Everyone has access to everything on the file server and no-one knows why anymore.
Permission creep happens because groups got expanded for years and rarely cleaned. The fix is not locking everything down in a single weekend, but restoring a group model and rebalancing step by step.
Try this first
- 1Run a report with AccessChk or a tool like FileAuditor: which shares have Domain Users, Authenticated Users or Everyone in their ACL?
- 2Define a role-based model: a security group per department or project, no more loose user permissions on folders.
- 3Work top-down: parent folders get only the department group, sub-folders only where it must differ. Avoid deep ACL pyramids.
- 4Plan an audit window per department with the team lead: who belongs here, who left, and what the exceptions are.
- 5Enable Access-Based Enumeration so users no longer see folders they cannot enter, which kills support questions.
When to bring us in
With hundreds of thousands of files or complex history a tool like Varonis or Netwrix pays off. That gets expensive fast, so first see if hygiene can be repaired with Microsoft-native means.
See also
- One DC or two DCs for an SMB office?Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs?For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy?Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.