+49 30 3642803 0 | info@permsecure.com​

File Server Migration or Permission Optimization – Best Practice

permSECURE - Filemigration

Almost every company uses file servers to make data available to employees. Over the years, the amount of data grows continuously. 
At the same time, the permissions on the individual folder structures are constantly changing. 

New employees are given permissions, in the best case obsolete permissions are revoked again or cross-departmental access must be ensured. The requirements for the file server, including its permissions, are sometimes extremely complex. Therefore, it is even more important to follow a clear authorization concept. 

In this article, we provide an overview of how to migrate your file server or simply optimize the permissions within the folder structures. 


File Server Migration Paths - Options

If you are faced with the challenge of having to migrate your file services between two storage systems or file servers (e.g., when replacing an old file server with a new file server), or if you want to optimize your historically grown permissions in the course of the German Data Protection Act (DSGVO) requirements and adapt them to current best practices, you need a clear plan of procedure. 

There are several ways to optimize or move the file server without disrupting the users’ work. 

permSECURE - Shouting Man

Download our Whitepaper!

Deepen your knowledge with our whitepaper on NTFS Best Practices.

Migration to a New File Server

When moving to a new file server or to a new file share on the same file server or storage system, you have the best conditions to ensure a smooth optimization of permissions. 

The folder structures are set up quickly and efficiently in a new, empty file share and provided with optimized permissions assigned according to best practice. The entire process can be implemented in a short period of time, since the assignment of permissions in empty folder structures is many times faster than is possible in full folder structures.

Optimization of the Permissions of a File Share

If one wants to optimize one’s permissions within a folder structure without introducing a new file server or storage system, the migration path described above is not identically applicable. It may also be that one does not have the means to temporarily duplicate storage requirements for the optimization of permissions. 

When optimizing within an existing file share, there are some challenges to overcome to ensure user access continues during this period. Current existing permissions may not simply be swapped out for new permissions. 
According to the best practices of permission assignment in the NTFS file system, permissions should always be implemented via groups. However, a newly created group only takes effect for the user after he has logged on to his client and the Active Directory. Therefore, the migration path must be slightly adjusted for such scenarios. 

Phases of a File Server Migration

The optimization of permissions or the migration to a new file server or a new storage system can be divided into different phases. It is important to have a concrete plan for the procedure and to think through all the steps in advance.

permSECURE - Migrationsphasen
Overview of the individual phases of a file server migration or permission optimization

Analysis of existing Folders and NTFS Permissions

For the analysis, the file shares to be migrated must be checked and evaluated, including their permissions. For this purpose, all information should be written to a Csv file, for example. It is important to know which accounts have access to which folder levels, what the status of inheritance is, or whether the permission is granted or denied. 

Usually, various optimization potentials are uncovered during the analysis:

  • How deep are the explicit permissions assigned? 
  • Where are there multiple permissions (group or user accounts that are explicitly granted) on subfolders again and again in a hierarchy?
  • Where are there inherited permissions (permissions for which the group or user account no longer exists)? 
  • Where are there inheritance breaks and are they even necessary?

Modeling of the New Permissions - Structure of the Permission Concept

In the modeling or conceptual design phase, the read-in permissions are evaluated and checked for relevance. Optimization potentials are implemented directly and are immediately incorporated into the preparation of the new permissions. It makes sense to modify the .csv file created during the analysis file so that it can be used for the roll-out of the new permissions. 

You should consider beforehand whether you want to keep the folder structures as they are and only modify the permissions, or whether you also want to change and modernize the structures. If you only optimize the permissions technically, the user does not have to be directly involved. Obvious incorrect permissions are only removed. However, if the folder structure is also to be modified, the data owner or the user must be involved.
It is not recommended to simply adapt and change the folder structures, as this will significantly reduce user acceptance. 

The following steps are necessary during the modeling phase:

  • The new permission structure or the new permission concept is set up.
  • The permissions required for the individual folders are modeled in a .csv file, for example. 
  • The explicit permissions on the individual folder (e.g. “Read & Execute” and “Modify”) are defined.

Roll-out of the New Permissions and Permission Groups

Roll-out – During roll-out, the newly required permission groups are created using Microsoft Best Practice for File Servers in Active Directory and assigned the correct members. 
When migrating to a new file server or file share, the folders that will contain explicit permissions are created and the created permission groups are granted permission on those folders. However, if you want to optimize permissions within the hierarchy and are not migrating to a new file share, the folders do not need to be created.
The new permission groups are added in addition to the old permissions. This ensures that the users’ accesses continue to work should the newly created groups not yet take effect through a new logon to the system. 

When migrating between two systems, the data must be transferred from the old to the new system. It is recommended to use Robocopy for these copy jobs, because you can control the behavior of the permissions during the copy process very well and the copy performance is almost unmatched. It is important to run these copy jobs regularly. This way, all data that is not currently accessible is already transferred to the new file share. This can save a lot of time during the going live phase. 

It is recommended to proceed as follows during the roll-out:

  • The new permission groups are automatically created in Active Directory and assigned the correct members. 
  • The folder structure is automatically created within a new, empty file share (only when moving to a new file server or storage system).
  • The permission groups are automatically granted permission on the correct permission folders.
  • For the data transfer between the actual and target structure, the copy jobs must be created and executed regularly. 
    (only when moving to a new file server or storage system). 
  • A date for the final going live must be planned.

Going live of the New Permissions Concept

Going live – When going live, there are again differences depending on whether the migration is to a new file server or the permissions within a file share are optimized. For the first case more activities have to be performed, the second case usually takes much longer.

When migrating between two systems, another delta copy of the data must be made. It must also be ensured that the users can access the new folder paths, which usually change in the process.

If you optimize the permissions in the same file share, the old permissions must be removed from the folders during going live – as a final step.  
This is the only way to ensure that a consistent permission concept is maintained throughout.

The following steps are recommended for going live and must be followed:

  • It must be ensured that no user has write access to the data during the last delta copy of the data (only when moving to a new file server or storage system).
  • Login scripts, GPOs or DFS links must be adapted (only when moving to a new file server or storage system).
  • Links within applications that address the file shares must be adjusted (only when moving to a new file server or storage system).
  • Links within files (e.g. link to an Excel file within a Word file) must be adjusted (only when moving to a new file server or storage system).
  • File server backups must be adjusted (only when moving to a new file server or storage system).
  • The old permissions must be removed from the folder structures so that only the new permission groups are included.

Are you looking for professional advice?

Do you need support in optimizing your file servers? Feel free to contact us!

permSECURE - Shouting Woman

Best Practice – What Procedure is recommended?

To clean up your permissions or migrate file shares between two systems, we always recommend setting up the permissions in a new, empty target share. The time required for this procedure is less, it is considerably less error-prone and you always have the option of the old folder structure as a case back.

If this procedure cannot be implemented due to technical limitations, the optimization of the permissions should be planned particularly meticulously.

About the Author:

Picture of Christoph Schulze
Christoph Schulze is Senior Consultant at permSECURE. Since 2013 he has been designing and supporting file server projects and helping customers to optimize their permission concepts.