Cover image of an article about file server migration and file server cleanup.

Microsoft® Windows is to IT departments like air is to humans. Well, maybe not quite as dramatic, but you really couldn’t imagine one without the other. And using Windows inevitably means you’ll be dealing with permissions, too – and lots of them! Permissions in the Active Directory, permissions on file servers and permissions on NTFS shares. It’s permission heaven! Or permission hell? You’ll know when you’re up for your next compliance audit. That is the point when organizations often realize they have no clue who has what permissions and why.

Their angst-ridden quest for a quick solution then leads them to file server migration. The term “migration” suggests we can Marie-Kondo our way out of the chaos – declutter, chuck out what doesn’t “spark joy”, and move the permissions we want and need to keep to a clean and tidy environment. Problem solved!

But what if I told you, you don’t need a file server migration tool to reorganize your file servers? Read on to learn how you can keep your file servers clean and tidy using IAM software.

Contents (show)

File Server Migration – What’s That?

File server migration basically means relocating all your shared folders, files and security settings from your old file server to a new location, usually another file server. There are numerous reasons why companies decide to perform a file server migration.

One such reason could be that the old file server simply doesn’t provide enough space anymore for the growing amount of data. Some organizations want to replace their physical server with a virtual one. And ever since Microsoft’s proclaimed cloud-only approach, the term “file server migration” can also refer to the use of Azure files or moving to Azure.

What Is a File Server Migration Tool?

“File server migration tool” is not a defined term. It usually refers to services that aid companies in migrating, i.e. relocating, their file server contents. File server migration tools are mostly employed by larger organizations because, not only do these tools take care of the migration process itself, they also clean up the file servers as they go along.

This is important because, no matter how organized your file storage was to begin with – if you’re not applying AGDLP accurately and using consistent terminology, you will end up with a chaotic file server.

In short, file server migration tools remove incorrect permission structures and guarantee that companies can continue working in a clean and organized environment.

Where Does the Chaos on File Servers Originate From?

Microsoft® recommends using the AGDLP principle for managing file servers and to implement role-based access control (RBAC) in Windows Domains. Unfortunately, Microsoft® has failed to provide admins with adequate tools to automate the processes demanded by the principle.

The consequence is that admins are still having to implement AGDLP manually, which obviously makes mistakes more likely to happen. In smaller companies with fewer employees, it probably is feasible to do it all manually – provided your admin is really meticulous and uses consistent terminology.

Too Many Admins Spoil the File Server

The more admins you have, and the more locations and departments they’re having to look after, the more mistakes are inevitably going to happen. And with every year that passes since the initial file server set up, the more conjumbled the permissions on these file servers are going to become.

Another problem associated with manual access management are incorrect NTFS permissions. Common mistakes include:

  • Giving users direct access to folders instead of via group membership. If you do this and these users are later deleted from the AD, you’re going to be left with orphaned SIDs on the folder.

  • Using organizational groups as permission groups, which is detrimental to transparency and can also lead to orphaned SIDs.

  • Using permission groups more than once and/or nesting them gives users more rights than they need.

  • Failure to use names and terms consistently. Using incorrect or misleading names for permission groups make it harder to understand connections between folders and groups.

  • Setting list rights incorrectly or not using them at all. The consequence is that users either cannot access the folders they do have permission for, or they can access folders they are not supposed to be able to access.

Bad Structures Lead to Privilege Creep

Uncontrolled file server growth, ignored naming conventions and wrongly used and/or nested permission groups are not just detrimental to transparency, they also put your data at risk. One such risk is a so-called privilege creep, which is when users collect more privileges over time than they should.

The privilege creep is further exacerbated in companies that use reference users (or template users): this is when a new person joins the company and the admin, instead of creating an entirely new user with all the necessary Active Directory privileges for that person, simply copies an existing user (who then becomes the reference or template user) belonging to a person with a similar job description.

If the reference user already has excess privileges (e.g. due to nested permission groups), these will be passed on to the new user.

Remember: the more you rely on reference users, the more you are putting your data and company at risk!


Incorrect Privileges Make It Harder to Protect Data

A privilege creep is bad for internal data protection, of course. If nobody can keep track of who has access to what resources and data, the risk of internal data theft or misuse rises significantly.

