Sunday, January 6, 2008

File Shares

Now that I've created a series of accounts, and added another account to the Domain Admins AD Group (default group set by Windows that allows almost as much domain control as Administrator does), it's time to set up another basic premise in a domain:

File shares.

Since I don't have a dedicated server for file shares, I'll have to impose another huge security risk by placing the fileshares on the Domain Controller itself. When available, I'll move them to another server, but for the current time--here they be.

I created a folder in the Root of C:\ called "Fileshares", and shared it out, adding the $ to the share, hiding it. I also modified security permissions on it, saying that the Authenticated Users AD Group has full control, but removing Everyone. This gives control to anyone who authenticates as a user within my domain to access this folder, and only them.

Going back to Active Directory Users and Computers, modify the properties on each object (in this case, the user accounts). Under the Profile tab, opt to use the Connect: option, mapping a drive letter to a folder located somewhere on the domain. Using the absolute folder structure, \\servername\sharename$\foldername is the naming convention. Since they're only mapping one drive, a logon script won't be necessary; however, with the addendum of a webserver coming later, I'll explore that option in the future.

I've opted to name the shares based on the username, keeping it simple; this is the user's personal share. After all the shares were created, I wanted to modify permissions on each folder, so that they couldn't access the contents of one another's drives. What's the point of having separate folders when you can view them all? So, modify the folder, and under the Security tab, click Advanced. Still under Permissions, I've removed the check box for "Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here." When prompted to copy or remove the permissions, I chose remove. I'll define the permissions, thank you very much. Now we're left with only two permissions: Domain\Administrators, and the user account. Perfect. Only the admins and the user can access the folder. Everyone can see it, which is a danger, but for right now it'll do.
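The per-user folder steps above, scripted in PowerShell and followed by a read-only check of the result. This is an added example, not part of the original post; the domain name `EXAMPLE`, the usernames, and the use of `BUILTIN\Administrators` for the admin entry are assumptions.

```powershell
# Added example: names below are placeholders, not values from the post.
$Root   = 'C:\Fileshares'            # folder named in the post
$Domain = 'EXAMPLE'                  # assumed NetBIOS domain name
$Users  = 'alice', 'bob'             # assumed usernames
$Admins = 'BUILTIN\Administrators'   # assumed identity for the admin entry

# Apply to this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

foreach ($u in $Users) {
    $path = Join-Path $Root $u
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl -Path $path
    # $true  = block inheritance from C:\Fileshares
    # $false = do not copy the inherited entries (the "Remove" choice in the dialog)
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit entries already on the folder.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    # Leave exactly two entries: the admins group and the folder's user.
    foreach ($id in $Admins, "$Domain\$u") {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, $none, 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Read-only audit: report folders that still inherit from the parent or
# carry an entry other than the admins group and the matching user.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $name     = $_.Name
    $acl      = Get-Acl -Path $_.FullName
    $expected = $Admins, "$Domain\$name"
    $extra    = @($acl.Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value })
    [pscustomobject]@{
        Folder         = $name
        InheritanceOff = $acl.AreAccessRulesProtected
        Unexpected     = ($extra -join ', ')
    }
}
```

A folder is in the state the post describes when `InheritanceOff` is `True` and `Unexpected` is empty; anything else means the parent's Authenticated Users entry, or some other entry, still applies to it.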
