Permissions are a mess - advice for cleanup?

Walking into a new organization, permissions are a mess.

Over time, many, many users have been given access to folders and files explicitly as needed instead of having established group policies for users to fall into. There are some groups, but for the most part, individually assigned permissions are all over the place.

Can anyone offer any advice as to how they would approach such a situation? This is one of the first tasks handed to me. I am left staring at about 400,000 lines of file/folder permissions, each associated account and its permissions in an Excel spreadsheet...

I assume the first step would be to establish which common files are needed by everyone within the department, and then go from there?


Oh, you poor devil.

Now that's out of the way, I've faced this problem in the past. There is no easy way to go about it, since rights structures like these are typically accompanied by rather ad-hoc directory structures as well. Fixing the rights will require fixing the directory layout as well.

The biggest problems you'll face are going to be political. That pile of random directories represents the random organizational tics of a bunch of different people, and you're going to attempt to force a unified organizational method on it. This will break a bunch of other people's organization and that'll cause resentment, which will make acceptance of your changes harder to sell.

Step One: Figure out the organization

You're new there. You don't know how the organization fits together yet, or how it manifests in that pile of badly permissioned directories. Start asking questions of your coworkers, or the departments/people you're going to be reorganizing. Start making friends too, since you're going to need it.

Once you know who goes where, why, and what kind of data they stash...

Step Two: Draft an organizational method

Now that you have the intel, start building a new model for how to organize that volume. Keep aware of cross-communication between areas, since that'll impact where you put certain directories. Due to how NTFS rights work, it's best to keep such directories as flat as possible.

\\server\share\functional-group\projects\projectdata

If you need to keep the top level directory small, you may need to make things like...

\\server\share\department\sub-group\projects\projectdata

Where public browse is set at the department level, but clamped down to just the working-groups at the sub-group level. It'll keep the top directory neater.

Creating groups for this kind of structure is fairly easy, but you do need input from those friends in step one to make sure you're making the right groups.

Step Three: Get Buy-in

Now that you have a plan, float it by those friends you made in step one. Does it work for them? What needs to change?

Revise as necessary. Go to step four only when everyone likes what they see. This may take some time.

Step Four: Implementation Plan

Start drafting an implementation plan. Start with a department or sub-group at a time to move their stuff around and re-permission it. Once you have the process of converting a group down, start hunting volunteers to go first.

And start working on the schedule for the rest too.

Step Five: Do it!

Do your first group! Work with the entity in question to make sure they're happy.

Step Six: Revise your Implementation Plan

Something probably went unexpected, so revise your plan.

Step Seven: Do it again

Now that you've revised, start working through the rest of the departments and groups. You'll probably have to keep tweaking your plan, but that's the nature of these kinds of things.


It's a rather political process, but it can be done with the right legwork.
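
As input to Steps One and Two of the answer above, an added example (not part of the original question or answer) that reads a permissions export like the 400,000-line spreadsheet in the question and finds sets of users who were individually granted the same rights on several folders, each a candidate for one group. The column names `Path`, `Account` and `Rights`, the sample rows and the `KNOWN_GROUPS` list are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names, accounts and paths are assumptions.
SAMPLE_CSV = r"""Path,Account,Rights
\\server\share\finance\budgets,CORP\alice,Modify
\\server\share\finance\budgets,CORP\bob,Modify
\\server\share\finance\invoices,CORP\alice,Modify
\\server\share\finance\invoices,CORP\bob,Modify
\\server\share\finance\invoices,CORP\Finance-RW,Modify
\\server\share\hr\reviews,CORP\carol,Read
\\server\share\hr\reviews,CORP\alice,Read
"""

KNOWN_GROUPS = {r"corp\finance-rw", r"corp\hr-ro"}  # assumed: from a directory export


def load(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def direct_grants(rows, known_groups):
    """Map (path, rights) -> accounts granted individually rather than via a group."""
    grants = defaultdict(set)
    for row in rows:
        account = row["Account"].strip().lower()
        if account not in known_groups:
            grants[(row["Path"].strip().lower(), row["Rights"].strip())].add(account)
    return grants


def candidate_groups(grants, min_folders=2):
    """Return identical (user set, rights) combinations repeated across folders."""
    by_members = defaultdict(list)
    for (path, rights), accounts in grants.items():
        by_members[(frozenset(accounts), rights)].append(path)
    result = [
        (sorted(members), rights, sorted(paths))
        for (members, rights), paths in by_members.items()
        if len(paths) >= min_folders and len(members) > 1
    ]
    return sorted(result, key=lambda c: len(c[2]), reverse=True)


if __name__ == "__main__":
    for members, rights, paths in candidate_groups(direct_grants(load(SAMPLE_CSV), KNOWN_GROUPS)):
        print(f"{rights}: {', '.join(members)} on {len(paths)} folders")
```

The output is a list of questions to take to the departments, not a group design: whether a repeated user set reflects a real working group is something only the people in it can confirm.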