Fileserver Migration or Permission Optimization – Best Practice

Almost every company uses fileservers to make data available to employees. Over the years, the amount of data grows continuously. At the same time, the permissions on the individual folder structures are constantly changing.

New employees are given permissions, obsolete permissions are (in the best case) revoked again, and cross-departmental access must be ensured. The requirements for the fileserver, including its permissions, are sometimes extremely complex. It is therefore all the more important to follow a clear authorization concept.

In this article, we provide an overview of how to migrate your fileserver or simply optimize the permissions within the folder structures. 

Fileserver Migration Paths - Options

Whether you need to migrate your file services between two storage systems or fileservers (e.g., when replacing an old fileserver with a new one), or want to optimize your historically grown permissions in the course of the German Data Protection Act (DSGVO) requirements and adapt them to current best practices, you need a clear plan of procedure.

There are several ways to optimize or move the fileserver without disrupting the users’ work. 

Migration to a New Fileserver

When moving to a new file server or to a new fileshare on the same fileserver or storage system, you have the best conditions to ensure a smooth optimization of permissions. 

The folder structures are set up quickly and efficiently in a new, empty fileshare and provided with optimized permissions assigned according to best practice. The entire process can be implemented in a short period of time, since the assignment of permissions in empty folder structures is many times faster than is possible in full folder structures.

Optimization of the Permissions of a Fileshare

If you want to optimize the permissions within a folder structure without introducing a new fileserver or storage system, the migration path described above cannot be applied in the same way. You may also lack the means to temporarily provide double the storage capacity for the optimization of permissions.

When optimizing within an existing fileshare, there are some challenges to overcome to ensure user access continues during this period. Existing permissions cannot simply be swapped out for new permissions. According to the best practices of permission assignment in the NTFS file system, permissions should always be implemented via groups. However, a newly created group only takes effect for a user after they have logged on to their client and the Active Directory again. Therefore, the migration path must be slightly adjusted for such scenarios.

Phases of a Fileserver Migration

The optimization of permissions or the migration to a new fileserver or a new storage system can be divided into different phases. It is important to have a concrete plan for the procedure and to think through all the steps in advance.

Overview of the individual phases of a fileserver migration or permission optimization

Analysis of existing Folders and NTFS Permissions

For the analysis, the fileshares to be migrated must be checked and evaluated, including their permissions. For this purpose, all information should be written to a CSV file, for example. It is important to know which accounts have access to which folder levels, what the status of inheritance is, and whether the permission is granted or denied.

Usually, various optimization potentials are uncovered during the analysis:

  • How deep in the hierarchy are explicit permissions assigned?
  • Where are the same group or user accounts explicitly granted permissions again and again on subfolders within one hierarchy?
  • Where are there orphaned permissions (permissions for which the group or user account no longer exists)?
  • Where are there inheritance breaks and are they even necessary?
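
One way to collect the data for this analysis, as an added PowerShell example that is not part of the original article. The share path and file name are placeholders, and treating an identity that still shows a raw `S-1-5-21-` SID as orphaned is a heuristic.

```powershell
# Added example: export every ACE below a share root to CSV and summarize the findings.
$ShareRoot = '\\fileserver01\data'      # placeholder share
$OutCsv    = '.\acl-analysis.csv'       # placeholder output file

$rootDepth = ($ShareRoot.TrimEnd('\') -split '\\').Count
$folders   = @(Get-Item -LiteralPath $ShareRoot) +
             @(Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue)

$rows = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        [pscustomobject]@{
            Path           = $folder.FullName
            Depth          = ($folder.FullName.TrimEnd('\') -split '\\').Count - $rootDepth
            Identity       = $identity
            Rights         = $ace.FileSystemRights
            Type           = $ace.AccessControlType        # Allow or Deny
            IsInherited    = $ace.IsInherited
            InheritanceOff = $acl.AreAccessRulesProtected  # inheritance break on this folder
            # A SID that no longer resolves to a name points to a deleted account or group.
            Orphaned       = $identity -match '^S-1-5-21-'
        }
    }
}
$rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8

# Summary for the four analysis questions (explicit ACEs only)
$explicit = @($rows | Where-Object { -not $_.IsInherited })
[pscustomobject]@{
    DeepestExplicitLevel = ($explicit | Measure-Object -Property Depth -Maximum).Maximum
    RepeatedIdentities   = @($explicit | Group-Object Identity | Where-Object Count -gt 1).Count
    OrphanedAces         = @($explicit | Where-Object Orphaned).Count
    InheritanceBreaks    = @($rows | Where-Object InheritanceOff |
                               Select-Object -ExpandProperty Path -Unique).Count
}
```

The share root itself normally appears as an inheritance break, so a count of 1 there is expected.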

Modeling of the New Permissions - Structure of the Permission Concept

In the modeling or conceptual design phase, the read-in permissions are evaluated and checked for relevance. Optimization potentials are implemented directly and are immediately incorporated into the preparation of the new permissions. It makes sense to modify the .csv file created during the analysis so that it can be used for the roll-out of the new permissions.

You should consider beforehand whether you want to keep the folder structures as they are and only modify the permissions, or whether you also want to change and modernize the structures. If you only optimize the permissions technically, the user does not have to be directly involved. Only obviously incorrect permissions are removed. However, if the folder structure is also to be modified, the data owner or the user must be involved.

It is not recommended to simply adapt and change the folder structures, as this will significantly reduce user acceptance. 

The following steps are necessary during the modeling phase:

  • The new permission structure or the new permission concept is set up.
  • The permissions required for the individual folders are modeled in a .csv file, for example. 
  • The explicit permissions on the individual folder (e.g. “Read & Execute” and “Modify”) are defined.

Roll-out of the New Permissions and Permission Groups

Roll-out – During roll-out, the newly required permission groups are created using Microsoft Best Practice for Fileservers in Active Directory and assigned the correct members. 
When migrating to a new fileserver or fileshare, the folders that will contain explicit permissions are created and the created permission groups are granted permission on those folders. However, if you want to optimize permissions within the hierarchy and are not migrating to a new fileshare, the folders do not need to be created.
The new permission groups are added in addition to the old permissions. This ensures that the users’ access continues to work even if the newly created groups have not yet taken effect because the user has not logged on to the system again.

When migrating between two systems, the data must be transferred from the old to the new system. It is recommended to use Robocopy for these copy jobs, because you can control the behavior of the permissions during the copy process very well and the copy performance is almost unmatched. It is important to run these copy jobs regularly. This way, all data that is not currently being accessed is already transferred to the new fileshare. This can save a lot of time during the going live phase.

It is recommended to proceed as follows during the roll-out:

  • The new permission groups are automatically created in Active Directory and assigned the correct members. 
  • The folder structure is automatically created within a new, empty fileshare (only when moving to a new fileserver or storage system).
  • The permission groups are automatically granted permission on the correct permission folders.
  • For the data transfer between the actual and target structure, the copy jobs must be created and executed regularly (only when moving to a new fileserver or storage system).
  • A date for the final going live must be planned.
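
The roll-out steps above for the move to a new share, as an added PowerShell sketch that is not part of the original article. The CSV columns (`Path`, `GroupName`, `Rights`, `Members`), the OU, the share names, the domain-local group scope and the Robocopy switches are assumptions chosen for illustration.

```powershell
# Added example: create groups, add (not replace) ACEs, then run the recurring delta copy.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
$model   = Import-Csv -LiteralPath '.\permission-model.csv'  # assumed columns: Path,GroupName,Rights,Members
$groupOu = 'OU=FileserverGroups,DC=example,DC=com'           # placeholder OU
$source  = '\\oldfs01\data'                                  # placeholder old share
$target  = '\\newfs01\data'                                  # placeholder new share (Path values point here)

foreach ($row in $model) {
    # 1. Create the permission group if it is missing, then add only the missing members.
    $group = Get-ADGroup -Filter "Name -eq '$($row.GroupName)'"
    if (-not $group) {
        $group = New-ADGroup -Name $row.GroupName -SamAccountName $row.GroupName `
            -GroupScope DomainLocal -GroupCategory Security -Path $groupOu -PassThru
    }
    $current = @(Get-ADGroupMember -Identity $group | ForEach-Object SamAccountName)
    $missing = @($row.Members -split ';' | Where-Object { $_ -and $_ -notin $current })
    if ($missing) { Add-ADGroupMember -Identity $group -Members $missing }

    # 2. Create the permission folder (new, empty share only).
    if (-not (Test-Path -LiteralPath $row.Path)) {
        New-Item -ItemType Directory -Path $row.Path | Out-Null
    }

    # 3. ADD the group's ACE; entries already on the folder are left untouched.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $group.SID,                                                    # SID works before the name replicates
        [System.Security.AccessControl.FileSystemRights]$row.Rights,   # e.g. ReadAndExecute or Modify
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $row.Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $row.Path -AclObject $acl
}

# 4. Delta copy: data, attributes and timestamps only, so files inherit the NEW permissions.
robocopy $source $target /MIR /COPY:DAT /DCOPY:T /R:1 /W:1 /NP /LOG+:.\robocopy-delta.log
if ($LASTEXITCODE -ge 8) { throw "Robocopy reported failures (exit code $LASTEXITCODE)" }
```

Because `/MIR` also deletes files in the target that no longer exist in the source, check source and target paths before scheduling the job.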

Going live of the New Permissions Concept

Going live – When going live, there are again differences depending on whether the migration is to a new fileserver or the permissions within a fileshare are optimized. In the first case more activities have to be performed; the second case usually takes much longer.

When migrating between two systems, another delta copy of the data must be made. It must also be ensured that the users can access the new folder paths, which usually change in the process.

If you optimize the permissions in the same fileshare, the old permissions must be removed from the folders during going live – as a final step. This is the only way to ensure that a consistent permission concept is maintained throughout.

The following steps are recommended for going live and must be followed:

  • It must be ensured that no user has write access to the data during the last delta copy of the data (only when moving to a new fileserver or storage system).
  • Login scripts, GPOs or DFS links must be adapted (only when moving to a new fileserver or storage system).
  • Links within applications that address the fileshares must be adjusted (only when moving to a new fileserver or storage system).
  • Links within files (e.g. link to an Excel file within a Word file) must be adjusted (only when moving to a new fileserver or storage system).
  • Fileserver backups must be adjusted (only when moving to a new fileserver or storage system).
  • The old permissions must be removed from the folder structures so that only the new permission groups are included.
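
A way to carry out the last step when optimizing in place, as an added PowerShell example that is not part of the original article. It reuses an assumed model CSV with `Path` and `GroupName` columns and assumes that SYSTEM and BUILTIN\Administrators remain on the folders.

```powershell
# Added example: remove old explicit ACEs so that only the new permission groups remain.
# Run with -WhatIf first to see what would be removed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ModelCsv  = '.\permission-model.csv',   # assumed columns: Path,GroupName
    [string]$BackupCsv = '.\acl-before-golive.csv'   # placeholder backup file
)
$ErrorActionPreference = 'Stop'
$sidType    = [System.Security.Principal.SecurityIdentifier]
$alwaysKeep = 'S-1-5-18', 'S-1-5-32-544'   # assumption: SYSTEM and BUILTIN\Administrators stay

foreach ($folder in (Import-Csv -LiteralPath $ModelCsv | Group-Object Path)) {
    $path    = $folder.Name
    $newSids = @($folder.Group | ForEach-Object {
        ([System.Security.Principal.NTAccount]$_.GroupName).Translate($sidType).Value
    })
    $acl      = Get-Acl -LiteralPath $path
    $explicit = @($acl.GetAccessRules($true, $false, $sidType))   # explicit ACEs only, as SIDs
    $have     = @($explicit | ForEach-Object { $_.IdentityReference.Value })

    # Guard: never strip old access from a folder where a new group is still missing.
    $missing = @($newSids | Where-Object { $_ -notin $have })
    if ($missing) { Write-Warning "New group ACE missing on $path, skipped"; continue }

    $old = @($explicit | Where-Object { $_.IdentityReference.Value -notin ($newSids + $alwaysKeep) })
    if (-not $old) { continue }

    if ($PSCmdlet.ShouldProcess($path, "remove $($old.Count) old explicit ACE(s)")) {
        # Keep the previous ACL as SDDL so the folder can be restored if access breaks.
        [pscustomobject]@{ Path = $path; Sddl = $acl.Sddl } |
            Export-Csv -LiteralPath $BackupCsv -Append -NoTypeInformation
        foreach ($ace in $old) { $acl.RemoveAccessRuleSpecific($ace) }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}
```

Only the folders listed in the model are touched; explicit entries on deeper subfolders that the analysis uncovered need their own rows or a separate pass.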

To clean up your permissions or migrate fileshares between two systems, we always recommend setting up the permissions in a new, empty target share. This procedure takes less time, is considerably less error-prone, and you always have the old folder structure as a fallback.

If this procedure cannot be implemented due to technical limitations, the optimization of the permissions should be planned particularly meticulously.

About the Author

Christoph Schulze is a Senior Consultant at permSECURE. He has been designing and supporting file server projects and helping customers to optimise their authorisation concepts since 2011.