November 2010 IT Business Consulting Newsletter

Simplify Data Organization and User Management... with Active Directory!

By Tom K

* Can your staff easily get to and share the data that they need to do their jobs?

* Is that data available only to those that need it?

* Are you sure that your financials are locked down?

* Can you give new or reassigned staff immediate access to the data and resources that they need, with no effort?

I used to be surprised when I’d do a systems audit and find little-to-no organizational structure or segmented security being applied to stored data, but I’ve found this to be pretty common. So…

This month’s article shows you how to use Active Directory (AD) to organize your data for easy accessibility for the staff that need access, while preventing access to others. We also show you how to manage your Users with AD to easily provide them with access to the data and resources that they need, and easily alter their access as they change roles within your enterprise.

It’s Just a Bunch of Electronic File Cabinets

Think of your data server as a room full of standard 4 drawer file cabinets. A half dozen might hold common data used by everyone in the company (Company Data), a couple might hold data specific to the Maintenance department, a couple might hold data specific to Marketing, and a couple might hold Accounting department data. Since everyone needs access to Company Data, these cabinets aren’t locked. The departmental file cabinets, however, are private, locked, and since the departmental staff shares this data, departmental staff and only departmental staff have the keys. The department manager “owns” her file cabinets, and organizes the folders to best suit her department.

We use Active Directory (AD) to replicate this file cabinet structure on your server. AD is the directory service built into Windows domain networks; it holds and secures “objects” such as Users, User Groups, Computers and published Printers. Folders and files are not AD objects themselves: their permissions live in the file system (NTFS) on the server, but those permissions name AD Users and Groups, and that is what lets the directory decide who can open which drawer. The list of objects AD can manage is huge, but for this discussion we are most concerned with Users, User Groups, the Data Folders and Files they are granted access to, and shared resources like Printers.

Create Your Data Structure

The first step is to logically segment your data based on who needs access to it. This is usually done quite simply by breaking out your functional departments. A typical Property Mgmt & Sales organization might contain the following:

  • Company (everybody)
  • Administrative
  • Accounting
  • Executive
  • Housekeeping
  • Maintenance
  • Management
  • Marketing
  • Reservations
  • Sales

Once you have created the department list that reflects your business, create a folder on the server named for each department and have the department manager devise an internal folder structure that works for her department. We don’t care what the internal structure of a departmental folder looks like, as it is whatever the manager/owner needs it to be. Once the internal structure has been developed, the structure can be populated with departmental data.

Create Your User Group Structure

This step is pretty easy, as most of the work was just done. We typically create one User Group per business department, using the list you created above, and we create them as Security Groups, not Distribution Groups: only a security group can appear in a permission list. (“Company (everybody)” needs no group of its own, since the built-in Domain Users group already contains every account in the domain.) Once this has been done, we may create a few specialty Groups that don’t correlate to a Department, if needed for business functionality or special workflows.

Add Users to Groups

This step is also pretty easy, as Group membership will mostly correlate to Department membership. Note that it is very common for one person to be a member of multiple Groups. For instance, the Reservations Manager might be a member of Reservations and Management, the Property Manager might be a member of Reservations, Maintenance, and Management, and the business owner might be a member of all Groups.
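The group and membership steps above, as an added PowerShell example that is not part of the original newsletter. It assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later), an OU named Departments, a group name prefix of Dept-, and the sample account names jsmith, mjones and owner; all of these are assumptions chosen for illustration.

```powershell
# Added example: one global security group per department, plus role-based
# memberships. The OU name, the 'Dept-' prefix and the sample accounts are assumptions.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$ouName      = 'Departments'
$ouDN        = "OU=$ouName,$domainDN"
$groupPrefix = 'Dept-'

# 'Company (everybody)' needs no group of its own: the built-in Domain Users
# group already contains every account in the domain.
$departments = @('Administrative','Accounting','Executive','Housekeeping',
                 'Maintenance','Management','Marketing','Reservations','Sales')

# One OU keeps the department groups together and out of the default Users container.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($dept in $departments) {
    $name = "$groupPrefix$dept"
    # Security groups only: a distribution group cannot appear in a permission list.
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$name)" -SearchBase $ouDN)) {
        New-ADGroup -Name $name -SamAccountName $name -Path $ouDN `
                    -GroupScope Global -GroupCategory Security `
                    -Description "All staff working in the $dept department"
    }
}

function Add-MissingMembers {
    param([string]$Group, [string[]]$Users)
    # Add only the accounts that are not already members, so the script can be re-run safely.
    $current = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)
    $missing = @($Users | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $missing }
}

# Membership follows roles, so one person is usually in several groups.
# These sAMAccountNames are constructed sample accounts.
$roles = @{
    'jsmith' = @('Reservations','Management')                # Reservations Manager
    'mjones' = @('Reservations','Maintenance','Management')  # Property Manager
    'owner'  = $departments                                  # business owner: every group
}

foreach ($user in $roles.Keys) {
    foreach ($dept in $roles[$user]) {
        Add-MissingMembers -Group "$groupPrefix$dept" -Users $user
    }
}
```

Run it as a domain account that may create objects in the domain root and in the new OU. Because every create and add is guarded by a lookup, the script is safe to run again after you extend the department list or the role table.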

Apply Access Permissions to the File Structure

Now it gets meaty! We need to “share” the Department folders so they are available on the network. Once a folder is shared, two sets of permissions apply to it: share permissions, which only matter when the folder is reached over the network, and NTFS permissions on the folder and everything inside it, which apply however the data is reached. The effective access is the more restrictive of the two, so the usual practice is to keep the share permission broad (for example Full Control or Change for Authenticated Users) and do all the real control with NTFS permissions, which determine who can get in and what they can do once they are in. It is possible (and not unusual) to provide differing levels of access (Read, Modify, Full Control) to different Groups through folder permissions. But overdoing this makes your logical structure overly complex, so use caution.

Think GROUPS When Assigning Permissions!

ALWAYS assign permissions to GROUPS, never to individual Users, if you want to maintain your sanity! Even if a Group has only a single member! A permission then describes a function rather than a person, and a person’s access is simply the sum of the Groups he belongs to, which is much easier to reason about when designing who gets access to what. (Microsoft’s own recommended pattern, often abbreviated AGDLP, goes one step further and nests the Global groups of accounts into Domain Local groups that receive the permissions; the single tier described here is fine for a small domain.)

The departmental folders are pretty easy to assign: the department Group usually gets Modify on its folder and all its contents, which lets staff create, edit and delete files. Reserve Full Control for the administrators’ Group. Full Control also lets a member change the permissions and take ownership, which is exactly how a well-meaning user silently breaks the structure we are building. Then, depending on workflow and business process, other Groups may get access ranging from Read to Modify. It all depends on who needs access to what. If your Reservations staff needs write access to the Maintenance folder, just assign the permission to the Reservations Group. If only the Reservations Manager needs access to the Maintenance folder, make her a member of the Maintenance Group.
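The sharing and permission steps, as an added PowerShell example that is not from the original article: it creates the department folders under a data root, shares each one with a broad share permission, and writes NTFS permissions that name Groups only, including the Reservations-into-Maintenance case above. It assumes the SmbShare module (Windows Server 2012 or later; on older servers net share and icacls do the same job), a data root of D:\Data, the Dept- group prefix, and an administrators’ group named FS-Admins; these are assumptions for illustration.

```powershell
# Added example: create, share and permission the department folders.
# D:\Data, the 'Dept-' prefix and the FS-Admins group are assumptions.
Import-Module SmbShare

$dataRoot    = 'D:\Data'
$domain      = $env:USERDOMAIN
$groupPrefix = 'Dept-'
$adminGroup  = "$domain\FS-Admins"
$ruleType    = 'System.Security.AccessControl.FileSystemAccessRule'

$departments = @('Company','Administrative','Accounting','Executive','Housekeeping',
                 'Maintenance','Management','Marketing','Reservations','Sales')

# Cross-department access from the text: Reservations staff also work in the Maintenance folder.
$extraModify = @{ 'Maintenance' = @("$domain\${groupPrefix}Reservations") }

function Set-DepartmentAcl {
    param([string]$Path, [string[]]$ModifyGroups, [string[]]$FullControlGroups)

    $acl = Get-Acl -LiteralPath $Path
    # The department root is the one place its permissions are defined: stop inheriting
    # from the data root ($false = do not keep copies of the inherited entries) ...
    $acl.SetAccessRuleProtection($true, $false)
    # ... and drop any explicit entries, so the list built below is the whole list.
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($old)
    }

    # ContainerInherit + ObjectInherit: the entry flows down to every subfolder and file.
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none  = [System.Security.AccessControl.PropagationFlags]::None

    foreach ($g in $FullControlGroups) {
        $acl.AddAccessRule((New-Object -TypeName $ruleType -ArgumentList $g, 'FullControl', $flags, $none, 'Allow'))
    }
    foreach ($g in $ModifyGroups) {
        # Modify = create, edit and delete, but NOT change permissions or take ownership;
        # that is what separates it from Full Control.
        $acl.AddAccessRule((New-Object -TypeName $ruleType -ArgumentList $g, 'Modify', $flags, $none, 'Allow'))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (-not (Test-Path -LiteralPath $dataRoot)) { New-Item -ItemType Directory -Path $dataRoot | Out-Null }

foreach ($dept in $departments) {
    $path = Join-Path $dataRoot $dept
    if (-not (Test-Path -LiteralPath $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # 'Company' is open to everybody (Domain Users); every other folder belongs to its own group.
    $modify = if ($dept -eq 'Company') { @("$domain\Domain Users") } else { @("$domain\$groupPrefix$dept") }
    if ($extraModify.ContainsKey($dept)) { $modify += $extraModify[$dept] }

    Set-DepartmentAcl -Path $path -ModifyGroups $modify `
        -FullControlGroups @($adminGroup, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

    # The share permission is deliberately broad: effective access is the MORE restrictive
    # of share and NTFS, so all real control lives in the NTFS entries written above.
    if (-not (Get-SmbShare -Name $dept -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $dept -Path $path -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
    }
}
```

Run it in an elevated PowerShell session on the file server. Note that the department root is the only folder whose inheritance is switched off; everything beneath it simply inherits, which is what keeps the tree auditable.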

Specialty shared folders might require a bit more thought. The system is very flexible, so try to design for functional complexity, but logical simplicity.

Note that one of the greatest benefits of this whole structure we’ve been building is this… Once the Folders are in place with permissions assigned to Groups, to add a new User or re-deploy an existing User you simply change his Group memberships and he gains access to all the resources and data that his functional position requires… in minutes! Two caveats: group membership is stamped into the user’s access token when he logs on, so the change takes effect at his next logon (or new connection to the server), not the instant you click OK; and when re-deploying someone, remove the old memberships as well as adding the new ones, or his access only ever accumulates.
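Re-deploying a user is the one moment where memberships are removed as well as added, so here is that step as an added PowerShell example (not from the original newsletter). It assumes the ActiveDirectory module, the Dept- group naming convention used in the examples above, and a constructed account jsmith; all are assumptions.

```powershell
# Added example: move a user to a new set of functional roles by replacing only
# the department group memberships. The 'Dept-' prefix and 'jsmith' are assumptions.
Import-Module ActiveDirectory

function Set-DepartmentMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$Departments,   # the roles the user should have from now on
        [string]$GroupPrefix = 'Dept-'
    )
    $wanted = @($Departments | ForEach-Object { "$GroupPrefix$_" })

    # Only department groups are touched; unrelated memberships (VPN users, etc.) stay as they are.
    $current = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
                 Where-Object { $_.SamAccountName -like "$GroupPrefix*" } |
                 Select-Object -ExpandProperty SamAccountName)

    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })
    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })

    foreach ($g in $toRemove) { Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false }
    foreach ($g in $toAdd)    { Add-ADGroupMember    -Identity $g -Members $SamAccountName }

    # Return what changed, so the run can be logged or reviewed.
    [pscustomobject]@{ User = $SamAccountName; Removed = $toRemove; Added = $toAdd }
}

# Sample: the Reservations Manager (constructed account) moves over to run Housekeeping.
# Reservations is removed, Housekeeping is added, Management is kept.
Set-DepartmentMembership -SamAccountName 'jsmith' -Departments 'Housekeeping','Management'
```

The new token is built at the user’s next logon, so ask him to log off and back on (or at least disconnect from the file server) before checking that the old department folder is now closed to him.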

Apply Access Permissions to Resources

Now that you know the logic behind applying Group permissions to folders, it should not be a stretch to do the same with any other securable object, for instance the print queue for that very expensive $0.10/page color laser printer. A printer carries its own permission list (Print, Manage Documents, Manage Printer), and by default it grants Print to Everyone. Since your Groups have already been created and populated, it is a simple matter to remove that Everyone entry and grant Print only to the Marketing Group and the Management Group. And the new Designer gets access to the printer as soon as she is assigned to the Marketing Group!

Cautions and Pitfalls

As mentioned above, always use Groups to assign permissions to folders, resources, and other objects. I can’t stress this enough! It keeps everything much simpler & makes managing everything a breeze (rather than a nightmare).

Avoid changing permissions on individual folders deep within a department tree, whether by adding an explicit entry to one folder or by switching off inheritance on a whole branch. You WILL lose track of the non-standard folders and, at some time in the future, it WILL mess you up! If you do need a different permission scheme on a folder within a department, place that folder at the root level of the main Department folder, where it is visible, and give it its own Group.

Be wary of Nested Shares. A nested share is a shared folder inside another shared folder, often several levels deep where nobody expects it. The same files are then reachable through two shares with two different sets of share permissions, and whoever reviews the outer share sees only one of them. Some admins create them as another mechanism to change permissions inside the folder structure, but it is as problematic as the previous point; a root-level folder with its own NTFS permissions does the job without the hidden second entrance.
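Both pitfalls can be found rather than remembered. The following is an added PowerShell audit example, not part of the original article; it lists every share that sits inside another share, and every folder under a department root that has broken inheritance or carries explicit entries, counting how many of those entries name a single user instead of a Group. It assumes the SmbShare and ActiveDirectory modules and a data root of D:\Data, which are assumptions for illustration.

```powershell
# Added example: audit a file server for nested shares and non-standard folder ACLs.
# Requires the SmbShare and ActiveDirectory modules; D:\Data is an assumed data root.
Import-Module SmbShare
Import-Module ActiveDirectory

function Find-NestedShares {
    # Report every share whose folder sits inside another share's folder.
    $shares = @(Get-SmbShare | Where-Object { $_.Path -and $_.Name -notmatch '\$$' })  # skip C$, ADMIN$, IPC$
    foreach ($inner in $shares) {
        foreach ($outer in $shares) {
            $outerPath = $outer.Path.TrimEnd('\') + '\'
            if ($inner.Name -ne $outer.Name -and
                $inner.Path.TrimEnd('\').StartsWith($outerPath, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ Share = $inner.Name; Path = $inner.Path; InsideShare = $outer.Name; OuterPath = $outer.Path }
            }
        }
    }
}

function Test-IsUserAccount([string]$NtAccount) {
    # 'DOMAIN\name' -> $true when AD says the principal is a user rather than a group.
    # BUILTIN\..., NT AUTHORITY\... and local accounts are not found in AD and return $false.
    $name = ($NtAccount -split '\\', 2)[-1]
    $obj  = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -ErrorAction SilentlyContinue
    return ($null -ne $obj -and $obj.ObjectClass -eq 'user')
}

function Find-NonStandardFolders {
    param([Parameter(Mandatory)][string]$Root)
    # Every folder below the department root that stopped inheriting, or that carries its
    # own explicit entries. Depth 1 is a root-level folder (acceptable); deeper is the
    # buried kind the article warns about.
    $rootLen = $Root.TrimEnd('\').Length
    Get-ChildItem -LiteralPath $Root -Directory -Recurse | ForEach-Object {
        $dir      = $_
        $acl      = Get-Acl -LiteralPath $dir.FullName
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            $principals = @($explicit | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
            [pscustomobject]@{
                Folder            = $dir.FullName
                Depth             = ($dir.FullName.Substring($rootLen) -split '\\').Count - 1
                InheritanceBroken = $acl.AreAccessRulesProtected
                ExplicitEntries   = $principals -join ', '
                UserEntries       = @($principals | Where-Object { Test-IsUserAccount $_ }).Count
            }
        }
    }
}

# Usage: nested shares on this server, then the folders under one department tree
# that are either buried (Depth > 1) or grant rights to an individual user.
Find-NestedShares | Format-Table -AutoSize
Find-NonStandardFolders -Root 'D:\Data\Accounting' |
    Where-Object { $_.Depth -gt 1 -or $_.UserEntries -gt 0 } |
    Format-Table -AutoSize
```

Run it on the file server as an account that can read every folder’s permissions (an administrator, or a member of the group holding Full Control). Anything it reports is a candidate for the fix above: move the folder to the department root, give it a Group, and re-share nothing.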

As always, if you have any questions or comments concerning this article, I’d be happy to discuss them with you at your convenience. Feel free to contact me at, or via my cell 443.310.5110.

During this article we often mention Functional Roles and Functional Departments. As today’s organizations become more efficient, leaner, and more flexible, the old static Organization Chart’s value has diminished. Group assignments can become quite tricky as Users’ functional roles cross these static borders. Next month’s newsletter will discuss using the concepts of functional roles to rethink classifying, utilizing, and optimizing your most important resource, your talented staff. See "Think “Functional Roles” when Allocating Staff and Resources!"