The part that worries me
As a large org with BYOD policies and SMB enabled (with passwords on anything writeable) is the risk of someone getting infected externally then scrambling the samba file shares despite them residing on *nixen.
Yes they're backed up every night and yes I have triggers picking up if too many SHA256 signatures change in any given file share, but the restoration time is still a hassle.
Vista has only just gone "end of life" - which means it's a sacking offence to connect one to the network here without written permission, but Win7 is still alive (barely), so there's still a risk.
Perhaps monitored canary traps/honeypots are an appropriate defence against this kind of thing.