Jun 05 2019 09:36 PM
Trying to follow best practices on sharing data folders using security groups instead of users, I rolled down the hill and I can't go any further.
I have a data folder shared on the network. The data is on my Server 2016 (I tried this on a Server 2012R2 and it does the same). Inside that folder, there is a subfolder that I want to give permissions on. So I created a security group, gave permissions to that security group (following this link) and put a user into that group.
Then I tried to use it to no avail. The user can't access the folder. If I directly put the user in the permission list instead of using the security group, it works as expected. If I analyze the effective permissions, I get X everywhere for the group, with "Share" on the "Access limited by" column. But the network share is Everyone - Full Control (and no other in the list).
As you can see here, here, here or here, I'm not alone. The last post has the correct identification of the problem: the security group that I use is not included in the definition of Everyone for Microsoft, so I have to manually add the security group to the root share permission. But having dozens of security groups, adding all of them to the root share folder's permission list is not a funny thing to do.
So, what's the correct way of doing this?
Jun 11 2019 06:24 PM
5 days, 184 views, 0 replies? Is it that obscure or that easy that no one tries to answer? 8D
Jun 13 2019 02:29 AM - edited Jun 13 2019 02:31 AM - Solution
You should follow AGDLP.
AGDLP means „Account -> Global Group -> Domain Local Group <- Permission“
I'll give you an example of how to implement this:
You have a user „User1“. You want to use AGDLP to give Read/Write Permissions to a folder on a network share.
First create a global group in Active Directory where you collect all users that need the same permissions. In our example I call this group „Department1“ and add „User1“ to it.
Now create a folder on your file server and set NTFS permissions like this:
Owner: Builtin Administrators
Full Access: Builtin Administrators, SYSTEM
Read Access (No Propagate): Authenticated Users
The above would look in SDDL like this:
Now share the folder and leave its share permissions on „Everyone/Full Control“.
Next you create your subfolder, in our example „Folder1“. You also need to create a domain local group in Active Directory for this specific folder permission. I’ll name this group „Folder1.RW“.
Now add the group „Folder1.RW“ to the NTFS permissions of Folder1 (keep inheritance) and set its permissions to „modify“ (you can set custom permissions, deselect „delete“ and select „delete subfolders and files“ instead, if you want to keep User1 from deleting the whole Folder1).
In SDDL this would look like this on Folder1:
(S-1-5-21-3673288924-3378700394-847182531-3628 is the SID of your example group „Folder1.RW“)
The last thing to do now is to make „Department1“ a member of „Folder1.RW“ and tell User1 to log off and on again. Now he should be able to access the file share and Read/Write inside of Folder1.
If you want to use share permissions in addition to NTFS permissions (not necessary), I would set them like this:
Everyone - Read
Authenticated Users - Modify
Builtin Administrators - Full Access
I hope this gives you a starting point.
I also recommend learning and understanding AGDLP, RBAC and SDDL, especially if you need to implement more complex scenarios in the future.
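The AGDLP setup from the answer above, scripted in PowerShell as an added example (not code from the thread). It assumes the ActiveDirectory RSAT module, a placeholder OU `OU=Groups,DC=example,DC=local`, a placeholder share root `D:\Shares\Data` and the NetBIOS domain name `EXAMPLE`; run it as a domain admin on the file server.

```powershell
using namespace System.Security.AccessControl
using namespace System.Security.Principal
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=example,DC=local'   # placeholder OU for the groups
$root    = 'D:\Shares\Data'                  # placeholder share root
$folder1 = Join-Path $root 'Folder1'

# A -> G: global group that collects the users sharing one role
New-ADGroup -Name 'Department1' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Department1' -Members 'User1'

# DL <- P: domain local group that carries the permission for this one folder
New-ADGroup -Name 'Folder1.RW' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'Folder1.RW' -Members 'Department1'   # G nested into DL

# Share root NTFS ACL: Administrators/SYSTEM full, Authenticated Users read on this folder only
New-Item -ItemType Directory -Path $root -Force | Out-Null
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs so the ACL is exactly this
$acl.SetOwner([NTAccount]'BUILTIN\Administrators')
foreach ($p in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule([FileSystemAccessRule]::new($p, [FileSystemRights]::FullControl,
        [InheritanceFlags]'ContainerInherit,ObjectInherit', [PropagationFlags]::None,
        [AccessControlType]::Allow))
}
# No inheritance flags = "This folder only", i.e. read does not propagate into subfolders
$acl.AddAccessRule([FileSystemAccessRule]::new('NT AUTHORITY\Authenticated Users',
    [FileSystemRights]::ReadAndExecute, [InheritanceFlags]::None,
    [PropagationFlags]::None, [AccessControlType]::Allow))
Set-Acl -Path $root -AclObject $acl

# Share permissions stay Everyone / Full Control; NTFS does the real restriction
New-SmbShare -Name 'Data' -Path $root -FullAccess 'Everyone' | Out-Null

# Folder1: keep inheritance, grant Folder1.RW "Modify" minus "Delete" plus
# "Delete subfolders and files", so members manage contents but cannot delete Folder1 itself
New-Item -ItemType Directory -Path $folder1 -Force | Out-Null
$rights = [FileSystemRights](([int][FileSystemRights]::Modify -band -bnot [int][FileSystemRights]::Delete) `
    -bor [int][FileSystemRights]::DeleteSubdirectoriesAndFiles)
$acl = Get-Acl -Path $folder1
$acl.AddAccessRule([FileSystemAccessRule]::new('EXAMPLE\Folder1.RW', $rights,
    [InheritanceFlags]'ContainerInherit,ObjectInherit', [PropagationFlags]::None,
    [AccessControlType]::Allow))
Set-Acl -Path $folder1 -AclObject $acl
```

The resulting descriptors can be inspected with `(Get-Acl $folder1).Sddl` to compare against the SDDL form the answer refers to.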
Jun 23 2019 09:51 PM
@dretzer THANK YOU THANK YOU THANK YOU THANK YOU!
Those steps were the same steps I've performed, almost...
I've followed your lead and nailed the problem. The permission group was a GLOBAL group, not a LOCAL one!
I've corrected that and everything works fine.
But I have a question. It's not a problem, it's only something I don't understand.
Suppose you have a group (Global Group), say SALES, that needs RW access to the Folder1 you created. I've put SALES inside „Folder1.RW“.
If I ask for the "Effective access" for the group SALES, I have all denied (again, "Access limited by" says "Share, File permissions"). BUT if I ask for a user inside the SALES group, permissions are correctly displayed, so the SALES users can RW the content.
Why is that? Shouldn't the SALES group have the same Effective access as its contained users?
Jun 24 2019 12:25 AM - edited Jun 24 2019 12:26 AM
@Djago When you evaluate users with the "effective access" tab in Windows Explorer, it actually evaluates the user token. The token includes all group memberships, and as such you see the effective access for this user including all its groups.
For groups there is no security token, so the same process only evaluates the group access itself. You only see effective access for the group directly, not including the nested groups.
Since Win2012 you can add additional groups to the dialog and the help-text tells you as such.
You should take a look at the Sysinternals tool "accessenum.exe", which you can download here: https://docs.microsoft.com/en-us/sysinternals/downloads/accessenum