File servers will be accessed remotely, not just by users as they connect to shared folders, but also by support personnel who need to perform tasks such as creating, removing, and securing folders.

Too often, we see a data volume on a file server with top-level folders acting as shares for users.
But what happens if support people need to modify permissions on one of those top-level shared folders? They cannot. When you connect to a shared folder remotely, you cannot change its NTFS permissions. You can change permissions only on folders within the shared folder.

To change the NTFS permissions of the shared folder itself, you must either use MMC snap-ins or open the folder’s Properties dialog box in Windows Explorer on the server. Typically, the latter approach is desirable.

But that means the support people are either connecting to the server with Remote Desktop (which might not be desirable given the two-connection limit of Remote Desktop Protocol [RDP] when it is used for remote administration) or connecting to the server’s hidden administrative share (which requires membership in the server’s Administrators group, and therefore likely grants them more rights than they really need). Personnel who support shared folders are not necessarily (or should not necessarily be) administrators of the server, so they will not always be able to connect to the server using its hidden drive share. Therefore, you should create a folder on the server’s data volume that will host shared folders, and secure that folder so that users and support personnel can perform the tasks required for first-level folders within that root. We’ll call such folders root data folders.

For example: If two servers will host shared folders for projects and teams on their E:\ drive, create a folder on each server named E:\Data. Support personnel require the ability to create a top-level folder for a new project or team: Assign the Create Folders ACE to an appropriate group. The Create Folders permission is shown in Figure

Create additional root data folders if one of the types of data stored in shared folders mandates delegation to a unique support team. If three different IT support teams are responsible for administering subfolders, create three different root data folders, each with an ACL that enables the functionality required by its team.
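The root data folder procedure described above, as an added PowerShell example (not code from the book): it creates E:\Data, stops inheritance from the volume root, keeps Full Control for Administrators and SYSTEM, gives a support group Read & Execute plus the Create Folders ACE on the root only, and shares the root so first-level folders can be managed remotely. The group name CONTOSO\FS-Support, the share name Data, and the open share-level permission are assumptions.

```powershell
# Assumed names (not from the book): the support group and the share name.
$Root         = 'E:\Data'
$SupportGroup = 'CONTOSO\FS-Support'   # assumption: delegated support group
$ShareName    = 'Data'                 # assumption: share name for the root

New-Item -Path $Root -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $Root
# Stop inheriting from E:\ so the root carries only the ACEs defined here.
$acl.SetAccessRuleProtection($true, $false)

# Administrators and SYSTEM keep Full Control, inherited by everything beneath.
foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}

# Support group, "This folder only" (no inheritance flags):
#   ReadAndExecute    - browse into the root and list the first-level folders
#   CreateDirectories - the Create Folders ACE; lets them add E:\Data\<NewProject>
# The creator of a new folder becomes its owner, and an owner can always read and
# write the DACL, so the group can set that subfolder's NTFS permissions over the
# share while holding no rights on E:\ itself or on existing first-level folders.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $SupportGroup, 'ReadAndExecute,CreateDirectories', 'None', 'None', 'Allow')))

Set-Acl -Path $Root -AclObject $acl

# Share the root so first-level folders are reachable remotely. Share permissions
# are left open here (an assumption); the NTFS ACLs on the folders control access.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -FullAccess 'Authenticated Users' | Out-Null
}

# Check the result: explicit ACEs on the root data folder.
(Get-Acl -Path $Root).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType |
    Format-Table -AutoSize
```

Run it in an elevated session on the file server; a second root data folder for another team is the same script with a different path, group, and share name.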

Wherever possible, keep data volumes and root-level data folders consistent on file servers. This approach enables you to more effectively manage security on those folders.