This lab sets up a shared Company Data folder structure on the file server, creates AGDLP-style security groups in Active Directory, applies NTFS permissions so each department can only reach its own folder, and configures share-level permissions following the standard best practice of leaving the share wide open and doing the real restriction at the NTFS layer.
- File Explorer (Windows Server)
- Active Directory Users and Computers (ADUC)
- NTFS Security settings
- Advanced Sharing settings
- Windows Server acting as both file server and domain controller
- AD domain with department-based OU structure (from the previous lab)
On the Windows Server, open File Explorer → This PC → C: drive, and create a new folder named Company Data.
Inside Company Data, create four department subfolders: HR, IT, Finance, and Public.
Right-click the Users OU → New → Group, and create one security group per department.
Why the GG_ prefix?
Every AD group has two separate properties:
- Type — Security or Distribution. Security groups can have permissions assigned to them; Distribution groups are mail-only and can't hold NTFS or share permissions.
- Scope — Domain Local, Global, or Universal. This controls where the group can be used and what it can contain.
Naming it SG_ (security group) wouldn't tell you much — every group used for permissions is already a security group, since Distribution groups can't hold ACL entries at all. The scope is what's actually worth flagging in the name, because of the AGDLP model:
Accounts → Global Groups → Domain Local Groups → Permissions
Users go into Global Groups (e.g., GG_HR_Staff). Those Global Groups get nested into Domain Local Groups, which is where the permission actually gets assigned (e.g., DL_CompanyData_HR_Modify). The GG_ prefix signals "this is a role/department membership group," while a DL_ prefix signals "this is a permission-assignment group."
Go back to the Company Data folder, right-click HR → Properties → Security tab → Edit → Add, and type GG_HR_Staff. Give the group Modify permission.
By default, the HR folder inherits permissions from Company Data, which means other departments still have access. To fix that:
- Go to the Security tab → Advanced.
- Click Disable inheritance.
- Choose Convert (not Remove).
Convert copies the existing permissions over first, so you can safely edit them from there. Choosing Remove instead would wipe everything out immediately — including your own access and the admin account's access. Convert keeps everything in place so nothing breaks while you clean it up.
With inheritance converted, remove any groups that shouldn't have access to the HR folder, leaving only GG_HR_Staff (plus the necessary admin/system accounts). Click Apply, then OK to save.
Repeat Steps 3–5 for the IT, Finance, and Public folders, using each department's matching security group.
Note: the screenshot here was a duplicate of the one in Step 5 — swap in the actual IT/Finance/Public screenshots before publishing.
Finally, configure share-level permissions. Right-click Company Data → Properties → Sharing tab → Advanced Sharing → check Share this folder → Permissions, and set Everyone to Full Control.
Tip: This looks backwards at first, but it's the standard approach. When a folder is accessed over the network, both the share permission and the NTFS permission apply — and Windows always enforces whichever one is more restrictive. By leaving the share permission wide open (
Everyone– Full Control) and doing all the real restriction at the NTFS level, you only have one set of permissions to manage instead of keeping two separate permission layers in sync.
GG_= who's in the group,DL_= where the permission lives. Users go in Global Groups, Global Groups go in Domain Local Groups, permissions go on the Domain Local Group.- Always hit Convert, not Remove, when disabling inheritance — Remove can lock you out of your own folder.
- Share permissions: leave it at Everyone/Full Control. NTFS is what actually locks the folder down.