrated directly by the person responsible for the data in question (the data owner).

A matrix should be created and maintained for each department. Alternatively, one very large matrix can be used to administrate the permissions for all departments, in which case other persons must not be allowed to change the content of cells.

Importantly, once the matrix has been created, it is essential to implement a continuous authorisation process in which the assigned permissions are audited. This way, the data permission integrity will not be compromised.

If an authorisation process is not adopted, the permissions can revert to their previously chaotic state and cause security risks, such as privilege creep.

Example:

An employee from Human Resources needs to read the vacation lists from Sales. This is stored in: “\\Department\sales\planning”

So that the HR employee does not gain access to the entire “Sales” folder and its subfolders, he/she must first be put into the LIST group for that folder. With this step, the HR employee can open the “Sales” folder, but cannot read or change data. Next, the HR employee must be assigned to the group “FG Sales Planning R”, which grants “Read” permission for the subfolder. That employee will then be able to access the “planning” subfolder and read the data within.

In short, this “LIST” permission allows someone to “take a walk” through a closed area.
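The following script is an added example, not code from the article, showing how the permissions matrix described above can be turned into Active Directory groups by a script (which is also what Step 5 means by transferring the Excel sheet to the AD). It assumes the ActiveDirectory module is available, that the matrix has been exported from Excel as CSV with one row per folder and one column per user, and that groups are named “FG <Folder> <L|R|W>”, following the article's “FG Sales Planning R”; the share root, OU and sample rows are placeholders. Beyond creating the R and W memberships, it automatically adds the user to the LIST group of every managed parent folder, which is exactly the HR/Sales case above.

```powershell
# Added example, not code from the article: create the per-folder security groups from a
# permissions matrix (exported from the Excel sheet as CSV) and fill them with members.
# Assumptions: the ActiveDirectory module is available; groups are named "FG <Folder> <L|R|W>"
# (scheme taken from the article's "FG Sales Planning R"); $ShareRoot, $GroupOU and the CSV
# layout below are placeholders / constructed sample data.
Import-Module ActiveDirectory

$ShareRoot = '\\Department'                     # placeholder share root
$GroupOU   = 'OU=FileGroups,DC=example,DC=com'   # placeholder OU for the groups
$MatrixCsv = '.\permissions-matrix.csv'           # placeholder; constructed layout:
#   Folder,alice,bob,carol
#   \\Department\sales,W,R,
#   \\Department\sales\planning,,,R

# '\\Department\sales\planning' + 'R'  ->  'FG Sales Planning R'
function Get-FolderGroupName {
    param([string]$Folder, [ValidateSet('L','R','W')][string]$Level)
    $relative = $Folder.Substring($ShareRoot.Length).Trim('\')
    $words = $relative -split '\\' | ForEach-Object { $_.Substring(0,1).ToUpper() + $_.Substring(1) }
    return "FG $($words -join ' ') $Level"
}

function Add-GroupIfMissing {
    param([string]$Name)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global `
                    -GroupCategory Security -Path $GroupOU | Out-Null
    }
}

function Add-MemberIfMissing {
    param([string]$GroupName, [string]$User)
    $current = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
    if ($current -notcontains $User) { Add-ADGroupMember -Identity $GroupName -Members $User }
}

$matrix  = @(Import-Csv -Path $MatrixCsv)
$users   = $matrix[0].PSObject.Properties.Name | Where-Object { $_ -ne 'Folder' }
$folders = $matrix.Folder

foreach ($row in $matrix) {
    # Every managed folder gets its three groups, even if nobody is assigned yet
    foreach ($level in 'L','R','W') { Add-GroupIfMissing (Get-FolderGroupName $row.Folder $level) }

    foreach ($user in $users) {
        $cell = $row.$user
        if ([string]::IsNullOrWhiteSpace($cell)) { continue }
        $level = $cell.Trim().ToUpper()
        if ($level -notin 'R','W') {
            Write-Warning "Ignoring value '$cell' for $user on $($row.Folder) (expected R or W)"
            continue
        }
        Add-MemberIfMissing (Get-FolderGroupName $row.Folder $level) $user

        # Walk up towards the share root: every managed parent folder gets this user in its
        # LIST group, so the user can traverse to the folder without reading the parents.
        $parent = Split-Path -Path $row.Folder -Parent
        while ($parent -and $parent -ne $ShareRoot) {
            if ($folders -contains $parent) {
                Add-MemberIfMissing (Get-FolderGroupName $parent 'L') $user
            }
            $next = Split-Path -Path $parent -Parent
            if ($next -eq $parent) { break }   # reached a root the provider will not go above
            $parent = $next
        }
    }
}
```

With the constructed sample rows, carol ends up in “FG Sales Planning R” and, because “\\Department\sales” is itself a managed folder, in “FG Sales L” as well; the script only adds memberships, so revoking access still requires removing the user from the matrix and from the group, which is where the authorisation process described above comes in.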

No Assignment of Individual Permissions


As earlier mentioned, you should never assign individual permissions to users. Using security groups to control access to critical data minimises the risks of direct permissions and ensures easy management.

However, the permission structure is not always as simple as the company structure. Often, it will be necessary to create permissions that originate outside of the data area.

For instance, it might be necessary for an HR employee to have access to the company’s personnel planning table, which is located in the data area of “Sales”.

In this case where sensitive information should only be accessed by a specific individual, the IT administrator should not assign the HR employee to the Sales group. Instead, the administrator should provide that employee with permissions for this folder as an individual or even provide only the permission for a single file.

Failing to assign rights well will have fatal consequences:

  • If a search is to be done to find out where an uncooperative user has access permissions, it would have to be conducted on all servers, which is a difficult and demanding task.
  • If an employee changes their area of work or department, it is no longer easy to know which permissions must be changed. If there is no documentation, no one will know what permissions that employee had.
  • If an employee leaves the company and their account is deleted, a “SID corpse” (an unresolvable security identifier that can no longer be associated with a person) will remain in the folder’s ACL.

Download Checklist

Click here to download a checklist that will assist you with assigning users to active directory security groups.

Next…

In the next step, we’ll talk about implementing proper tooling and reporting.

Managing Data Access on Windows Fileservers: Assignment of Groups

Step 3: Assignment of Groups

Assignment of Users to IT-Objects (Folders)

The third step in properly managing data access on Windows fileservers is to use security groups for assigning permissions.

A group consists of a set of users who have been granted certain permissions. This makes implementing and managing permissions easier than assigning permissions to individual users.

To give users access to data (whether the data consists of email distribution lists, file structures on file servers, or SharePoint spaces), administrators can create groups and assign them the necessary permissions.

For example:

You can give an employee from the Sales Team direct access to the folder “\\departments\sales” with “Full Control” permission. Doing so will allow the user to read the data and make changes to it. But what else will that user be able to do? With “Full Control” permission, that employee can also assign permissions and revoke them. Potentially, he/she could revoke access permissions for all other users, including administrators. Therefore, assigning such individual permissions is not considered a best practice and can lead to administrative nightmares. It is recommended to assign permissions via Active Directory groups. What if this user only needs permission to read data? Should this access be the same for each individual member of the sales team?


Assignment of General Security Groups to IT-Objects (Folders)

The usual, though incorrect, approach for creating permission structures is as follows:

A permission group is created for a department (e.g. Sales). At the same time, data areas will be created (e.g. file services, SharePoint spaces, and mail distributions).

The group “Sales” will then be assigned to these data areas. For example, this group gets “Write Access” permission for the file server folder “Sales” and “Read” permission on the web server. The mail distribution group is also taken care of using this authorisation group.


Next, we are faced with the following challenges:

  • The managing director would like to have access to “Sales”, but does not want to receive email from that group. Should the managing director be automatically put into the “Sales” group?
  • A trainee starts in “Sales”. He does not need access to mail distribution, but only requires “Read” access to the data areas. What permissions should he be given?
  • An employee from Human Resources needs “Read” access to a subset of the data area, but not to the web server. How will we proceed in this case?

In all the above cases, the simplest approach is no longer viable due to the following dilemma:

The permission groups should be constructed on the basis of the organisation’s structure, not on the demands and requirements of the data objects.

Permission Groups vs. Secure Objects (Folders)

The solution for the problem described above is as follows:

For each IT object (in our example, each folder in the file system), access requirements must be defined. For all underlying objects (in this case, further folders and files), this is done implicitly through inheritance of permissions. This principle means that at least one security group must be created within the Active Directory for each object requiring permissions (e.g. each folder).

This assignment of dedicated permission groups to each folder with permissions has all the desired benefits for daily operations and reports.

For each folder, it is possible to say exactly who has which permissions and access to the data in that folder, namely the users who are members of its particular permission groups.

Furthermore, we know what a user’s permissions will be thanks to the uniqueness of the assignment of an object (folder) to a permission group.

It is important to give the security groups succinct and intuitive names. With a proper naming approach, the permissions can easily be associated with their specific groups, making administration easier.

You can also nest security groups (add groups to other groups) to lower the number of permissions that are required to be awarded to users or groups individually.

It can be said that a 1:1 relationship exists between the objects (our folders) and the groups within the Active Directory, while a many:many relationship exists between the users and permission groups.

For the moment, we will ignore the fact that different groups are created for “Read” and “Write” permissions.

The below diagram shows how this works:


Different Permission Groups for One Folder

For our example, we will create three security groups within the Active Directory for each folder that requires permissions:

  • A group for the award of LIST permissions
  • A group for the award of READ Permissions
  • A group for the award of WRITE Permissions

The below screenshot shows the three permission groups for the folder “\\departments\Sales”:

“Read” permissions are assigned when a user only needs to read files within a folder. For example, all public information about a project in the folder “Project Office” or all lists with sales prices in the folder “\\departments\Sales\Items” would be covered under “Read” permissions.

“Write” permissions will be awarded only if a user needs to alter files. It is important to keep in mind that assigning “Write” permissions also gives the user the permission to delete.

In the two examples above, “Write” permissions would be assigned to the staff members in project management or the project office who create and maintain information, as well as the staff members from the sales team who specify the sales prices based on internal calculations.

List permissions are required when a user needs rights to folders deeper down in the file tree, but does not have “Read” or “Write” permissions for all the folders on the levels above.

This will ensure that the user can access the folder to which he/she has received permissions.

With Excel and some knowledge of scripting, it is possible to construct a simple way to create and administrate these security groups with folder permissions.

Restriction of Folder Permissions and Assignment of Permissions to Permission Groups

After all the necessary security groups have been created within the Active Directory, it is necessary to give these groups permissions for all appropriate folders. One should start with the highest folder in the hierarchy. In our example, that would be the “Sales” folder.

The process of allocation of folder permissions is done in three steps:

i). In the first step, any existing inherited permissions must be deactivated or revoked.

This will ensure that the folder will only have explicitly assigned permissions. If you deactivate the permissions, you should also delete the associated user account(s) from the Active Directory so that the user(s) no longer enjoy access.

ii). In the second step, the permissions for the administrator group must be created. The following best practices are worth taking note of:

  1. The built-in account “system” receives “Full Control” permission. This is important since the operating system uses this account for certain services and processes. Thus, you should ensure that this permission is always granted.
  2. The local group “Administrators” will likewise receive “Full Control”. This ensures that the server administrators always have access to the necessary data and permissions. In addition, some backup programs also need these permissions to function correctly.
  3. Furthermore, you should create a security group for operators and administrators with “Full Control”. This guarantees that the IT administrators have the necessary permissions for the daily operation of the file server.

iii). In the third step, the security groups created for each folder must be assigned to the folder. The awarded permissions will be assigned as follows:
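The following script is an added example, not code from the article, that carries out the three steps above on one folder with Get-Acl and Set-Acl: it cuts off inherited permissions, grants SYSTEM, the local Administrators group and an operators group Full Control, and then assigns the folder's own LIST, READ and WRITE groups. It assumes the “FG <Folder> <L|R|W>” naming from this series; the folder path and the operators group are placeholders, and the concrete NTFS rights chosen for LIST, READ and WRITE (read-and-execute on this folder only, read-and-execute inherited, Modify inherited) are this example's mapping, not a statement from the article.

```powershell
# Added example, not code from the article: apply the three steps to one folder.
# Assumptions: the folder's groups follow the "FG <Folder> <L|R|W>" naming from the article;
# DOMAIN\FileServer-Operators and D:\Shares\Sales are placeholders; the NTFS rights mapped to
# LIST / READ / WRITE are this example's choice.
$Folder       = 'D:\Shares\Sales'               # placeholder: local path of the share
$OperatorsGrp = 'DOMAIN\FileServer-Operators'   # placeholder: operators/administrators group
$ListGrp      = 'DOMAIN\FG Sales L'
$ReadGrp      = 'DOMAIN\FG Sales R'
$WriteGrp     = 'DOMAIN\FG Sales W'

$SubfoldersAndFiles = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisFolderOnly     = [System.Security.AccessControl.InheritanceFlags]::None

# Build an Allow entry for $Identity with the given rights and inheritance scope
function New-AllowRule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$AppliesTo)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $AppliesTo,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $Folder

# Step i: stop inheriting from the parent. The second argument ($false) discards the inherited
# entries instead of copying them, so only explicitly assigned entries remain on this folder.
$acl.SetAccessRuleProtection($true, $false)

# Step ii: the administrative principals get Full Control on the folder, subfolders and files.
foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $OperatorsGrp) {
    $acl.AddAccessRule((New-AllowRule $admin FullControl $SubfoldersAndFiles))
}

# Step iii: the folder's own groups.
# LIST: read-and-execute on this folder only, enough to open the folder and continue downwards
$acl.AddAccessRule((New-AllowRule $ListGrp  ReadAndExecute $ThisFolderOnly))
# READ: read-and-execute on everything below
$acl.AddAccessRule((New-AllowRule $ReadGrp  ReadAndExecute $SubfoldersAndFiles))
# WRITE: Modify (which, as the article notes, includes delete) on everything below
$acl.AddAccessRule((New-AllowRule $WriteGrp Modify         $SubfoldersAndFiles))

Set-Acl -Path $Folder -AclObject $acl

# Verify: no entry should be marked as inherited any more
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

Existing explicit entries on the folder are deliberately left in place by this script so that they can be reviewed before removal; the verification listing at the end shows them alongside the entries just added.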

Awarding Additional Permissions for Deep Data Sub-Structures


You should avoid managing permissions on folders that lie very deep within your folder structure. A practical limit is to assign permissions no deeper than the fifth level.

If there are no restrictions on the number of levels in the file structure for the assignment of permissions, the complexity of the administration tasks increases exponentially. Suppose that the average number of subfolders in a file system is 10.

The complexity of the administration and documentation of the highest-level folder will be 10. If a second level is included, the complexity will increase to 10×10 or 100.

If we further assume that the average folder depth is 10 and that there are no restrictions on folder authorisations, the management complexity will be 10 billion.

That means an IT administrator may theoretically be required to manage 10 billion permissions. This further complicates documentation, reporting, and changes.

Avoid “Deny” Permissions


The need to deny a user access to a specific folder does not mean that you should use the “Deny” permission, as doing so increases the complexity of administration, documentation, and reporting by an unnecessarily large magnitude.

For example, during each assignment of permissions, all “deny” groups within the parent data areas must be checked.

When planning the folder structure, one must always keep this consideration in mind and structure the files with their permission groups in such a way that the “Deny” permission is not used at all.

In practice, this is easily possible if you present the users with a folder structure and do not capitulate to the requests of every staff member.

Do Not Use the “Share” Permission


When creating shares within a file system, it is possible to restrict access at the share level as well, through the “Share” permissions.

Doing so unnecessarily doubles the complexity of administration, since two permission sets must be kept in step. Instead, one should generally assign a uniform “Write” permission at the share level and control access through the folder permissions.

Furthermore, to avoid unwanted attempts to gain access, one can hide the shares (by putting a $ sign at the end of the share name).

In Windows Server 2012, the “access-based enumeration” setting has the effect that a user will only be able to see a folder if he/she has permission to access it.
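The following is an added example, not code from the article, of creating a share that follows the three points above: a hidden name ending in “$”, a single uniform share-level permission so that access is decided by the NTFS folder permissions, and access-based enumeration switched on. It assumes Windows Server 2012 or later with the SmbShare cmdlets; the path and the principal are placeholders.

```powershell
# Added example, not code from the article: publish a folder as a hidden share with a uniform
# share-level permission and access-based enumeration, leaving access control to NTFS.
# Assumptions: Windows Server 2012 or later with the SmbShare module; path and principal are placeholders.
$Path      = 'D:\Shares\Sales'      # placeholder
$ShareName = 'Sales$'               # trailing $ hides the share from browse lists
$Principal = 'Authenticated Users'  # everyone who may reach the share at all; NTFS decides the rest

function Publish-HiddenShare {
    param([string]$Name, [string]$Path, [string]$Principal)
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        # ChangeAccess is the share-level write permission; AccessBased enumeration hides
        # folders from users who have no permission on them
        New-SmbShare -Name $Name -Path $Path -ChangeAccess $Principal `
                     -FolderEnumerationMode AccessBased | Out-Null
    } else {
        # Share already exists: only make sure access-based enumeration is on
        Set-SmbShare -Name $Name -FolderEnumerationMode AccessBased -Force
    }
    # Show what was configured, share settings first, then the share-level permissions
    Get-SmbShare -Name $Name | Select-Object Name, Path, FolderEnumerationMode
    Get-SmbShareAccess -Name $Name | Select-Object AccountName, AccessControlType, AccessRight
}

Publish-HiddenShare -Name $ShareName -Path $Path -Principal $Principal
```

Because the share grants only one principal one access right, the permission reports described in Step 5 only need to examine the NTFS ACLs; the share itself adds nothing that has to be documented per user.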

Download Checklist

Click here to download a checklist that will assist you with using security groups for assigning permissions.

Next…

In the next step, we’ll talk about assigning users to active directory security groups.

Managing Data Access on Windows Fileservers: Processes and Responsibilities

Step 2: Processes and Responsibilities

Definition of Business Processes and Responsibilities

The second step in properly managing data access on Windows fileservers is to clearly define business processes and responsibilities.

Each user has a specific responsibility within the business premise. To carry out the various processes and realise the business’ goals, every user should be granted the privileges to access certain resources and undertake particular tasks.

However, allowing users uncensored access to system and network resources within the organisation can weaken its security and stability.

Importantly, access to computer and network resources should be restricted based on the responsibilities of individual users within the organisation.

If a user is not responsible for a particular business process, there is no need to grant him or her permissions to perform the task.

Since controlling access to business data is the foundation of data security and, in some cases, of data privacy, universally applicable, mandatory processes must be defined together with someone from senior management.

The process of defining processes and responsibilities should be based on a comprehensive assessment of how a business operates, and should include input from the management.

The management must also be willing to give its full support to the implementation and enforcement of the role-based access control (RBAC) rules.


What are Business Processes?

Business processes define work flows and responsibilities. In addition, processes can also outline the tools required or recommended for the execution of said processes.

Some examples of processes:

  • Data requests
    • Requesting permissions
    • Changing permissions
    • Withdrawing permissions
  • Creating new objects
  • Assignment of and changes to responsibilities
  • Assignment and modification of owners
  • Expansion of storage requirements

Processes are often presented in the form of diagrams. Below, you will find a simple example of an assignment of permissions.


Compliance with these processes must be mandatory.

To ensure mandatory compliance, one must have the support of senior management or IT management, who must then communicate the necessary access control rules to all employees.

What are Responsibilities?

Responsibilities are defined based on the user’s competency, functions, and authority.

In an organisation, responsibilities can be created, changed, or discontinued depending on the prevailing needs and goals to be accomplished.

Responsibilities describe the types of processes that users are allowed to accomplish within the organisation.

Through assigning responsibilities to users, the management can ensure various processes are completed based on the intended goals to be achieved.

The IT department should work together with the management to ensure that users do not have access to resources beyond their stipulated responsibilities or level of control.

In case of changes in responsibility, the access level for that user should be adjusted as soon as possible. If a user has unnecessary access to a particular system, it can hamper the smooth running of the business process.

The following scenario illustrates how responsibility can be managed:

Irene works in the Marketing department and requires to view—but not create or modify—certain files from the Finance department. The Finance department, which is fully responsible for these files, utilises access control to restrict the users allowed to have Read-only, Write, or Modify access to them.

Irene is granted Read-only permissions to the Finance files. Likewise, the IT department decides that preventing users such as Irene from making changes to their systems helps the company’s processes run smoothly and enhances security.

Consequently, IT moves Irene and other users to the Users group, which restricts their actions to their assigned responsibilities and prevents them from making any reconfigurations to the system.

As a result, Irene has access to the resources she needs to undertake her responsibilities, the security of the processes within the organisation is improved, and the stability of the network is solidified.

Responsibility of the Executive Board or Management

Administrators are responsible for the management of IT infrastructure, but they are not responsible for file structures or business processes concerning the assignment of permissions to data or other IT objects.


Often there will be few or no documented IT processes, which indicates that documentation is not being done well enough.

Unfortunately, senior management will often place the responsibility for permissions in the hands of the IT administrator.

This is not a good idea. For instance, decisions regarding whether an employee shall have access to sales data will time and again prove to be poor decisions, especially if the “applicant” has better argumentation skills than the IT staff member or is located in another level of the company hierarchy.

In other words, if the head of the “service” department wants his employees to receive permission to access data in the “sales” department, the decision should only be made by the head of the “sales” department.

Managing Changes in Responsibilities

The responsibilities of users should be aligned with their data access privileges. In case of changes in responsibilities, the previously allowed rights should be revoked and proper adjustments made.

For example, giving new staff members with new responsibilities a handbook that describes the IT environment of the company and all of the company’s IT processes has been proved to be extremely beneficial in managing changes in organisations.

If a new employee requests access rights, the data access privileges should only be awarded once the mandatory approval process has been successfully carried out – without exception.


To demonstrate the execution of the individual steps in a process, it is necessary to have so-called “Use Cases”. Use Cases are step-by-step explanations of how an administrator (for example) creates a new file folder with individual permissions, especially when users change roles in an organisation.

Further examples are:

  • Awarding a new user permission to access a particular data area
  • Revocation of an old user’s permission to access a particular data area


Lack of Compliance with Business Processes and Requirements

Employees will frequently attempt to circumvent business processes. A typical example of this would be a call to the IT department, without filling out the required permission forms, to gain certain permissions.

This will typically be justified by arguments like “it’s important”, “it’s urgent”, “I forgot to fill out the forms, but the new staff member is already here”, “I have specific instructions from the boss”, “if I don’t get the permissions immediately, then….”

In such cases, the IT staff member will normally fail to document the assignment of permissions.

The reason that there was “not enough time” will often be used to circumvent clear instructions regarding file folder structures or permission concepts.

The following scenario is a good illustration of this:

There is a requirement that access permissions for a file server may only be given on the file folder level. Despite this, the department head makes a request to receive the necessary permissions to access a specific file.

To resolve this conflict, the IT administrator will have to create a new file folder and put the file into it. It would then be necessary to create and assign all permissions for this file folder.

Instead of doing that, IT administrators will frequently try to save time and give the department head the requisite permissions for the file as a “one-off” exception.

Best Practices

Here are some practices you should follow to ensure proper management of processes and responsibilities:

  • Implement the principle of least privilege, where users are granted the minimum access rights needed to carry out their responsibilities. This helps ensure that if a user’s account is compromised, the consequences for the business processes are limited by the few rights the user possesses.
  • Periodically audit the responsibilities within the organisation to ensure they are aligned with the stipulated processes. If not, revoke the unnecessary permissions and make proper adjustments.
  • Do not give in to the temptation of creating exceptions for circumventing the already assigned responsibilities and rules. If you do this, you will be avoiding complying with business processes and requirements, and endangering the security of the organisation.
  • Recognise that not every employee requires a starring role, and properly grant access rights based on the stipulated responsibilities, and nothing more.
  • Ensure that the IT department works together with the senior management so that employees’ access privileges are properly aligned with their responsibilities within the organisation.

Download Checklist

Click here to download a checklist that will assist you with defining business processes and responsibilities.

Next…

In the next step, we’ll talk about using security groups for assigning permissions.

Managing Data Access on Windows Fileservers: Planning

Step 1: Planning

Designing Folder Structure and Policies for Permission Assignment

Foremost, to successfully manage data access on Windows fileservers, sufficient planning is necessary; without it, failure may follow.

Comprehensively planning the design of folder structures and policies for permission assignment will greatly minimise administrative headaches and maximise productivity.

Planning how to set up folder structure for deployment to your team is indispensable. In the absence of planning, all your efforts to manage data access may fail to yield the desired results.

Incorporating some planning can transform your shared-folder environment into the land flowing with milk and honey.

To successfully and efficiently operate a complex Windows Folder Structure without any hassles or security leaks, you have to take the following points into consideration:

  • Plan a folder structure to store the users’ data files (documents, slides, graphics, drawings, etc.)
  • Plan the shares
  • Plan the Active Directory security groups
  • Plan the permissions


Why is Planning the Design of Folder Structure Important?

If there is a lack of definition for any of the above topics or if substantial mistakes are made in the planning phase, the problems that occur during operation will increase with each day.

Thus, you will require more time for operations, analysing problems will become more difficult, and the necessary enhancements will require far more effort to achieve.

Most of the time, the only solution will be to plan and create a completely new Windows filesystem environment, which will include a time-intensive data migration into the new folder structure.

The first step is to set up a folder structure and assign the appropriate permissions to that structure. The next step is the long-term daily management and operation of that environment.

Below are some of the real-life situations that a Windows administrator could have a hard time dealing with if a proper folder structure is not designed from the start:

  • The project manager urgently needs a new folder added to the project share with permissions set for only the project office.
  • The employees in the accounting department change so often that, every day, a new employee needs permissions assigned while departing teammates need their permissions removed.
  • The boss of the legal department has doubts that his data is secure and requests a list of the data trustees for his folders.

Such mistakes will make the administrator’s job far more stressful and will force them to spend time on many routine operations and tedious tasks. That wasted time could be invested in much more useful technologies.

What is the importance of planning an authorisation concept?

A solid, comprehensive plan will help avoid problems! The key to a secure and stable Windows Share and Folder environment is a solid authorisation concept. If this is in place, you can trust in the security of your data!

It is important to plan for an access authorisation concept before your IT administrators create new data structures within your system, no matter if those structures are for file data, web pages (Microsoft SharePoint), databases (MS SQL Server), applications, mailing lists, or folders (Microsoft Exchange).


If this authorisation concept is missing on all levels, especially for:

a) use cases, such as:

  • Permission assignments for users
  • Withdrawal of permissions for individual users in individual access areas
  • Simple reporting of access rights

b) and business processes, such as:

  • Approval processes for data access
  • Approval processes for the creation of new objects in the data structure

then, the tasks of day-to-day management and medium-term reporting will no longer be easily implementable.

These tasks will grow increasingly time-intensive as more uncertainties and security risks manifest.

This is a nightmare for every IT administrator and security officer. Therefore, proper planning beforehand is essential.

Creation of a Windows Folder Structure

What kind of plan should you have for smooth daily operations?

The needs of your organisation will likely determine the way you plan for the creation of a Windows folder structure.

If you have a plan that allows for a folder structure that is intuitive and easy to navigate, it will greatly smooth daily operations and maximise productivity.

You should ensure that poor practices and inefficient workflows are not included in your planning.


Here are some questions to consider when planning your structures:

  • How should data files get organised? Are users allowed to create folders on their own?
  • Who is responsible for moving, owning, and maintaining the data? Whom do I speak to if an employee from one department requests permissions for a folder in a different department?
  • How should the shares be designed? For instance, does every department need its own share? Is one share per business domain enough?
  • How should the structure for the folders in the Active Directory be built? How should the Active Directory security groups be designed?
  • How should I name the shares, folders, and Active Directory security groups?
  • Should folder depth be limited? Is it efficient to manage the permissions of folders five levels deep?
  • How should users who are assigned to specific folders gain access? Why shouldn’t users be directly assigned to those folders? Do users need different levels of access or are groups suitable?
  • How should the files and folders be backed up? How do I guarantee the software will be able to access all the data within the structure?
  • Are there any specific security concerns around your shared content?
  • Do your administrators require full access to users’ content?

To answer these questions, you’ll need to define some policies for permissions assignment:

  • Policies for file and folder structures
  • Policies for every data owner; that is, who is responsible for which folder
  • Policies for shares
  • Policies for security groups in the Active Directory
  • Policies for naming conventions for shares, folders, and groups
  • Policies for folder nesting depth limits
  • Policies for permission assignments of users to gain access
  • Policies for permission assignments for backup service accounts, operators, and administrators

Some Suggestions

Here are some real-life examples of defined policies:

  • Shares: The number of shares is not limited.
  • Shares: The names should not be longer than 10 characters. Special characters are not allowed.
  • Folders: The number of folders is not limited.
  • Folders with Permissions: The name of a folder should not exceed 15 characters. Special characters (_ and ,) are not allowed.
  • Permissions: Permissions are assigned to folders, never to shares or files. Only permissions of type “Allow” are allowed. Never assign permissions of type “Deny”.
  • Folder Nesting: Only assign security groups permissions to folders in the first or second hierarchy level. Child folders inherit the permissions of their parent folders.


  • Security Groups: For every folder with necessary permissions, an appropriate security group is created in the Active Directory.
  • Naming Convention: Name security groups like this: FS_<sharename>_<foldername>[_<foldername>]_<permissions>
  • Quota: Every folder with permissions will get a default quota of 100 GB. Enhancements should be requested by the data owner.
  • Responsibility: For every folder with permissions, a responsible individual must be defined to manage said permissions. This person will decide who gets which kind of access permissions or quota enhancements.


When your IT team takes all these policies and rules into consideration, you will be able to avoid most of the problems mentioned earlier.

Best Practices

Here are some practices you should follow to ensure quality planning when setting up your structures:

  • Define your policies and rules in detail. This step will help you ensure simple administration and smooth daily operations.
  • Exceptions must always be documented.
  • Never assign permissions to shares. Only assign permissions to the underlying folders!
  • Never assign full control to shares or folders. This could lead to administrators accidentally being locked out by users.
  • Remove “creator” and “owner” permissions. Having such permissions could lead to lock outs.
  • Assign full control on folders only to the internal system account.
  • Plan for your sensitive, confidential data to live towards the top of your structure (at a higher folder level). This way, you can easily restrict unauthorised access.
  • To enhance efficiency, ensure the folder structure is as flat as possible. A quick rule of thumb is to set the limit for managed folders to go as far as the third level within your structure. Beyond this level, if users create more folders based on their needs, those folders will not get permissions assigned to them individually.
  • The IT department should never be the data owners. Any data owners must be an employee of an appropriate department.
  • Observe clear, consistent naming conventions for folders. This way, a user can easily search for content without losing focus.
  • For external collaboration, create separate and clearly labelled folders. For example, you can create a separate root level folder for communicating with third parties.
  • Plan to actively police permissions by frequently cleaning out unnecessary and un-audited permissions.
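The policy examples under “Some Suggestions” and the best practices above are only useful if someone checks the file server against them. The script below is an added example, not code from the original article: it walks one share and reports every folder or access control entry that violates those rules (Deny entries, Full Control for anything but system accounts, CREATOR OWNER entries, explicit permissions below the second level, names that break the length, character or FS_<sharename>_<foldername>_<permissions> conventions, and permissions set on the share itself). The share name, its local path, the permission suffixes R/RW/M and the list of system principals are assumptions you adjust to your own policy.

```powershell
# Added example (not part of the original article): audits one share against the
# policies and best practices stated above. The share name, its local path, the
# permission suffixes R/RW/M and the list of system principals are assumptions.
$ShareName           = 'Projects'               # assumed share name
$ShareRoot           = "D:\Shares\$ShareName"   # assumed local path behind the share
$MaxManagedDepth     = 2                        # groups only on level 1 or 2 below the share
$MaxFolderNameLength = 15
# FS_<sharename>_<foldername>[_<foldername>]_<permissions>, qualified with a domain prefix
$GroupNamePattern    = "^[^\\]+\\FS_${ShareName}_[A-Za-z0-9]+(_[A-Za-z0-9]+)?_(R|RW|M)$"
# Accounts allowed to carry explicit entries (including Full Control) outside the convention
$SystemPrincipals    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$FullControl         = [System.Security.AccessControl.FileSystemRights]::FullControl

function New-Finding([string]$Path, [string]$Principal, [string]$Text) {
    [PSCustomObject]@{ Path = $Path; Principal = $Principal; Finding = $Text }
}

function Get-ShareFinding {
    # Access control belongs on folders, so the share itself should only carry the
    # broad default principals (assumed list)
    $allowed = @('Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        if ($entry.AccountName -notin $allowed) {
            New-Finding "\\$env:COMPUTERNAME\$ShareName" $entry.AccountName 'permission assigned on the share instead of a folder'
        }
    }
}

function Get-FolderFinding {
    param([string]$Path, [int]$Depth)
    $name     = Split-Path -Leaf $Path
    $acl      = Get-Acl -LiteralPath $Path
    # Only non-inherited entries represent a decision taken on this folder
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

    if ($explicit.Count -gt 0) {
        if ($name.Length -gt $MaxFolderNameLength) { New-Finding $Path '-' "folder name longer than $MaxFolderNameLength characters" }
        if ($name -match '[_,]')                   { New-Finding $Path '-' 'folder name contains _ or ,' }
        if ($Depth -gt $MaxManagedDepth)           { New-Finding $Path '-' "explicit permissions below level $MaxManagedDepth" }
    }
    foreach ($ace in $explicit) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny') { New-Finding $Path $id 'Deny entry; only Allow entries are permitted' }
        if ($id -eq 'CREATOR OWNER')           { New-Finding $Path $id 'CREATOR OWNER entry should be removed' }
        if (($ace.FileSystemRights -band $FullControl) -eq $FullControl -and $id -notin $SystemPrincipals) {
            New-Finding $Path $id 'Full Control granted to a non-system account'
        }
        if ($id -notin $SystemPrincipals -and $id -ne 'CREATOR OWNER' -and $id -notmatch $GroupNamePattern) {
            New-Finding $Path $id 'principal does not follow the FS_<share>_<folder>_<permissions> convention'
        }
    }
    foreach ($child in Get-ChildItem -LiteralPath $Path -Directory -ErrorAction SilentlyContinue) {
        Get-FolderFinding -Path $child.FullName -Depth ($Depth + 1)
    }
}

# Depth 0 is the share root itself; its first-level subfolders are depth 1
$findings = @(Get-ShareFinding) + @(Get-FolderFinding -Path $ShareRoot -Depth 0)
$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it on the file server itself (Get-SmbShareAccess ships with the SmbShare module on Windows Server 2012 and later). Unresolved SIDs of deleted accounts show up as findings too, because a raw SID never matches the naming pattern; those are exactly the orphaned entries the “actively police permissions” item asks you to clean out.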

Download Checklist

Click here to download a checklist that will assist you with planning on how to manage data access on Windows fileservers effectively.

Next…

In the next step, we’ll talk about defining business processes and responsibilities.

Managing Data Access on Windows Fileservers: Introduction

Windows fileservers are usually seen as convenient storage systems for managing data access within an organisation.

However, fileservers are a mixed blessing: aside from being effective in providing easy user access, their improper management is often the headache of the IT department.

Unauthorised access to shared data, corruption, alteration and even deletion of files and folders, as well as illicit exfiltration of sensitive data are some of the pains that fileservers cause to organisations both small and large.

Importance of managing data access on Windows fileservers

Here are five reasons why properly managing data access on Windows fileservers is important.

1. Prevent Privilege Creep

Privilege creep is a security nuisance that occurs when a user accumulates more access rights than were initially intended.

If a user’s access privileges are not revoked, particularly after changing roles within the organisation, it can result in privilege creep.

For example, if a manager with access rights to important company files is demoted and the rights are not revoked, he may misuse the privileges and cause major damage.

Why is preventing privilege creep important?

  • An employee with unrevoked privileges can maliciously access important data and bring the company to its knees
  • If the account of an employee with uncleaned privileges is hacked, the damage can be far greater
  • Managing user accounts with excessive privileges is burdensome and costly

2. Prevent Data Breaches

If access to Windows fileservers is not properly managed and unauthorised access prevented, it can result in heavy data loss and theft.

Data breaches are a nightmare to organisations worldwide, with a recent study estimating that they led to losses of about $3.62 million in 2017.

Currently, most organisations have invested in heavy IT infrastructure where a huge number of files and folders are accessed frequently.

In such a scenario, tracking inappropriate access to sensitive files and folders becomes difficult, unless there is considerable investment in managing access.

Regularly examining security logs, scanning the network, and monitoring outbound traffic can substantially reduce the risk of data breaches.

3. Better Auditing of Sensitive Folders and Files

Properly managing data access on Windows fileservers enables better auditing and tracking of the usage of sensitive folders and files.

If permissions are granted to users, the actions they undertake, such as file creation or modification, can be tracked.


With proper management, it is easier to get answers to “Who”, “What”, “When”, and “Where” questions concerning any alterations made by any user in Windows fileservers within the network.

This way, if the auditing reveals wrong usage, the permissions can be revoked to ensure security is maintained.

The following example is an illustration of this:

A user group can be granted permissions to “List folder contents”. This permission allows the group to view and list the items present in the selected folder.

However, if the auditing reveals that the user group also has other unintended permissions, they can be revoked and reassigned.

4. Provide complete visibility of fileservers

Practicing proper management provides comprehensive information on every access event taking place across the Windows fileservers.

With complete visibility of every user activity across the organisation’s fileservers, improper settings and security loopholes can be prevented.


The following example is an illustration of this:

If a visibility analysis reveals that “Deny” permissions have been assigned to a folder, it implies that Allow permissions will be overridden, leading to hard-to-resolve administrative hurdles and an insecure configuration.

Therefore, with complete visibility of the fileservers, such improper settings can be avoided.

5. Saves Time and Effort

Properly managing data access on Windows fileservers also reduces the time and effort wasted on various fileserver activities.

The following example is an illustration of this:

Nested security groups waste time and effort when keeping track of the various fileserver activities.

When a group is a member of another group whose members can access a particular folder, any analysis of who can actually reach that folder becomes time-consuming and prone to security flaws.


However, with proper management, a considerable amount of time can be saved while ensuring that best practices are observed for optimal network security.
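Answering “who can actually reach this folder” through a chain of nested groups is the analysis the section above calls time-consuming. The function below is an added example, not part of the original article: it flattens a nested group into its effective user members, records the membership path each user came in through, and refuses to loop if a group is (directly or indirectly) a member of itself. The group tree is constructed sample data; with the ActiveDirectory module the `$Groups` lookup would be replaced by a call to Get-ADGroupMember.

```powershell
# Added example (not part of the original article): resolves the effective members
# of a nested security group. $Groups is a constructed sample of group -> members;
# in production, replace the lookup with Get-ADGroupMember -Identity $Group.
$Groups = @{
    'FS_Legal_Contracts_R' = @('GRP_Legal_Staff', 'GRP_Auditors')
    'GRP_Legal_Staff'      = @('alice', 'bob', 'GRP_Legal_Interns')
    'GRP_Legal_Interns'    = @('carol')
    'GRP_Auditors'         = @('dave', 'GRP_Legal_Staff')   # second path to the same users
}

function Resolve-GroupMember {
    param(
        [string]$Group,
        [string[]]$Path = @(),        # groups traversed so far (for the Via column and loop detection)
        [hashtable]$Seen = @{}        # users already reported, shared across the recursion
    )
    $chain = $Path + $Group
    foreach ($member in $Groups[$Group]) {
        if ($Groups.ContainsKey($member)) {
            if ($chain -contains $member) {
                # A group nested inside itself would recurse forever; report and skip it
                Write-Warning "nesting loop: $($chain -join ' > ') > $member"
                continue
            }
            Resolve-GroupMember -Group $member -Path $chain -Seen $Seen
        } elseif (-not $Seen.ContainsKey($member)) {
            # Report each user once, with the first membership path that reached them
            $Seen[$member] = $true
            [PSCustomObject]@{ User = $member; Via = (($chain + $member) -join ' > ') }
        }
    }
}

Resolve-GroupMember -Group 'FS_Legal_Contracts_R' | Format-Table -AutoSize
```

The Via column is what makes the output useful during a review: a user who should not have access is removed from the group named in that path, not from the folder’s ACL, and a loop warning points at a nesting that a permissions report tool will also struggle with.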

Conclusion

In the next couple of articles, we’ll talk about the five steps to managing data access on Windows fileservers effectively.

Here are the steps we’ll cover:

How to Prevent Privilege Creep With FolderSecurityViewer

Ensuring the right access privileges are aligned with appropriate user roles is usually the headache of the IT department.

If there is a mismatch between a user’s responsibilities and their access privileges, it poses serious security risks, including data breach, exfiltration of sensitive information, and implantation of viruses and worms on the company’s systems.

In this article, we are going to talk about how to prevent privilege creep using a versatile tool known as FolderSecurityViewer.

What Is Privilege Creep?

Typically, privilege creep refers to the steady gathering of un-audited access rights beyond what a person requires to complete their tasks.

If a user requires rights to access an IT infrastructure, and sufficient justification has been given, those rights should be given.

However, when that same individual no longer needs those rights, and nothing is done to remove them, they remain unchanged. Over time, with the addition of more roles, a person can gather unnecessary and insecure rights.

How Privilege Creep Occurs

Put simply, privilege creep takes place when users’ privileges are not cleaned out, especially after changing roles. Promoting employees, demoting employees, or transferring them between departments are the major causes of privilege creep.

For example, a manager is hired and granted access rights to the sensitive IT systems in a company. After some months in the position, he is demoted and a new manager is hired to replace him. However, the old manager’s access rights are never revoked, so he still retains them.

The same scenario can happen when an employee is transferred to another department or an employee is promoted to a higher position. Also, if an employee is granted temporary access permissions to cover for vacations or prolonged absences, and the rights are not rescinded, privilege creep can ensue.

Dangers of Privilege Creep

Privilege creep usually leads to a two-fold security risk to organizations. The first risk occurs when an employee who still has uncleaned privileges gets tempted to gain unauthorized access to a sensitive system.

In most organisations, security incidents take place because of dissatisfied employees attempting to cause damage or just ‘make a point’. If such employees have unnecessary privileges, they can maliciously gain entry into systems away from their immediate workstation, making them difficult to catch.

Second, if the user account of an employee with excess privileges is hacked, a criminal can collect more information than if the privileges of the account were not excessive. If an account is compromised, it becomes the property of the attacker, and it is more lucrative if it has excess rights.

How to Avoid Privilege Creep

Carry out access reviews

The best technique for avoiding privilege creep is carrying out frequent, thorough access reviews. The IT department should regularly confirm every employee’s access rights to ensure the unnecessarily accumulated privileges are revoked.

If a company has invested in a robust identity and access management (IAM) system, undertaking access reviews becomes less taxing and making decisions concerning employees’ continued access becomes easier. Implementing an IAM system will ensure granted access privileges are appropriately authenticated and audited.

Importantly, when conducting access reviews, the principle of least privilege should be applied. The permissions granted to users should be limited to the minimal level that enables them to carry out their tasks without any difficulties. For instance, someone in the HR department should not be given the privileges of accessing the organization’s customer database.

Access reviews should be maintained throughout the year, with a frequent rotation in every department within the company. Every employee, from the CEO to the lowest-ranked, should have their access permissions periodically reviewed, especially when there is a change in roles.
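An access review boils down to comparing what the data owners approved with what the directory actually grants. The script below is an added example, not part of the original article: it takes an approved-access matrix and the current membership of the permission groups, and lists every membership that has no approval on record (to revoke) and every approval that was never granted (for the owner to confirm or withdraw). Both tables are constructed sample data; in production the “actual” rows would come from Get-ADGroupMember and the matrix from the data owners’ sign-off.

```powershell
# Added example (not part of the original article): an access review that compares an
# approved-access matrix with the membership actually found in the permission groups.
# Both tables are constructed sample data.
$approvedCsv = @'
Group,Member,ApprovedBy
FS_Projects_Alpha_RW,alice,project.office
FS_Projects_Alpha_RW,bob,project.office
FS_Finance_Reports_R,carol,finance.head
FS_Finance_Reports_R,erin,finance.head
'@

$actualCsv = @'
Group,Member
FS_Projects_Alpha_RW,alice
FS_Projects_Alpha_RW,bob
FS_Projects_Alpha_RW,dave
FS_Finance_Reports_R,carol
FS_Finance_Reports_R,alice
'@

function Compare-AccessReview {
    param([object[]]$Approved, [object[]]$Actual)
    $approvedBy = @{}
    foreach ($row in $Approved) { $approvedBy["$($row.Group)|$($row.Member)"] = $row.ApprovedBy }
    $granted = @{}
    foreach ($row in $Actual)   { $granted["$($row.Group)|$($row.Member)"] = $true }

    # Granted but never approved: privilege creep, to be revoked
    foreach ($row in $Actual) {
        if (-not $approvedBy.ContainsKey("$($row.Group)|$($row.Member)")) {
            [PSCustomObject]@{ Group = $row.Group; Member = $row.Member; Action = 'Revoke'; Reason = 'no approval on record' }
        }
    }
    # Approved but not granted: the request was never fulfilled or the approval is
    # stale; either way the data owner has to decide
    foreach ($row in $Approved) {
        if (-not $granted.ContainsKey("$($row.Group)|$($row.Member)")) {
            [PSCustomObject]@{ Group = $row.Group; Member = $row.Member; Action = 'Ask owner'; Reason = "approved by $($row.ApprovedBy) but not granted" }
        }
    }
}

$approved = ConvertFrom-Csv $approvedCsv
$actual   = ConvertFrom-Csv $actualCsv
# To review live groups instead of the sample table (requires the ActiveDirectory module):
# $actual = foreach ($g in ($approved.Group | Sort-Object -Unique)) {
#     Get-ADGroupMember -Identity $g -Recursive | ForEach-Object { [PSCustomObject]@{ Group = $g; Member = $_.SamAccountName } }
# }
Compare-AccessReview -Approved $approved -Actual $actual | Format-Table -AutoSize
```

Keeping the approval matrix under version control gives you the “who approved this, and when” trail the reviews need, and rerunning the comparison on a schedule turns the yearly review into a continuous one.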

Communication of changes in roles

Whenever an employee changes roles, it should be promptly communicated to the IT department. If formal notification is not given, the IT department may not revoke the employee’s access rights, which can lead to harmful consequences.

So, the HR department should work together with the IT department to avoid such lapses, and enhance the security of the company’s infrastructure.

Ensure privileges are aligned

By ensuring the privileges of each employee are aligned to their specific roles and responsibilities, it becomes easier to prevent this creeping monster.

In the company’s employee lifecycle management policy, a comprehensive documented process should be included that clearly outlines the IT-related actions.

In case of any changes to roles, prompt notification should be made to the IT department for updating of the privileges and closure of redundant accounts.

How FolderSecurityViewer Can Help

The task of preventing privilege creep is delicate and demanding. If you try to manually sift through a large number of users’ privileges, it can consume a lot of your time and drain a lot of resources, besides the mistakes and oversights that can ensue.

Therefore, investing in an IAM system can greatly reduce the extensive costs of tackling the security vulnerabilities ensuing from privilege creep as well as misaligned or abused privileges.

For example, FolderSecurityViewer is a powerful free tool you can use to see all the permissions accorded to users. After analysing the permissions, you can clean them out and reduce the chances of privilege creep occurring.

First, you’ll need to download the tool from here.

After launching the tool, select the folder whose permissions you need to review, and click the Permissions Report entry in the context menu for the magic to start.

  

You’ll then be provided with a comprehensive permissions report containing several things, including the names of users, department of users, and their respective allowed permissions.


If you want to get more information, you can click on the “Access Control List” button and see the various privilege rights accorded to users.

You can also export the permissions report in Excel, CSV, or HTML format for further analysis.

After carrying out the access reviews using FolderSecurityViewer, you can audit identities and permissions to ensure role-based privileges are applied and excessive privileges are revoked.

Conclusion

The FolderSecurityViewer is a wonderful tool you can use to provide you with visibility into the permissions and access rights for your IT infrastructure. This way, you can easily prevent privilege creep and avert costly security breaches from occurring.

Windows Server 2016 and GDPR

“As the world continues to change and business requirements evolve, some things are consistent: a customer’s demand for security and privacy.”
Satya Nadella, Microsoft’s CEO

An important topic in the European IT world these days is the GDPR (General Data Protection Regulation).

This new European data and privacy protection law will take effect on May 25, 2018. It applies to all citizens of the EU, and its purpose is to protect and enable the privacy rights of individuals.

The GDPR regulates the protection of any individual’s private data, no matter where that data is sent, processed or stored.

The GDPR forms a complex set of rules for any organisation that offers goods or services to EU citizens or collects and analyses data about EU citizens in any form, regardless of where the business is located.

The key elements of the GDPR can be summarised in three points:

  • Enhanced personal privacy rights
  • An increased duty of protecting personal data
  • Mandatory personal data breach reporting

In short, those points give EU residents access to their personal data and the right to manage it in any way (correct, erase or move it), demand awareness and responsibility from organisations that process personal data, and mandate reporting of detected breaches to supervisory authorities no later than 72 hours after detection.

How does the GDPR define personal and sensitive data, and how do those definitions relate to data held by organisations?

Personal data, as considered by the GDPR, is any information relating to an identified or identifiable natural person, whether through direct identification (legal name, etc.), indirect identification (specific information that can identify you when combined with other data), or online identifiers (IP addresses, mobile IDs and location data).

The GDPR sets specific definitions for genetic data (an individual’s gene sequence) and biometric data. This type of data, along with other subcategories of personal data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; data concerning health; or data concerning a person’s sex life or sexual orientation), is treated as personal data and requires the individual’s consent where such data are to be processed.

When any sensitive or personal data is processed on a physical or virtual server, the GDPR requires the implementation of technical and organisational security measures to protect personal data and processing systems from today’s security risks, such as ransomware attacks or any type of cyberterrorism.

Ransomware attacks pose an additional problem in light of the GDPR’s expected penalties, which make any company system holding personal and sensitive data a rich potential target. Depending on the kind of infringement, there may be monetary penalties from 2% up to 4% of the total worldwide annual turnover, not less than 10 to 20 million Euro.

What does the GDPR mean for Windows Server security and protection, and how does Windows Server support GDPR compliance?

In Windows Server 2016, security is an architectural principle, and it can be seen in four major points:

  • Protect – Focus and innovation on preventive measures
  • Detect – Monitoring tools whose purpose is to spot abnormalities and respond to attacks faster
  • Respond – Use of response and recovery technologies and experts
  • Isolate – Isolation of operating system components and data secrets, limited administrator privileges, and rigorously measured host health.

Implemented in Windows Server, those points greatly improve the defence against possible data breaches.

Key features within Windows Server are designed to help users efficiently and effectively implement the security and privacy mechanisms the GDPR requires for compliance.

Windows Server 2016 helps block the common attack vectors used to gain illegal access to user systems: stolen credentials, malware, and a compromised virtualization fabric.

In addition to reducing business risk, the security components built into Windows Server 2016 help address compliance requirements for key government and industry security regulations.

These identity, operating system, and virtualisation protections enable better protection of a datacenter running Windows Server as a VM in any cloud, and limit the ability of attackers to compromise credentials, launch malware, and remain undetected. Likewise, when deployed as a Hyper-V host, Windows Server 2016 offers security assurance for virtualisation environments through Shielded Virtual Machines and distributed firewall capabilities. With Windows Server 2016, the server operating system becomes an active participant in data center security.

The GDPR specifically regulates control over access to personal data and the systems that process it, including administrator/privileged accounts. It defines privileged identities as any accounts that have elevated privileges, such as user accounts that are members of the Domain Administrators, Enterprise Administrators, local Administrators, or even Power Users groups.

Such accounts are protected from compromise by the following guidelines, which all organisations should implement:

  • Reasonable allocation of privileges – Users should not have more privileges than needed for successful job completion.
  • Limit sign-in time for privileged accounts to “strictly work-related operations”.
  • Social engineering awareness – to prevent email phishing and the possibility of a security breach through seemingly “harmless”, lower-level accounts
  • Every account with unnecessary domain admin-level privileges increases exposure to attackers seeking to compromise credentials. To minimise the attack surface, it is recommended to provide only the specific set of rights that an admin needs to do the job – and only for the window of time needed to complete it. This way of administration is called Just Enough Administration and Just-in-Time Administration, and it is highly recommended.
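Just Enough Administration, mentioned in the last point, is built into Windows Server 2016 as constrained PowerShell remoting endpoints. The script below is an added example, not part of the original article: it registers a JEA endpoint on a file server through which members of one operator group can inspect permissions and change ACLs under a single share root, and nothing else, running as a virtual account that exists only for the duration of the session. The module name, the domain and group name, the share root and the transcript directory are assumptions.

```powershell
# Added example (not part of the original article): a Just Enough Administration
# endpoint for a file server. The module name, domain\group, share root and
# transcript directory are assumptions; adjust them to your environment.
$ModuleName = 'FileServerOps'                                                      # assumed
$ModuleRoot = "C:\Program Files\WindowsPowerShell\Modules\$ModuleName"            # assumed
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir, 'C:\JeaTranscripts' -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot "$ModuleName.psd1")

# Role capability: only the cmdlets the job needs. Set-Acl is exposed solely for
# paths under D:\Shares (assumed share root), so the operator cannot rewrite
# system ACLs or touch anything outside the data folders.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir "$ModuleName.psrc") -VisibleCmdlets @(
    'Get-Acl', 'Get-ChildItem', 'Get-SmbShareAccess',
    @{ Name = 'Set-Acl'; Parameters = @{ Name = 'Path'; ValidatePattern = '^D:\\Shares\\' }, @{ Name = 'AclObject' } }
)

# Session configuration: no interactive shell (RestrictedRemoteServer), run as a
# virtual account created per session so no standing admin credential can be
# stolen, and every session transcribed for audit.
$SessionFile = Join-Path $env:TEMP "$ModuleName.pssc"
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\FileServerOperators' = @{ RoleCapabilities = $ModuleName } }   # assumed group

Register-PSSessionConfiguration -Name $ModuleName -Path $SessionFile -Force | Out-Null

# Operators then connect to the constrained endpoint instead of logging on as admins:
#   Enter-PSSession -ComputerName fs01 -ConfigurationName FileServerOps
```

Registering the configuration restarts the WinRM service. The Just-in-Time half of the recommendation is independent of this script: it is about making membership in CONTOSO\FileServerOperators (or any privileged group) time-limited, so that the right to use the endpoint, not only the endpoint itself, is scoped to the work window.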

Windows Server 2016 offers various types of prevention and protection tools and features for various types of user accounts, such as

  • Microsoft Identity Manager 2016
  • Local Administrator Password Solution (LAPS)
  • Windows Defender Credential Guard
  • Windows Defender Device Guard
  • Control Flow Guard

which cover the areas of protecting user/admin credentials, trusted-software-only installation, breach notification, and jump-oriented programming (JOP) defence.

Windows Server 2016 also actively alerts administrators to potential breach attempts with enhanced security auditing that provides more detailed information, which can be used for faster attack detection and forensic analysis. It logs events from Control Flow Guard, Windows Defender Device Guard, and other security features in one location, making it easier for administrators to determine which systems may be at risk.

A newly introduced feature is Shielded VMs. They include a virtual TPM (Trusted Platform Module) device, which enables organisations to apply BitLocker encryption to the virtual machines and ensure they run only on trusted hosts, to help protect against compromised storage, network, and host administrators. Shielded VMs are created as Generation 2 VMs, which support Unified Extensible Firmware Interface (UEFI) firmware and have a virtual TPM.

The GDPR can have a significant impact on any business that uses any type of personal data. It should be taken seriously and implemented as soon as possible, whatever time, funds, or planning it requires.

Microsoft Active Directory Permissions: Best Practices for Data Protection

In this article, we present the best practices for data protection in the most famous directory service: Microsoft Active Directory Domain Services (AD DS).

Microsoft Active Directory (AD) is a database that keeps track of all the “objects” in the system – users, computers, security groups, services, etc. AD DS provides one central location for defining and updating all the rights a particular object has on the network.

In short, it is the vital part of any Microsoft server system and deserves the highest level of security.

So let’s start with tips and best practices for securing Microsoft Active Directory the best way possible.

Least-Privilege User Access (LUA)  

The principle of least privilege (PoLP, also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose. (Wikipedia Definition) 

As part of those principles, the recommendation is the use of LUA:

LUA is the reverse of granting administrative privileges to all users and then scaling back permissions as needed. It is one of the best tips for keeping your network safe.

It is the “hard way” of granting permissions to users: in a sense, it is personalised for each user. It is based on determining the needs of every user on the network and granting permissions for exactly those needs, no more, no less.

The process is not easy; it requires a lot of communication and takes a lot of time to configure the system that way. But in the long term, your system will operate safely and as it should.

There are variations of this plan, like creating “section groups” with different permissions and then placing everyone from the section in them. But that is not a personalised setup, and it can still give an individual user too much or too little.

Know Your Active Directory Security Model 

The Microsoft Active Directory security model keeps every object stored in Active Directory safe and protected.

That includes domain user and computer accounts, security groups, and group policies.

It helps administrators determine user access to any object and gives the option to specify access for groups of users as part of security management.

Every single object in Microsoft Active Directory has a security descriptor associated with it. The security descriptor defines the permissions on the object. It includes the permission set, the Access Control List (ACL), which contains numerous Access Control Entries (ACEs), each of which allows or denies specified permissions to a user or security group.

ACEs can be explicit or inherited; explicit ACEs generally override inherited ACEs. 
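The explicit-versus-inherited distinction is easy to audit. The following script is an added example (not code from the article) that reads the security descriptor of every object below an OU through the AD: drive and reports only the explicit ACEs; the OU distinguished name is a placeholder to replace with one from your own domain.

```powershell
# Added example, not code from the article: list the explicit (non-inherited)
# ACEs on every object below an OU, so access granted outside the inherited
# design stands out for review. Read-only; needs the RSAT ActiveDirectory
# module, which also provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

function Get-ExplicitAce {
    param(
        # Placeholder OU; replace with a distinguished name from your domain.
        [Parameter(Mandatory)] [string] $SearchBase
    )
    Get-ADObject -SearchBase $SearchBase -Filter * | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            # Inherited ACEs come from the OU design above the object;
            # explicit ACEs were set on the object itself and generally
            # override them, so they are the ones to review.
            if ($ace.IsInherited) { continue }
            [pscustomobject]@{
                Object   = $dn
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType      # Allow or Deny
                Rights   = $ace.ActiveDirectoryRights
                Owner    = $acl.Owner                  # the owner can always modify the DACL
            }
        }
    }
}

# Every object class also carries default explicit ACEs from the schema's
# defaultSecurityDescriptor (for example for SELF), so compare the output with
# a freshly created object of the same class to spot the non-default entries.
Get-ExplicitAce -SearchBase 'OU=Finance,DC=example,DC=com' |
    Where-Object { $_.Identity -ne 'NT AUTHORITY\SELF' } |
    Sort-Object Object, Identity |
    Format-Table -AutoSize
```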

And this is just the tip of the Microsoft Active Directory security model iceberg.

The security model is not an easy thing to learn or explain in a single article. Even some experienced administrators have a hard time understanding the full model. So every system administrator is advised to make it a personal goal to learn as much about it as possible.

A better understanding of it provides better insight into how system security functions and better protection for your organization, and with that better productivity and quality of service.

A lot more regarding Active Directory Security Model can be found at the following link: 

http://www.paramountdefenses.com/active-directory-security/model.html 

Keep Your Software Up To Date and Secure 

In May 2017, many Windows server-based systems were hit by the WannaCry ransomware worm. Even though Microsoft had discovered the vulnerability and released a patch a month before the attack took place, many systems had not applied it and were struck by the worm, which broke into the system, encrypted data and demanded a ransom in Bitcoin.

The attack was stopped within a few days of its discovery due to emergency patches released by Microsoft and the discovery of a “kill switch” that prevented infected computers from spreading WannaCry further.

The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars.

Experts advised affected users against paying the ransom, since there were no reports of any data being returned after payment and high revenues would encourage more such attacks. After the attack had subsided, a total of 327 payments totaling $130,634.77 (51.62396539 XBT) had been transferred.

Like every such example, this one is an opportunity to learn from previous errors so they are not made again.

This expensive and very real example shows the importance of updating software and applying official patches to your system software.

Software without updates applied is unreliable software. A patch or update is made for a reason, and in most cases it improves security and makes your system less liable to any type of attack.

For that purpose, Microsoft has sites that can help administrators keep their systems healthy and protected. It is highly recommended that all admins monitor TechNet and the Microsoft Secure Blog to keep up with system software and security updates.

It is not only up to administrators, although their part of the job is the most important; it is also up to organizations to keep their hardware updated. Obsolete hardware can make the risk of security breaches high. Realizing that investing in hardware is not money thrown away but an investment in security and functionality is the right approach for every organization.

Usage of built-in Active Directory Features 

Many built-in Active Directory features can help administrators protect data and the system environment. None of them is a “one program solves all” type of program or some “big” lifesaving solution, but using them correctly lowers the risk of potential security breaches.

This is a list of some of the useful built-in features:

  • Security Descriptor Propagator – Compares the permissions on the domain object with the permissions on the domain’s protected user accounts and groups. If it finds any mismatch, it resets the permissions.
  • AdminSDHolder – Ensures enforcement of permissions on protected user accounts and groups, regardless of their location in the domain.
  • Privileged Identity Management – Allows the administrator to grant temporary rights and permissions to an account to perform required functions.
  • Role-based Access Control – Gives the administrator the option of grouping users and giving them access to resources in the domain according to previously defined rules.
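The first two features work together: SDProp periodically copies the AdminSDHolder permissions onto protected objects (those with adminCount=1) and disables inheritance on them. The script below is an added example (not code from the article) that performs the same comparison on demand, so an administrator can see drift before SDProp corrects it and spot objects whose inheritance has been re-enabled; the assumption that only explicit AdminSDHolder entries are compared is noted in the code.

```powershell
# Added example, not code from the article: compare the DACL of every object
# with adminCount=1 (the accounts and groups SDProp protects) against the
# AdminSDHolder template. A difference is normal only until the next SDProp
# run (every 60 minutes by default); a lasting difference, re-enabled
# inheritance, or an unexpected entry on AdminSDHolder itself should be
# investigated. Read-only; needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Render the explicit ACEs of an ACL as comparable strings. Assumption: entries
# AdminSDHolder inherits from CN=System are not part of what SDProp stamps, so
# they are skipped; if they show up as "extra" on protected objects, drop the
# IsInherited filter for the template.
function ConvertTo-AceKey {
    param($Acl)
    $Acl.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference.Value, $_.AccessControlType,
                $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType
        } | Sort-Object -Unique
}

function Get-AdminSdHolderDrift {
    $domainDn     = (Get-ADDomain).DistinguishedName
    $template     = Get-Acl -Path ("AD:\CN=AdminSDHolder,CN=System," + $domainDn)
    $templateKeys = @(ConvertTo-AceKey $template)

    Get-ADObject -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $acl  = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        $keys = @(ConvertTo-AceKey $acl)
        $diff = @(Compare-Object -ReferenceObject $templateKeys -DifferenceObject $keys)
        [pscustomobject]@{
            Object              = $_.DistinguishedName
            InheritanceDisabled = $acl.AreAccessRulesProtected   # SDProp sets this flag
            ExtraAces           = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
            MissingAces         = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
        }
    }
}

# Report only the objects that deviate from the template.
Get-AdminSdHolderDrift |
    Where-Object { $_.ExtraAces.Count -gt 0 -or $_.MissingAces.Count -gt 0 -or -not $_.InheritanceDisabled } |
    Format-List
```

An object that stays in the report for longer than the SDProp interval either is no longer a member of a protected group (adminCount is not cleared automatically) or has had its permissions changed between runs.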

Usage of Isolated Workstations for Managing DCs

If, for any reason, there is a need to log on to Active Directory with an elevated account, these operations should always be performed from a special device preconfigured to reduce the risks associated with everyday tasks.

Such workstations should be isolated from the internet and, when used, they should follow the Least-Privilege User Access (LUA) principles described earlier.

Those workstations should be fully protected by all kinds of available security software (anti-malware, endpoint firewall and application control).

DC management workstations should be kept in their own organizational unit so that a special group policy set can be applied to them (restricted local logons and other limitations).

User accounts used on isolated workstations may be Service Desk accounts that have the ability to reset passwords for most of the users in a domain, accounts that are used to administer DNS records and zones, or accounts that are used for configuration management. Secure administrative hosts should be dedicated to administrative functionality, and they should not run software such as email applications, web browsers, or any type of productivity software. 

Conclusion 

In conclusion, the security of Microsoft Active Directory is a huge, living topic that can be studied and elaborated over and over. Besides using the tools and techniques described, the best practice is continuous learning and regular monitoring, not only of your systems but also of Microsoft news and updates.

It is a hard job without long-term solutions. As systems develop and change, so do potential threats and malware, but that is what being a server administrator is like: a never-ending process.


Active Directory Design Guide

Companies use Active Directory Domain Services (AD DS) in a server environment to make the work of network users less complicated and to ensure that resource sharing and management are secure and scalable and that all objects work according to their respective configurations. A well-designed AD DS can be used to manage the entire network infrastructure, including branch offices and multiple-forest environments. System administrators should develop a habit of documenting all aspects of the domain structure and security strategies, as this documentation becomes the plan for future infrastructure and possible migration.

The Basics of Active Directory Planning  

When planning for a domain, two things come into play: domain upgrading and domain restructuring. Upgrading your domain is more than just upgrading every domain controller; it involves upgrading both the Primary Domain Controller (PDC) and the Backup Domain Controller (BDC). Restructuring involves the creation of a new Active Directory from scratch. Restructuring may lead to fewer but larger domains.

Develop a Migration Strategy

Having a migration strategy in place is an integral part of your overall design plan. A migration strategy involves studying the current or proposed configuration details and identifying which aspects of the domain will be migrated. A fallback plan also has to be in place to counter any possible failure.

Working with a Simple Design  

An Active Directory should be flexible enough to make designing the forests easy. Designing a domain for every department may look desirable in an organization, but do not forget the general rule of running fewer but effective domains. An alternative to creating domains for every department is to use Organizational Units, which are flexible and easy to manage.

Active Directory Domain Design  

An Active Directory has four main divisions: forests, domains, sites, and organizational units. System administrators should make the most of these divisions to get the best out of any directory structure.

When creating your domains, it is recommended that you group domain members that are as near each other as possible. This is the best practice because the level of traffic within a domain is higher than the traffic you would expect between two different domains. Smaller domains also limit the need for investing in expensive connections to increase bandwidth. Remember to use Organizational Units to delegate administrative privileges within an Active Directory.

The Design of Groups and Organizational Units  

Before thinking about how the Groups and Organizational Units will work, system administrators should know in advance the role of each group or unit. The idea is to have functional Organizational Units and Groups in order to simplify the Active Directory environment. This goes a long way toward simplifying management by giving you more control over the Active Directory. An Active Directory without a logical design of its users may lead to confusion. Here are some of the best practices when designing Organizational Units:

  • Maintain a simple OU structure
  • Limit OU nesting to less than 10 layers
  • Apply Group Policy to groups via Group Policy filtering
  • Do not use machine-local groups for permissions in a domain environment
  • Use domain local groups to control access to resources and to group similar user groups
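The nesting limit is straightforward to check. The script below is an added example (not code from the guide): it counts the OU= components of each OU's distinguished name, treating escaped commas inside names correctly, and flags OUs at or beyond the limit. The sample DN used for the self-check is constructed and does not belong to any real domain.

```powershell
# Added example, not code from the guide: measure the nesting depth of every
# OU and flag the ones at or beyond the guide's limit (fewer than 10 layers).
# Depth is the number of OU= components in the distinguished name; escaped
# commas inside names (e.g. "OU=Sales\, EMEA") are not treated as separators.
Import-Module ActiveDirectory

function Get-OuDepth {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # Split on commas that are not preceded by a backslash.
    $parts = $DistinguishedName -split '(?<!\\),'
    @($parts | Where-Object { $_ -match '^\s*OU=' }).Count
}

function Get-OuDepthReport {
    param([int] $MaxDepth = 10)
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $depth = Get-OuDepth $_.DistinguishedName
        [pscustomobject]@{
            OU      = $_.DistinguishedName
            Depth   = $depth
            TooDeep = ($depth -ge $MaxDepth)   # "less than 10 layers"
        }
    }
}

# Self-check on a constructed DN (not from any real domain): three layers,
# the escaped comma in "Sales\, EMEA" must not count as a separator.
if ((Get-OuDepth 'OU=Sales\, EMEA,OU=Departments,OU=Corp,DC=example,DC=com') -ne 3) {
    throw 'Get-OuDepth self-check failed'
}

Get-OuDepthReport | Sort-Object Depth -Descending | Format-Table -AutoSize
```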

You can also use hidden OU to prevent viewing or altering in an environment where network application services are shared within departments and with external customers.  

Use Rules for Active Directory Sites  

Sites are an important element of any Active Directory domain. Sites can contain any computer object within a forest, so they cut across domains and organizational units. Sites are used to represent the physical network and so direct traffic flow. Sites also regulate traffic flowing over slower WAN links within the network; this effectively increases productivity and reduces connectivity costs.

General good practice when designing sites:

  • Sites should be a reflection of the physical and geographical topology 
  • Every site should have at least one local Domain Controller 
  • Sites should be connected to faster links  
  • Remote clients do not need a dedicated site  
  • Sites are desirable when replication services are needed  
  • Sites can be added, changed, removed, without affecting network operations or configurations 
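Whether every site really has a local domain controller (and at least one subnet, without which no client is ever assigned to the site) can be verified from the directory itself. The script below is an added example (not code from the guide); it sees only domain controllers of the domain it is run in, so in a multi-domain forest run it once per domain.

```powershell
# Added example, not code from the guide: list every site with the domain
# controllers located in it and flag sites without a local DC, whose clients
# must authenticate across a site link. Read-only; needs the RSAT
# ActiveDirectory module. Get-ADDomainController only returns the current
# domain's DCs, so in a multi-domain forest run this once per domain (a DC of
# another domain in the same site does not serve this domain's logons).
Import-Module ActiveDirectory

function Get-SiteDcCoverage {
    $dcs     = @(Get-ADDomainController -Filter *)
    $subnets = @(Get-ADReplicationSubnet -Filter *)   # each subnet's Site is a site DN
    Get-ADReplicationSite -Filter * | ForEach-Object {
        $siteName = $_.Name
        $siteDn   = $_.DistinguishedName
        $localDc  = @($dcs     | Where-Object { $_.Site -eq $siteName })
        $siteNets = @($subnets | Where-Object { $_.Site -eq $siteDn })
        [pscustomobject]@{
            Site              = $siteName
            DomainControllers = $localDc.Count
            Subnets           = $siteNets.Count
            NoLocalDc         = ($localDc.Count -eq 0)
            NoSubnet          = ($siteNets.Count -eq 0)
            Dcs               = ($localDc | ForEach-Object HostName) -join ', '
        }
    }
}

# Sites that violate the guidance come first.
Get-SiteDcCoverage | Sort-Object NoLocalDc, NoSubnet -Descending | Format-Table -AutoSize
```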

Active Directory Design Requirements  

Before the deployment of any Active Directory services, the logical structure that reflects the working environment should be in place. The AD DS logical structure defines how directory objects are organized and provides a method of managing individual accounts and shared resources. When planning the logical structure, determine the number of forests, the domain designs, the Domain Name System infrastructure, and the Organizational Units.

The design of the logical structure should follow this process:

  • Identification of the technical staff in charge of deployment  
  • Creation of the forest design  
  • Creation of the domain design for each forest  
  • Design a DNS infrastructure to support AD DS for every forest  
  • Design organizational units for delegating administrative tasks for every forest

1. Designing the Site Topology

The site topology of the Active Directory network is a logical representation of the physical network. It has all the information about the AD DS location sites, the site of Domain Controllers, and the site links that support the AD DS replication taking place between sites.  

The site topology design goes through the following process:

  • Gather all network information  
  • Plan where to place the domain controllers  
  • Create the site design  
  • Create the link design  
  • Create the site link bridges

2. Planning for Domain Controller Capacity  

For efficient AD DS operation, system administrators should determine the number of domain controllers for each site. Capacity planning for the domain controllers covers all the hardware requirements and avoids poor performance of the domain controllers.

Domain controller capacity planning involves:

  • Collect site topology and design information  
  • Determine the number of domain controllers  
  • Create the site design  
  • Assess disk space and memory requirements  
  • Monitor domain controller performance  

Please note that some features can be added to the Domain design by raising the functional levels of the forests.  

Conclusion  

The strategies presented in this guide apply in any server operating environment. If you are not sure whether your environment can meet the minimum system requirements, consult other professionals on what needs to be done to deploy AD DS.
