Windows Lab 8 - Creating Groups and Shared Folders

Introduction

In this lab we're going to create some shared folders where our users can store data. We want to make sure only the correct people can access the data, so we'll be applying permissions to these shared folders.

Creating Security Groups

In a previous lab we created Organizational Units to organize our users based on their department. It's important to remember that OUs exist to organize objects and cannot be used to control access to network resources. Being in the Human Resources OU does not give you access to Human Resources data; for that we need security groups. We're going to create a group for each department and a group that holds all staff members.

Make sure you have both servers running for this lab, the client isn't needed. Log into Server01 and open Active Directory Administrative Center.

Before we start creating security groups we'll want to create an OU to hold them. This will help keep the domain organized. Select the GotoHull Users OU; if it's not bookmarked on the left side, click the arrow next to the domain name and select the GotoHull Users OU. Once it's selected click New on the right side, then Organizational Unit, to create a new OU inside GotoHull Users.

Name the OU Security Groups and click Ok.

Now that we have the new Security Groups OU we can open it up so we can create our Security Groups. Double click Security Groups.

While in the Security Groups OU click New then click Group.

First we're going to create a security group for the Accounting department. Type Accounting for the name; the SamAccountName is filled in automatically. Click Ok.

Repeat those steps to create groups for the departments listed below. You'll also create a group for all staff members, and another for people who will be responsible for managing the shares we're going to create later.

  • Human Resources

  • Information Technology

  • Marketing

  • Purchasing

  • Quality

  • Sales

  • Staff

  • File Server Administrators

Add Users to Our Groups

The groups have been created, but they won't do anything until user accounts are added to them. There are different ways to complete this task; we're going to look at a couple.

In Active Directory Administrative Center switch to tree view by clicking the icon on the left side above the domain. This shows the tree structure of Active Directory. We're going to be switching between multiple OUs and this view will make that a little easier. Expand gotohull (local), then GotoHull Users, and click Accounting. Click a user in the list and press CTRL+A to select all users, then click the Add to group link on the right side.

Type Accounting and click Check Names. If all goes well Accounting becomes underlined. Click Ok. That adds all the users in the Accounting OU to the Accounting group. Repeat these steps for the users in each of the remaining department OUs. When you're done every user should be in the group that matches their department.

Switch back to list view and select the Security Groups OU on the left side. If it's not listed there you can browse to it using the arrow next to the domain. At this point all the groups should have users in them except Staff (and File Server Administrators, which stays empty until you add the people who will manage the shares). We're going to look at Staff next.

To add all the users to the Staff group we're going to use PowerShell. Open PowerShell.

First we need to import the Active Directory module so we can interact with Active Directory from PowerShell. We'll use the Import-Module cmdlet* to do this. Type the following and hit enter.

    • Import-Module ActiveDirectory

Now we're going to use the Get-ADUser cmdlet to return a list of users in Active Directory. We don't want every user in Active Directory, only the accounts that represent people in our environment; there are many built-in accounts that we don't want in the Staff group. We set the SearchBase to the distinguished name of our GotoHull Users OU so it only finds the user accounts we created (the search is recursive, so users in the department OUs below it are included). If you type Get-ADUser -Filter * -SearchBase "OU=GotoHull Users,DC=GotoHull,DC=com" and hit enter you'll see a long list of your user accounts scroll by. Instead of printing the users to the screen we want to add them to the Staff group. To do this we use the pipe operator (|), which sends the output of one command into the next. We're going to pipe the users into the Add-ADPrincipalGroupMembership cmdlet. Type the following and press enter.

  • Get-ADUser -Filter * -SearchBase "OU=GotoHull Users,DC=GotoHull,DC=com" | Add-ADPrincipalGroupMembership -MemberOf "Staff"

That's it, now all your users are in the Staff group. You could turn those two commands into a script that runs nightly to add all users in the GotoHull Users OU to the Staff group, so that if you create a new account and forget to add it to Staff the script does it for you. Keep in mind that such a script only adds: an account you move or disable stays in Staff until you remove it, and any account you place under GotoHull Users (a service account, for example) will be given Staff access to every share.

We can run one more command to make sure the accounts were added to the Staff group. We'll use the Get-ADGroup cmdlet to return the group's member list and count it. Type the following and hit enter.

  • (Get-ADGroup "Staff" -Properties Members).Members.Count

The result should be 211. If you want to verify the other groups, modify the command to name each group in turn. Here is how many users should be in each group.

  • Accounting: 29

  • Human Resources: 36

  • Information Technology: 26

  • Marketing: 26

  • Purchasing: 23

  • Quality: 37

  • Sales: 33

*A cmdlet is a command in PowerShell made up of a verb and a noun. In Import-Module, Import is the verb and Module is the noun.
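The whole of this section as one script, added here as an example and not part of the lab: it creates the Security Groups OU and the groups, fills each department group from its OU, puts everyone under GotoHull Users into Staff, and prints the counts so you can compare them with the list above. It assumes the gotohull.com domain and the GotoHull Users OU layout from the earlier labs and is run on Server01 as a domain administrator.

```powershell
# Added example, not part of the lab: build the groups, populate them, verify counts.
# Assumes the lab's gotohull.com domain and its "GotoHull Users" OU with one sub-OU
# per department. Run on Server01 as a domain administrator.
Import-Module ActiveDirectory

$usersOU  = "OU=GotoHull Users,$((Get-ADDomain).DistinguishedName)"
$groupsOU = "OU=Security Groups,$usersOU"

$departments = 'Accounting', 'Human Resources', 'Information Technology',
               'Marketing', 'Purchasing', 'Quality', 'Sales'

# 1. OU that holds the groups (only created if missing, so the script can be rerun).
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Security Groups)' -SearchBase $usersOU -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Security Groups' -Path $usersOU
}

# 2. One global security group per department, plus Staff and File Server Administrators.
#    New-ADGroup copies the name into SamAccountName, the same as ADAC does.
foreach ($name in ($departments + @('Staff', 'File Server Administrators'))) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $groupsOU)) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupsOU
    }
}

# 3. Department OU -> department group. Only users not already in the group are piped
#    in, so a second run does not throw "already a member" errors for each user.
foreach ($dept in $departments) {
    $groupDN = (Get-ADGroup -Identity $dept).DistinguishedName
    Get-ADUser -Filter * -SearchBase "OU=$dept,$usersOU" -Properties MemberOf |
        Where-Object { $_.MemberOf -notcontains $groupDN } |
        Add-ADPrincipalGroupMembership -MemberOf $dept
}

# 4. Everyone under GotoHull Users (all sub-OUs) goes into Staff. Keep service and
#    test accounts out of that OU, or they get Staff access to every share.
$staffDN = (Get-ADGroup -Identity 'Staff').DistinguishedName
Get-ADUser -Filter * -SearchBase $usersOU -Properties MemberOf |
    Where-Object { $_.MemberOf -notcontains $staffDN } |
    Add-ADPrincipalGroupMembership -MemberOf 'Staff'

# 5. Verify: the lab expects Staff = 211 and the per-department counts it lists.
foreach ($name in ($departments + 'Staff')) {
    $count = @(Get-ADGroupMember -Identity $name).Count
    '{0,-24} {1,4}' -f $name, $count
}
```

If you schedule this as the nightly job the lab mentions, run it under an account that is allowed to change group membership and nothing more; and remember it only ever adds members, so removing someone from a department is still a manual step.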

Create Shared Folders

We're ready to create our shared folders and secure them so that only the correct people can access the data.

You can close everything and open File Explorer.

In File Explorer click the arrow in the upper right corner to expand the ribbon. The ribbon will give us quick access to some of the common tasks that we'll perform.

We're going to create a single folder that holds all our shared folders. We'll call it Shared Data and put it in the root of the C:\ drive. The Shared Data folder itself won't be shared; each folder within it will be. Click Local Disk (C:) on the left side. With the C:\ drive selected click the New Folder button in the ribbon and type Shared Data for the name of the folder.

Open up the Shared Data folder and create the following folders inside Shared Data.

    • Apps

    • Common

    • Home

    • Public

Now that the folders are created we need to share them and set up permissions. We'll start with the Home folder. It will contain a folder for each person, and each person will have exclusive access to their own folder: a central place to store their data that is available from any computer they log in to. Select the Home folder, then click Properties.

In the properties window click the Sharing tab followed by the Advanced Sharing button.

In the Advanced Sharing box click the Share this folder box then click the Permissions button.

This box controls the share-level permissions. Remove the default Access Control Entries (ACEs) by selecting each one and clicking the Remove button.

Once the Access Control List (ACL) is empty click the Add button to add a new ACE.

First we're going to add Domain Admins and click Check Names. Once Domain Admins is underlined click Ok. Repeat these steps to add Staff and File Server Administrators.

Set the permissions for Domain Admins by selecting Domain Admins in the ACL and checking Full Control in the Allow column. Do the same for the File Server Administrators group.

We're only going to give the Staff group Change access at the share level; we'll get more granular on each subfolder using NTFS permissions. A user's effective access through a share is whichever of the share permission and the NTFS permission is more restrictive, so since each user needs to write to their own folder, Staff needs Change at the share level. Select the Staff group, check the box to allow Change, then click Ok.

We're done with the sharing settings so click Ok.

Now we're going to move on to the NTFS permissions. Click the Security tab.

There's not much we can do on this screen. If we click Edit we can only add ACEs to the ACL. We want to remove all the existing ACEs before adding our own, and we can't do that until we disable inheritance: the existing entries are being pushed down to this folder from the parent folder, and we're going to turn that off. Click Advanced.

Click the Disable inheritance button at the bottom of the window.

When you click the button it will ask you what you want to do with the existing inherited permissions. We want to delete them so click Remove all inherited permissions from this object.

We have an empty ACL, now we can add our own ACEs. Click the Add button.

Click Select a principal to choose what you want to add to the ACL.

Type in Domain Admins and click Check Names, once Domain Admins is underlined you can click Ok.

We want Domain Admins to have Full Control of the folder. Check the box for Full control. Click Ok. Repeat this step for the File Server Administrators group.

Do the same thing for the Staff group. When this is all done we'll have a folder for each user inside this folder, and we want each user to have exclusive access to their own. If we leave "Applies to" for the Staff group at "This folder, subfolders and files" then everyone will be able to get into each other's folders. We don't want that, so change "Applies to" to This folder only.

Granting the Staff group Read access on this folder only lets users into the Home folder so they can reach their own subfolder. They won't be able to create data in the root of Home, but they will have rights to their own folder within it. Click Ok.

We've setup the ACL the way we want it, click Ok.

Click Close. Now that you've learned how to share folders and configure permissions, share out the remaining folders with the following settings. For all the NTFS permissions keep the default "Applies to" of "This folder, subfolders and files" unless otherwise stated.

  • Apps

    • Share name - Apps

    • Share permissions

      • Domain Admins: Full Control

      • File Server Administrators: Full Control

      • Staff: Read

    • NTFS Permissions

      • Domain Admins: Full Control

      • File Server Administrators: Full Control

      • Staff: Read & Execute, List Folder Contents, Read

  • Common

    • Share name - Common

    • Share permissions

      • Domain Admins: Full Control

      • File Server Administrators: Full Control

      • Staff: Change

    • NTFS Permissions

      • Domain Admins: Full Control

      • File Server Administrators: Full Control

      • Staff: Read & Execute, List Folder Contents, Read - Set "Applies to" to This folder only

  • Public

    • Share name - Public

    • Share permissions

      • Domain Admins: Full Control

      • File Server Administrators: Full Control

      • Staff: Change

    • NTFS Permissions

      • Domain Admins: Full Control

      • File Server Administrators: Full Control

      • Staff: Modify, Read & Execute, List Folder Contents, Read, Write
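The four shares and their permissions from the table above, built from PowerShell. This is an added example, not part of the lab: it assumes the Shared Data folders exist, that the domain's NetBIOS name can be read from Active Directory (Server01 is a domain controller), and that the lab's group names are used. Run it on Server01 as a domain administrator.

```powershell
# Added example, not part of the lab: create the Apps, Common, Home and Public shares
# with the share-level and NTFS permissions the lab lists. Inheritance is disabled on
# each folder so nothing granted on C:\ leaks into the shares. Assumes the lab's
# domain, group names and C:\Shared Data folders; run on Server01 as a domain admin.
Import-Module ActiveDirectory

$root   = 'C:\Shared Data'
$nb     = (Get-ADDomain).NetBIOSName
$admins = "$nb\Domain Admins", "$nb\File Server Administrators"
$staff  = "$nb\Staff"

# Replace a folder's ACL with explicit entries only. Equivalent to "Disable inheritance
# -> Remove all inherited permissions" and then adding each ACE in the Advanced dialog.
function Set-LabAcl {
    param([string] $Path, [hashtable[]] $Entries)   # @{ Identity; Rights; ThisFolderOnly }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)       # protect the DACL, drop inherited ACEs
    $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void] $acl.RemoveAccessRule($_) }
    foreach ($e in $Entries) {
        # "This folder only" is InheritanceFlags None; the default is both inherit flags.
        $inherit = if ($e.ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Identity, $e.Rights, $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Admins get Full Control on every share; Staff differs per share, as in the lab table.
$adminFull = @($admins | ForEach-Object { @{ Identity = $_; Rights = 'FullControl'; ThisFolderOnly = $false } })
$ntfs = @{
    Apps   = @{ Rights = 'ReadAndExecute'; ThisFolderOnly = $false }   # Read & Execute, List, Read
    Common = @{ Rights = 'ReadAndExecute'; ThisFolderOnly = $true  }   # "This folder only"
    Home   = @{ Rights = 'ReadAndExecute'; ThisFolderOnly = $true  }   # "This folder only"
    Public = @{ Rights = 'Modify';         ThisFolderOnly = $false }   # Modify covers Write and Read
}
$shareStaff = @{ Apps = 'Read'; Common = 'Change'; Home = 'Change'; Public = 'Change' }

foreach ($name in 'Apps', 'Common', 'Home', 'Public') {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $staffEntry = @{ Identity = $staff; Rights = $ntfs[$name].Rights; ThisFolderOnly = $ntfs[$name].ThisFolderOnly }
    Set-LabAcl -Path $path -Entries ($adminFull + $staffEntry)

    # Share ACL: only the three lab groups, no entry for Everyone.
    $access = @{ FullAccess = $admins }
    if ($shareStaff[$name] -eq 'Read') { $access.ReadAccess = $staff } else { $access.ChangeAccess = $staff }
    New-SmbShare -Name $name -Path $path @access | Out-Null
}

# Review what was set: share ACL per share, then the explicit NTFS ACEs and their scope.
foreach ($name in 'Apps', 'Common', 'Home', 'Public') {
    Get-SmbShareAccess -Name $name | Format-Table Name, AccountName, AccessRight -AutoSize
    (Get-Acl -Path (Join-Path $root $name)).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```

In the output, the Staff entries on Home and Common show InheritanceFlags of None, which is what "This folder only" means on disk: the per-user and per-department folders created later inherit the two admin ACEs but never a Staff ACE.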

Creating Home Folders for Users

We're going to create home folders for our users. Now that we have a place to store them we'll use Active Directory Users and Computers to create them. This is an alternative tool for managing Active Directory that presents it as a tree. The ability to create home folders hasn't been carried over to Active Directory Administrative Center, so we need Users and Computers for this task.

Use Server Manager to open Active Directory Users and Computers by clicking the Tools drop down and selecting Active Directory Users and Computers.

The layout of Active Directory Users and Computers looks very similar to tree view in Active Directory Administrative Center. Click the triangles to expand the domain gotohull.com, then the GotoHull Users OU, and click Accounting. On the right you'll see all the user accounts in the Accounting OU. We want to create home folders for each of them. Click one user, press CTRL+A to select all the users, then right click any user in the list and click Properties.

This will open the properties page for multiple users. From here we can make changes to all the Accounting users at once. Click the Profile tab.

We're going to use this to set the home folder property of each account. Active Directory Users and Computers creates the folders if they don't already exist. You can set this property in Active Directory Administrative Center as well, but it won't create the folders. Check the Home folder box, click the Connect radio button and set the drive letter to H:. In the To box type the UNC (Universal Naming Convention) path to the user's home folder: \\Server01\Home\%USERNAME%. The %USERNAME% variable is replaced with each user's logon name when you click Ok. Click Ok.

After you close the window open File Explorer and browse to C:\Shared Data\Home. You'll see 29 folders, one for each user in the Accounting department. Now create home folders for the rest of the users by repeating the steps above for the users in each of the following OUs.

  • Human Resources

  • Information Technology

  • Marketing

  • Purchasing

  • Quality

  • Sales

After you've created home folders for everyone in those OUs, create one for your own account by following the same steps. You'll notice the dialog looks slightly different when you're modifying one account versus several.

Once complete you should see 211 folders in "C:\Shared Data\Home".

Pick a folder and open its properties by selecting it and clicking the Properties button in the ribbon.

Click the Security tab and look at the ACL. Notice that Active Directory Users and Computers added two ACEs, the user and Administrators, while Domain Admins and File Server Administrators are inherited from Home. The Staff group isn't there because we set its ACE to apply to the parent folder only, not to subfolders. Click Ok.

Turn on Client01 if it isn't already running and log in with your account. Open File Explorer and select This PC on the left side. You should see your personal network folder listed as the H: drive.
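The same home-folder setup done in bulk from PowerShell, added here as an example and not part of the lab. It does what the Profile tab does for every user under GotoHull Users: creates the folder, gives the user and Administrators Full Control on it, and sets the account's home directory to \\Server01\Home\<username> on H:. It assumes the gotohull.com domain, the Home share from the previous section, and that it runs on Server01 as a domain administrator.

```powershell
# Added example, not part of the lab: create one home folder per user with the ACL
# Active Directory Users and Computers would give it, and point the account at it.
# Assumes the lab's gotohull.com domain and the Home share on Server01; run there
# as a domain administrator.
Import-Module ActiveDirectory

$homeRoot = 'C:\Shared Data\Home'
$server   = 'Server01'
$domain   = Get-ADDomain
$usersOU  = "OU=GotoHull Users,$($domain.DistinguishedName)"

function New-LabHomeFolder {
    param($User)   # an ADUser object from Get-ADUser
    $path = Join-Path $homeRoot $User.SamAccountName
    if (-not (Test-Path -Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    # Explicit Full Control for the owner and for BUILTIN\Administrators. Domain Admins
    # and File Server Administrators arrive by inheritance from Home; Staff does not,
    # because its ACE on Home applies to that folder only.
    $acl = Get-Acl -Path $path
    foreach ($id in "$($domain.NetBIOSName)\$($User.SamAccountName)", 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $path -AclObject $acl

    # Same as the Profile tab: Connect H: to the UNC path of the user's folder.
    Set-ADUser -Identity $User -HomeDrive 'H:' -HomeDirectory "\\$server\Home\$($User.SamAccountName)"
}

Get-ADUser -Filter * -SearchBase $usersOU | ForEach-Object { New-LabHomeFolder -User $_ }

# Checks: one folder per user (211 in the lab), and no home folder carries a Staff ACE.
@(Get-ChildItem -Path $homeRoot -Directory).Count
Get-ChildItem -Path $homeRoot -Directory | Where-Object {
    (Get-Acl -Path $_.FullName).Access.IdentityReference -like '*\Staff'
} | Select-Object -ExpandProperty FullName    # should print nothing
```

The last check is the one worth keeping around: if a Staff ACE ever shows up on a home folder, someone changed "Applies to" on Home and every user can browse every other user's files.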

Creating Department Folders

Now we're going to create folders for each department under the Common share, then modify the permissions so only the department members can access the data. We'll also create an _All Staff folder the HR department can use to publish the resources they need to provide to all staff.

On Server01 browse to C:\Shared Data\Common and create a folder for each department. We're also going to create a folder for all staff members. Create the folders below.

  • Accounting

  • Human Resources

  • Information Technology

  • Marketing

  • Purchasing

  • Quality

  • Sales

  • _All Staff

Open the properties of the Accounting folder and click the Security tab. Then click the Edit button.

Click the Add button to add an ACE to the ACL.

Type in Accounting for the group name and hit Check Names, then click Ok.

Give the Accounting group Modify access to the Accounting folder, then click Ok and Ok to close the windows. Repeat these steps to give each department group Modify access to its own folder. Nothing grants Staff access to these folders: the Staff ACE on Common applies to that folder only, so a user who isn't in the department group can list Common but not open the department folder.

After each department has access to its own folder, modify the ACL on _All Staff. Add the Human Resources group with Modify access.

Then add Staff with the default Read access (Read & Execute, List Folder Contents, Read). This creates a place where the Human Resources department can publish forms and other documents that staff members need. Staff members can read the information but not change or delete it.

We're going to test the setup by logging into the client as a member of the Human Resources department. Log into Client01 as Crystal Ball (cball / P@ssw0rd).

Open File Explorer, type the UNC path to the Common share, \\Server01\Common, in the address bar and hit enter.

You'll see all the department folders in the Common share.

If you open the Human Resources folder you'll have the ability to create data in the folder because you're a member of the Human Resources group.

And since the _All Staff folder can be written to by the Human Resources group you can create data there too.

But if you try to open the Accounting folder it won't open; you'll get a message telling you that you don't have permission to access the resource.

We can hide the folders users don't have access to by enabling Access-Based Enumeration on the Common share. ABE only changes what's listed; the NTFS ACL is what actually blocks access, so it's a convenience for users and not a substitute for permissions. On Server01 open Server Manager and click File and Storage Services on the left.

Click on Shares.

Right click on the Common share and click Properties.

Click Settings on the left and check Enable access-based enumeration then click Ok.

Log off Client01, log back in as Crystal Ball and open \\Server01\Common; now you'll only see the folders you have access to.
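The department folders, the _All Staff folder and access-based enumeration from this section, done from PowerShell. This is an added example, not part of the lab: it assumes the Common share already exists with the ACL from the earlier section, that the lab's group names are used, and that it runs on Server01 as a domain administrator.

```powershell
# Added example, not part of the lab: create the department folders under Common,
# grant each department group Modify on its own folder, set up _All Staff, turn on
# access-based enumeration, and list who has explicit rights where. Assumes the
# lab's group names and the existing Common share; run on Server01 as a domain admin.
Import-Module ActiveDirectory

$common      = 'C:\Shared Data\Common'
$nb          = (Get-ADDomain).NetBIOSName
$departments = 'Accounting', 'Human Resources', 'Information Technology',
               'Marketing', 'Purchasing', 'Quality', 'Sales'

# Add one Allow ACE that applies to this folder, subfolders and files (the Edit
# button's default), leaving the inherited admin entries from Common in place.
function Add-LabAce {
    param([string] $Path, [string] $Identity, [string] $Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Each department group gets Modify on its own folder and nothing on the others.
foreach ($dept in $departments) {
    $dir = New-Item -ItemType Directory -Path (Join-Path $common $dept) -Force
    Add-LabAce -Path $dir.FullName -Identity "$nb\$dept" -Rights 'Modify'
}

# _All Staff: HR publishes (Modify), everyone else reads (Read & Execute, List, Read).
$allStaff = New-Item -ItemType Directory -Path (Join-Path $common '_All Staff') -Force
Add-LabAce -Path $allStaff.FullName -Identity "$nb\Human Resources" -Rights 'Modify'
Add-LabAce -Path $allStaff.FullName -Identity "$nb\Staff"           -Rights 'ReadAndExecute'

# ABE hides folders the connecting user cannot read. It is a listing feature only;
# the NTFS ACLs above are still what denies access.
Set-SmbShare -Name 'Common' -FolderEnumerationMode AccessBased -Force

# Review: the explicit (non-inherited) ACEs on every folder, and the share's ABE state.
foreach ($dir in Get-ChildItem -Path $common -Directory) {
    $who = ((Get-Acl -Path $dir.FullName).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
    '{0,-24} {1}' -f $dir.Name, $who
}
(Get-SmbShare -Name 'Common').FolderEnumerationMode    # AccessBased
```

The review loop is the quick way to confirm the lab's intent: every department folder should list exactly its own group, and only _All Staff should mention Staff at all. A Staff entry on a department folder means that department's data is readable by the whole company regardless of what ABE hides.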

Once you've completed the lab, shut down all virtual machines and take snapshots of each of them named Lab 8 Complete.

Questions

Answer the lab questions.
