Skip to content
3 min read

Client case: platform for an accounting firm

Deploying and operating a secure file platform for an accounting firm, from the audit of the existing setup to the permission model.

ReliableMaintainableSecurePrivate

Context / need

An accounting firm grows from two to five or six people. The file server in place is about ten years old and was configured for the original team: a single Windows account shared by everyone, so the same access to every folder for each person, no traceability, and a “backup” that amounts to a copy on the same single disk. Hiring makes the issue urgent: individual accounts, role-differentiated permissions, a real backup, and protection against power outages.

Constraints

Options considered

Decision & why

A Synology DS225+ NAS, two mirrored 4 TB disks (SHR), protected by a UPS (APC Back-UPS 950VA). The installation starts with an audit of the existing network: identify the subnets behind the firm’s firewall and choose where to connect the NAS so every workstation can reach it.

The access model is the core of the project:

Accepted tradeoff

Consumer-grade hardware, at the scale of a small firm: no high availability. If the unit dies, the way out is the documented restore. Accepted compromise: at this scale, robustness comes from the disk mirror, the UPS, the tiered backups and a maintained restore runbook, for a budget that remains that of a small firm.

Outcome

The ten-year-old server is unplugged. For the team, nothing changed beyond new credentials: that was the goal.

Migrating the legacy

Preparation first: an audit of the existing setup, mounting the old server’s share read-only, then transfer with rsync: about 640 GB and 190,000 files in under 18 hours, zero errors. The physical installation happened on a Saturday, with the office closed; accounts, groups and shares were configured next, then the switchover cut access to the old server.

The pitfalls encountered, noted for next time: residual SMB sessions on the source server to purge before remounting the share, and Windows authentication heading for a nonexistent domain (the server was in fact not domain-joined): the local account had to be forced explicitly.

On the team side: everyone received their new credentials and entered them on their workstation. No perceived downtime.

Permission model & operations

The permission model follows a simple matrix: groups (management, staff) and specific permissions on certain folders. A new hire is handled by adding an account to the right group, without touching the shares.

Operations rely on the NAS’s built-in pieces: access and change logging, monitoring and alerts, file versioning. A runbook covers the scenarios that matter: restoring a file or a folder, a disk failure, loss of the whole unit.


This page contains no address, no network map, and no identifying equipment detail. It describes roles and decisions; specifics are shared in an interview.