In a Windows based network chances are high that you’ll have to deal with file sharing and permissions. Here I’ll be giving and overview of permissions followed by showing you some examples. Lets get to it!
First up lets dive in to Permissions. In Windows we have 2 independent types of permissions, Share Permissions and NTFS Permissions. Anybody on the network trying to connect to a Share is going to have to deal with Share Permissions and NTFS Permissions meaning both would have to allow you access. However locally (if you’re sitting at the computer storing the files itself) Share Permissions won’t come in to play at all, only NTFS Permissions will determine if you can access folders or not.
Because NTFS Permissions and Share Permissions determine access to Shares for users on the network we will be able to set Share Permissions to the “Everyone” group and manage final access with only NTFS Permissions.
For this LAB environment I’m going to create a Shares folder on the C drive. We’ll go ahead and set the Share Permissions to everyone for this folder.
That’s it for creating the Share as this sets the Share Permissions and NTFS Permissions for us. Now we only need to focus on NTFS Permissions.
I’ve gone and setup some users and groups to play with inside of an Organizational Unit (OU). Bob and Sam are part of the People group. CEO is part of the CEO grp group. I also have the CEO grp group in the People group so that the CEO can keep an eye on Bob and Sam’s work.
I’ve also gone and created some folders within the Shares folder for us to edit the permissions of.
To change the NTFS Permissions we’ll first need to disable inherited permissions. By default it’ll be on for all folders you create in the Shares folder meaning we can’t remove the Everyone group from subfolders within the Share unless we disable inheritance first.
Once you’ve done that, click OK and you’ll now be able to edit the NTFS Permissions however you like. We can edit the CEO’s folder so that only they have permission to it now.
Remove the Everyone group, click add and type the group you would like to add.
I did the same to the Work folder, removing the Everyone group and adding the People group. Now when the User Sam tries to view the share this is what they see.
However when the CEO view the share they see this.
Mapping at login
To map this Share at login we’ll make a quick GPO. Open the Group Policy Management window from Server Manager > Tools (Top right). Expand down to your Domain name, Right click it and Select Create a GPU in this domain, and Link it here….
Pick a name and click OK. Right click the new GPO and click Edit.
In the new Window, expand down User Configuration > Preferences > Windows Settings > Drive Maps. Right click Drive Maps and go New > Mapped Drive.
We can enter the network path for the drive here and we have many other options.
Action Update will create the map if it doesn’t already exist and update it if it does.
Location is the path to the Share.
Reconnect will make it automatically connect the drive
Lable as will be the name
Drive Letter network drives normally start from Z and go backwards through the alphabet.
Click OK and you’re done. Repeat this as many times as you need to if you’re adding more network shares. You’ll need to log out and back in to any client computers for this to take effect or type “gpupdate /force” in to cmd.
Once you log back in you should see the drive mapped automatically.