Skip to content

salvdevlops/Departmental-File-Permissions-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

Configuring Shared Folders, Security Groups, and NTFS Permissions in Active Directory

Overview

This lab sets up a shared Company Data folder structure on the file server, creates AGDLP-style security groups in Active Directory, applies NTFS permissions so each department can only reach its own folder, and configures share-level permissions following the standard best practice of leaving the share wide open and doing the real restriction at the NTFS layer.

Tools Used

  • File Explorer (Windows Server)
  • Active Directory Users and Computers (ADUC)
  • NTFS Security settings
  • Advanced Sharing settings

Environment

  • Windows Server acting as both file server and domain controller
  • AD domain with department-based OU structure (from the previous lab)

Step 1: Create the Shared Data Folder Structure

On the Windows Server, open File Explorer → This PC → C: drive, and create a new folder named Company Data.

image

Inside Company Data, create four department subfolders: HR, IT, Finance, and Public.

image

Step 2: Create Security Groups in Active Directory

Right-click the Users OU → NewGroup, and create one security group per department.

Why the GG_ prefix?

Every AD group has two separate properties:

  • Type — Security or Distribution. Security groups can have permissions assigned to them; Distribution groups are mail-only and can't hold NTFS or share permissions.
  • Scope — Domain Local, Global, or Universal. This controls where the group can be used and what it can contain.

Naming it SG_ (security group) wouldn't tell you much — every group used for permissions is already a security group, since Distribution groups can't hold ACL entries at all. The scope is what's actually worth flagging in the name, because of the AGDLP model:

Accounts → Global Groups → Domain Local Groups → Permissions

Users go into Global Groups (e.g., GG_HR_Staff). Those Global Groups get nested into Domain Local Groups, which is where the permission actually gets assigned (e.g., DL_CompanyData_HR_Modify). The GG_ prefix signals "this is a role/department membership group," while a DL_ prefix signals "this is a permission-assignment group."

image

Step 3: Assign NTFS Permissions for the HR Folder

Go back to the Company Data folder, right-click HRPropertiesSecurity tab → EditAdd, and type GG_HR_Staff. Give the group Modify permission.

image image

Step 4: Remove Inherited Permissions

By default, the HR folder inherits permissions from Company Data, which means other departments still have access. To fix that:

  1. Go to the Security tab → Advanced.
  2. Click Disable inheritance.
  3. Choose Convert (not Remove).

Convert copies the existing permissions over first, so you can safely edit them from there. Choosing Remove instead would wipe everything out immediately — including your own access and the admin account's access. Convert keeps everything in place so nothing breaks while you clean it up.

image

Step 5: Remove Unauthorized Groups

With inheritance converted, remove any groups that shouldn't have access to the HR folder, leaving only GG_HR_Staff (plus the necessary admin/system accounts). Click Apply, then OK to save.

image

Step 6: Repeat for the Remaining Departments

Repeat Steps 3–5 for the IT, Finance, and Public folders, using each department's matching security group.

Note: the screenshot here was a duplicate of the one in Step 5 — swap in the actual IT/Finance/Public screenshots before publishing.

Step 7: Configure Share Permissions

Finally, configure share-level permissions. Right-click Company DataPropertiesSharing tab → Advanced Sharing → check Share this folderPermissions, and set Everyone to Full Control.

Tip: This looks backwards at first, but it's the standard approach. When a folder is accessed over the network, both the share permission and the NTFS permission apply — and Windows always enforces whichever one is more restrictive. By leaving the share permission wide open (Everyone – Full Control) and doing all the real restriction at the NTFS level, you only have one set of permissions to manage instead of keeping two separate permission layers in sync.


Key Takeaways

  • GG_ = who's in the group, DL_ = where the permission lives. Users go in Global Groups, Global Groups go in Domain Local Groups, permissions go on the Domain Local Group.
  • Always hit Convert, not Remove, when disabling inheritance — Remove can lock you out of your own folder.
  • Share permissions: leave it at Everyone/Full Control. NTFS is what actually locks the folder down.

About

Lab walkthrough: building a departmental shared folder structure, creating AGDLP-style security groups, and locking down access with NTFS and share permissions.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors