Although a file server is one of the most basic services in the server room,
I've been surprised at how disorganized many organizations' file servers are.
After helping several companies reorganize their file servers, I decided to
share some of the common problems that I've seen and introduce you to some ways
to fix them by using Windows 2003 built-in features, free add-ons, or new business
processes. Come on—let's get organized!
Scattered Data
One company I worked with had fewer than 100 employees but had eight file servers
and hundreds of shares. The administrator had a hard time finding the files
he needed, and users' desktops were a sea of shortcuts. For this company, consolidating
servers and shares onto one large file server made sense. Depending on the service
level agreement (SLA) that your IT department has, you might want to consider
a cluster or other technology to reduce the risk of putting all of your eggs
in one basket. Regardless of your choice, the important thing is to keep your
file server structure as easy as possible for users.
For companies that have data scattered all over creation, I recommend a complete
reorganization. This option isn't as difficult as it sounds if you carefully
plan and communicate well with the rest of the organization. You can gauge the
level of file server organization by learning how content or frustrated users
are. If the problem isn't that bad (i.e., users can generally get to the information
they need), then a simple housecleaning might be in order. Regardless of the
scope of your reorganization, I can't over-emphasize the importance of ensuring
that the cleanup is a company objective and not just an IT project. You need
the support of your company's decision makers.
My ideal file server has just one share that contains multiple parent subfolders.
This structure is clean, simple, and provides one-stop shopping for users. Every
company is different, but the structure typically looks something like the example
that Figure 1 shows. As you can see,
the file server has an appropriate name, the share describes the file server's
contents, and the subfolders are logically laid out. What about the subfolders
that are in the parent folders? Each department should organize its own folders,
but you can provide some guidance. I typically ask users leading questions such
as the following:
- Do you have any sub-departments or teams? If so, you might create subfolders
to further segregate the data. A large IT department might create subfolders
such as Infrastructure, Development, Project Management, and Quality Assurance.
- Is your work separated geographically, or do you all work together? If multiple
locations daily share data, it wouldn't make sense to create Seattle, Portland,
and New York subfolders for each location. If the business divisions work
independently, a single folder wouldn't be efficient. This example shows why
this project can't be just an IT project; the business needs to own the plan.
- Does your department include different levels of security access? Securing
individual files is time-consuming and leads to mistakes. These "one-offs"
are easy to forget about, and the security is easy to overwrite if security
settings are pushed down from the parent folder to the files. If the department
has security boundaries, help department members create their subfolders to
mirror those boundaries.
- If you had to print out all of this data, how would you organize it in a
filing cabinet? This question helps users stop thinking about data as bits
on a screen and start thinking in terms of documents. Help users organize
the file structure as they would organize manila folders in metal drawers.
Once you've set up and secured a basic file-server structure, each department
can start to move its data to the new structure. (We'll cover more information
about security permissions in a moment.) Be sure to teach users the difference
between moving and copying. Moving the data provides a clean break from the
old way of storing documents and lets users handle their own data. A good practice
is to give users a "due date" when all of the files must be moved.
"Simplify Your Life: Role-Based Security
Now that you have a fresh folder structure, you need a simple way to secure
it. In every company that I've consulted with, I've found at least one user
account in the Security tab of a file or folder. These rogue accounts typically
appear because an administrator or Help desk technician was in a hurry and wanted
to close a trouble ticket quickly. Unfortunately, this practice can cause headaches
down the road if the user you've given special privileges to changes departments.
For example, one company I worked with regularly moves its temporary accounting
help to a full-time position on the operations floor. If a user has permissions
to access accounting files and moves to a new position, it can be a real challenge
to find all of the places that user had permissions. Finding the permissions
is so difficult that often the user would transfer to a new position with the
old accounting permissions still intact.
In such a case, the answer is to use security groups. Groups have been around
since the early days of LAN Manager. Although most organizations have security
groups, many aren't using groups to their full potential. In my consulting work,
I typically call security groups "roles." When combined with official roles
in the company, security groups are a powerful security solution. So instead
of using obscure security group names that only IT understands, roles let managers
control the data their employees can access. Imagine a list of security group
roles for the accounting department that looks like this:
- Role Accounting VP
- Role Accounting Manager
- Role Accounting AP
- Role Accounting AR
- Role Accounting Temp
- Role Accounting All
Only these roles have access to your new folder structure. Now when a new accounting
employee is hired, it's easy for the manager to explain to the Help desk exactly
what security groups the user should belong to.
When you add roles to the security of the folder, you can use the naming convention
I show above and the additions will be a snap. Find the folder for which you
want to configure security. Right-click the folder, and choose Properties. Click
the Security tab and click Add. Type the word Role in the Enter the object
names to select field, as Figure 2
shows, and you'll get a list of the roles that are in your Active Directory
(AD).
Previous
Register