But a privilege creep also makes it harder to protect data against outside attacks. The more privileges users have, the worse the effects of malware or ransomware attacks and phishing mails can be.

IMPORTANT! Organizations suffering from chaotic file servers cannot fall back on cyber insurance as a means to protect themselves against hacker attacks!


This is because cyber insurance providers require you to prove you have some kind of IT security concept in place, including the regulation of access to resources.

Clean Up File Server, Close Security Holes

You don’t need a file server migration tool to tidy the structures on your file server and close potential security holes. What you do need is software that automates file server access management in accordance with best practices.

Of course, you can try to clean up your file server manually or get it serviced and have the correct structures set up for you. However, you will probably be facing the exact same problems within a year or maybe two, at best.

Your best option is therefore to FIRST choose a product that automates access management and THEN adapt the old structures (if still needed). This way, you can ensure that:

  • new access rights are only assigned according the principle of least privilege and compliance demands.

  • uncontrolled file server growth is prevented.

  • your recently cleansed structures can migrate smoothly to the new software.

  • that no (supposedly) more urgent projects and/or budget issues delay the deployment of the new software/tool, making the transition more difficult and possibly exposing new security vulnerabilities.


File Server Cleanup With tenfold

tenfold is identity and access management software that guarantees automated and compliant management of access rights, both on premises and in the cloud. That means tenfold manages permissions not just on file servers, but also permissions in Active Directory, Azure AD, Exchange (Online) and Sharepoint (Online).

tenfold thus makes manual access management obsolete and brings order to your file servers. Once set up, admins and users only have to configure the desired permission level and tenfold takes care of implementing the AGDLP principle in the domain correctly and automatically.

Reporting on Status Quo and Effective Permissions

The current state of your file server – be it messy, ultra messy or pure mayhem – has no influence on the deployment of tenfold. Once installed, tenfold will automatically assign new access rights in accordance with best practices. Additionally, the reporting feature will inform you of the current access structure and effective permissions on you file server.

The tenfold dashboard highlights existing problems on your file server and Active Directory and can automatically fix many common issues, such as empty AD groups, broken up inheritance or directories with directly privileged users.

While tenfold cannot fix long-standing problems with your file server all by itself, it will assist you in gradually smoothing out these issues once installed. For instance, by submitting all non-standard permissions to regular user access reviews by the relevant data owner, outdated and unnecessary permissions are automatically removed once they fail the recertification process.

In case the old structures are too complex and/or you don’t have the time to clean them up manually using tenfold’s reports, there is an add-on available you can use to help you with the file server cleanup or file server migration.

tenfold as File Server Migration Tool

File server cleanup or file server migration can be achieved using an add-on that can be licensed in addition to tenfold. tenfold can generate hundreds of permission groups and list permissions in the Active Directory for thousands of users across numerous directories. These are then linked and the ACLs rebuilt accordingly.

The file server migration tool analyzes your current folder and permission structure and produces reports on any problems (e.g. overly complex directory structures, incorrect permissions, orphaned AD objects or recursive group memberships). It then eliminates these problems and cleans up the structures.

Cover image for an article about file server migration. IT admin showing both middle fingers to code on screen.

File Server Migration

If you install tenfold plus add-ons, not only can you rebuild your authorization structure, but, if required, the software will also take care of file server migration.

What Are the Steps in File Server Migration/Cleanup With tenfold?

  1. License tenfold plus file server migration add-on
  2. Install and configure software
  3. Add-on analyzes current structures, produces reports and tidies old structures.
  4. tenfold establishes a compliant permission structure across all levels.
  5. You can now migrate your file servers with neat structures and automated permission management.

Why Use tenfold for File Server Migration?

tenfold access management is specifically geared toward mid-market organizations. Our approach is pragmatic. We translate complex matter into user-friendly matter. Our aim is to ensure that ALL tenfold users between IT and HR can use our product efficiently and with ease.

File server management with tenfold enables you to stay in line with internal and external compliance regulations, such as the GDPR, HIPAA and SOX.

White Paper: File Server Migration
as Part of the tenfold Installation

Learn How to Bring Order to Your File Servers in Four Simple Steps

Download now

White Paper: File Server Migration
as Part of the tenfold Installation

Learn How to Bring Order to Your File Servers in Four Simple Steps

Download now