# SMB shares and NTFS permissions Goal: expose three shares on `DC01`, secure them with the AD groups created earlier, and verify permissions behave as expected. Note: in production, shares live on a dedicated file server, not on a DC. We simplify here. ## Shares to create | Share | Path | Access | |---|---|---| | `Common` | `C:\Shares\Common` | read for everyone, write for Direction/Teaching/Admin | | `Teaching` | `C:\Shares\Teaching` | restricted to GG_Teaching | | `Direction` | `C:\Shares\Direction` | restricted to GG_Direction | ## AGDLP reminder Permissions are **never** placed directly on global groups or users. They go on a **domain local group**, which contains the matching global groups. Example for `Common`: - Global groups: `GG_Teaching`, `GG_Students`, ... - DL groups: `DL_Share_Common_R` (read), `DL_Share_Common_RW` (write) - NTFS ACLs: set on `DL_Share_Common_R` and `DL_Share_Common_RW` - Nesting: - `GG_Students` member of `DL_Share_Common_R` - `GG_Teaching` member of `DL_Share_Common_RW` ## Create folders and shares ### GUI 1. Create `C:\Shares\Common` in Explorer 2. Right-click > `Properties > Sharing > Advanced Sharing` 3. Tick `Share this folder`, name the share, click `Permissions` 4. Remove `Everyone`, add the relevant AD groups with appropriate rights 5. `Security` tab > `Edit`: define NTFS ACLs 6. Disable inheritance if you want an explicit ACL ### PowerShell Key cmdlets: `New-SmbShare`, `Get-Acl`, `Set-Acl`, `FileSystemAccessRule`. ``` New-Item -Path C:\Shares\Common -ItemType Directory -Force New-SmbShare -Name "Common" -Path "C:\Shares\Common" ` -FullAccess "CORP\Domain Admins" ` -ReadAccess "CORP\DL_Share_Common_R" ` -ChangeAccess "CORP\DL_Share_Common_RW" ``` NTFS permissions: ``` $acl = Get-Acl "C:\Shares\Common" $rule = New-Object System.Security.AccessControl.FileSystemAccessRule( "CORP\DL_Share_Common_R", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow") $acl.AddAccessRule($rule) Set-Acl "C:\Shares\Common" $acl ``` Repeat per (DL, rights) pair. ## Test from a Windows client On `PC01`, logged in as an AD user: ``` \\DC01\Common ``` via `Run` (`Win + R`) or the Explorer address bar. Tests: - as a `GG_Students` member: read OK, write denied - as a `GG_Teaching` member: read and write OK - attempt to access `\\DC01\Teaching` as a student: denied ## Test from Linux If `linux01` is domain-joined (see `07-join-linux-client.md`): ``` smbclient //DC01/Common -U pmartin% # then: ls put /etc/hostname ``` or mount via `cifs-utils`: ``` mkdir /mnt/common mount -t cifs //DC01/Common /mnt/common -o username=pmartin,domain=CORP ``` ## Notes - **Both** layers (Share and NTFS) apply. The effective access is the intersection. Common practice: `Full Control` at share level, then refine via NTFS. - An already-connected user does not see group membership changes until relogon (or `klist purge`). - Never ACL a user directly. They leave, you are left with cleanup. ## Next `06-join-windows-client.md` to join `PC01` and test these shares from a client.