Forum Discussion
Best practices: sharing folders, NTFS+share permissions and the Everyone permission
- Jun 13, 2019
You should follow AGDLP.
AGDLP means „Account -> Global Group -> Domain Local Group <- Permission“
I'll give you an example of how to implement this:
You have a user „User1“. You want to use AGDLP to give Read/Write Permissions to a folder on a network share.
First create a global group in Active Directory where you collect all users that need the same permissions. In our example I call this group „Department1“ and add „User1“ to it.
Now create a folder on your file server and set NTFS permissions like this:
Owner: Builtin Administrators
Disable Inheritance
Full Access: Builtin Administrators, SYSTEM
Read Access (No Propagate): Authenticated Users
In SDDL, the above would look like this:
O:BAG:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;;FXFR;;;AU)
Now share the folder and leave its share permissions on „Everyone/Full Control“.
Next you create your subfolder, in our example „Folder1“. You also need to create a domain local group in Active Directory for this specific folder permission. I’ll name this group „Folder1.RW“.
Now add the group „Folder1.RW“ to the NTFS permissions of Folder1 (keep inheritance) and set its permissions to „modify“ (you can set custom permissions, deselect „delete“ and select „delete subfolders and files“ instead, if you want to keep User1 from deleting the whole Folder1).
In SDDL this would look like this on Folder1:
O:BAG:DUD:AI(A;OICI;DTFXFWFR;;;S-1-5-21-3673288924-3378700394-847182531-3628)
(S-1-5-21-3673288924-3378700394-847182531-3628 is the SID of your example group „Folder1.RW“)
The last thing to do now is to make „Department1“ a member of „Folder1.RW“ and tell User1 to log off and on again. Now he should be able to access the file share and read/write inside Folder1.
If you want to use share permissions in addition to NTFS permissions (not necessary), I would set them like this:
Everyone - Read
Authenticated Users - Modify
Builtin Administrators - Full Access
I hope this gives you a starting point.
I also recommend learning and understanding AGDLP, RBAC and SDDL, especially if you need to implement more complex scenarios in the future.
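The same AGDLP setup, scripted in PowerShell as an added example (this is not code from the post above). It assumes the RSAT ActiveDirectory and SmbShare modules are present, that it runs elevated on the file server as a domain admin, and that the OU path, NetBIOS domain name, folder path and share name are placeholders you replace with your own. The root-folder SDDL string is the one given in the post; the Folder1 ACE is built with a FileSystemAccessRule so that inheritance is kept, with the same rights as the post's DTFXFWFR ACE.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example, not the poster's code. Placeholders (assumed, replace them):
$OuPath    = "OU=FileGroups,DC=contoso,DC=example"   # OU for the groups
$Domain    = "CONTOSO"                                # NetBIOS domain name
$Root      = "D:\Shares\Department"                   # shared root folder
$ShareName = "Department$"                            # hidden share name
$ErrorActionPreference = "Stop"

# A -> G: the user goes into a global (role) group.
New-ADGroup -Name "Department1" -GroupScope Global      -Path $OuPath
Add-ADGroupMember -Identity "Department1" -Members "User1"

# DL <- P: a domain local (resource) group carries the folder permission,
# and the global group is nested into it (G -> DL).
New-ADGroup -Name "Folder1.RW" -GroupScope DomainLocal -Path $OuPath
Add-ADGroupMember -Identity "Folder1.RW" -Members "Department1"

# Root folder: owner BUILTIN\Administrators, inheritance disabled (P),
# SYSTEM and Administrators full control, Authenticated Users read on this
# folder only (no OI/CI flags). SDDL taken verbatim from the post.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$rootAcl = Get-Acl -Path $Root
$rootAcl.SetSecurityDescriptorSddlForm(
    "O:BAG:DUD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;;FXFR;;;AU)")
Set-Acl -Path $Root -AclObject $rootAcl

# Share it with Everyone/Full Control; NTFS does the effective access control.
# Alternative from the post, if you want share permissions as well:
#   New-SmbShare -Name $ShareName -Path $Root -ReadAccess "Everyone" `
#       -ChangeAccess "Authenticated Users" -FullAccess "BUILTIN\Administrators"
New-SmbShare -Name $ShareName -Path $Root -FullAccess "Everyone" | Out-Null

# Folder1: keep inheritance, add Folder1.RW with Modify minus Delete, plus
# "Delete subfolders and files" (matches the post's DTFXFWFR rights).
$Folder1 = Join-Path $Root "Folder1"
New-Item -ItemType Directory -Path $Folder1 -Force | Out-Null
$rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
          [System.Security.AccessControl.FileSystemRights]::Write -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\Folder1.RW", $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$f1Acl = Get-Acl -Path $Folder1
$f1Acl.SetAccessRuleProtection($false, $true)   # keep inheriting from $Root
$f1Acl.AddAccessRule($rule)
Set-Acl -Path $Folder1 -AclObject $f1Acl

# Verification: compare the resulting SDDL with the strings in the post and
# confirm which SID the Folder1 ACE refers to.
"Root SDDL:    " + (Get-Acl -Path $Root).Sddl
"Folder1 SDDL: " + (Get-Acl -Path $Folder1).Sddl
"Folder1.RW SID: " + (Get-ADGroup -Identity "Folder1.RW").SID.Value
Get-SmbShareAccess -Name $ShareName
```

The verification lines print the SDDL that Windows actually stored, so you can check that the root DACL carries the P flag and that Folder1 shows an inherited copy of the Authenticated Users ACE absent (it was set without OI/CI) plus the explicit Folder1.RW ACE. As the post says, User1's token only picks up the new group memberships after a fresh logon.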
5 days, 184 views, 0 replies? Is it that obscure or that easy that no one tries to answer? 8D