I've got a bit of a situation here with shared folder permissions, and it's getting pretty messy with a mix of group and direct access. I'm facing issues like nested groups, direct user permissions, and it's unclear who really needs access to what. We've already tried trimming down obvious excess permissions and documenting what we can, but it still feels chaotic and unreliable. I'm wondering if I should just rebuild the permissions from scratch to make it clean, or if it's better to clean things up gradually over time. Has anyone gone through something similar without causing major access issues?
4 Answers
I've been through this before and opted for a complete reset. I got rid of all nested groups and direct permissions, creating one Active Directory group for each top-level folder. For example, for a folder named 'Marketing', I used a group called 'XXX-Marketing' (with 'XXX' representing our site location). I set the group permissions on the top-level folders and never touched them again—only changed group memberships. Sure, some users pushed for special permissions deeper in the folder hierarchy, but I held the line and refused. This made everything easier to audit since group members are easy to track, and it’s been a breeze to maintain.
I get that—did you have much confrontation when you started enforcing these rules?
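The group-per-top-level-folder model in the answer above only stays clean if drift is caught early. The following PowerShell script is an added example, not code from anyone in this thread; it assumes a hypothetical share root D:\Shares, site prefix XXX and domain NetBIOS name CORP, and reports every ACE that departs from the model (direct user or stray group at the top level, the expected group missing, or any explicit permission set deeper in the tree).

```powershell
# Added example (not from the thread): read-only audit of a share against the
# "one AD group per top-level folder, nothing below" model described above.
# Assumptions (hypothetical values): share root D:\Shares, site prefix XXX,
# domain NetBIOS name CORP. Run as an account that can read every ACL.
param(
    [string]$ShareRoot  = 'D:\Shares',
    [string]$SitePrefix = 'XXX',
    [string]$Domain     = 'CORP'
)

# Principals expected on every folder; these are not reported as drift.
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function New-Finding([string]$Folder, [string]$Issue, [string]$Principal, $Rights, $Type) {
    [pscustomobject]@{ Folder = $Folder; Issue = $Issue; Principal = $Principal
                       Rights = $Rights; Type = $Type }
}

$findings = foreach ($top in Get-ChildItem -Path $ShareRoot -Directory) {
    $expected = "$Domain\$SitePrefix-$($top.Name)"
    $explicit = (Get-Acl -Path $top.FullName).Access | Where-Object { -not $_.IsInherited }

    # 1. The folder's own group must be present on the top-level folder.
    if (-not ($explicit.IdentityReference.Value -contains $expected)) {
        New-Finding $top.FullName 'Expected group missing' $expected '' ''
    }

    # 2. Every other explicit ACE at the top level is a direct user or a stray group.
    foreach ($ace in $explicit) {
        $id = $ace.IdentityReference.Value
        if ($id -eq $expected -or $Allowed -contains $id) { continue }
        New-Finding $top.FullName 'Unexpected principal on top-level folder' $id $ace.FileSystemRights $ace.AccessControlType
    }

    # 3. Below the top level, any non-inherited ACE is a special permission that
    #    breaks the model (the "deeper in the hierarchy" requests).
    $subs = Get-ChildItem -Path $top.FullName -Directory -Recurse -ErrorAction SilentlyContinue
    foreach ($sub in $subs) {
        $acl = Get-Acl -Path $sub.FullName -ErrorAction SilentlyContinue
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            New-Finding $sub.FullName 'Explicit ACE below top level' $ace.IdentityReference.Value $ace.FileSystemRights $ace.AccessControlType
        }
    }
}

$findings | Sort-Object Folder | Format-Table -AutoSize
```

An empty report means the share still matches the model; each finding is either a membership that should move into the folder's group or an explicit ACE to remove before it becomes the next round of nested-group sprawl.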
When it came to my last cleanup, I ended up using a hybrid approach. I started by notifying everyone that an old mapped drive was being retired and they needed to reach out if they needed any data from it. I then slowly migrated data over time, sent reminders, and ultimately deleted the old drive. This way, I had time to educate everyone on proper access management and avoid chaos. Sometimes users would come back months later asking about files, but it gave me a chance to reinforce the importance of keeping up with notifications from IT while also assuring them we had backups. It worked well in the long run!
Sounds like a solid strategy! I've tried that, and it makes for smoother transitions.
From my experience, a clean rebuild is definitely the way to go. Start fresh with clear processes for access requests and approvals, then clear all existing permissions. Make everyone request access again following your new process and stay disciplined about it. I had a similar experience with a sensitive SharePoint site where we ended up resetting all permissions and delegating access management to the department heads. It's been over five years, and the transparency and control have significantly improved since then!
Interesting approach! Did moving away from legacy systems actually help keep things cleaner long-term?
In my opinion, this all boils down to a policy issue. While firms may love the concept of Role-Based Access Control in theory, they often struggle in practice defining those roles. If you can't get a handle on the roles, you wind up in an endless cycle of defining, drifting, and redesigning permissions. It's a tough problem that can't solely be fixed on a technical level; it needs to start at a policy level.

This approach really works! I've maintained similar policies for years and it's simplified management immensely. It takes some grit to say no to managers pushing for special access, but trust me, it's worth it in the long run.