Many experienced admins get this wrong. Here's how to do it right.
There are 5 parts to this.
CREATE THE GROUP
- -login to server.
- -click ACTIVE-DIRECTORY-USERS-AND-COMPUTERS.
- -create a GROUP (aka SECURITY-GROUP).
- -add the users/members.
CREATE THE SHARE
- -create a folder.
- -right-click to PROPERTIES > SHARING.
- -click ADVANCED-SHARING.
- -checkmark SHARE-THIS-FOLDER.
- -to hide the share from browsing, add a $ at the end of the share name.
ADD SHARE PERMISSIONS
- -click PERMISSIONS.
- -remove all groups/users.
- -add the GROUP required for this share.
- -checkmark FULL-CONTROL.
- -click OK > OK.
ADD NTFS PERMISSIONS
- -click SECURITY tab (at the top).
- -click ADVANCED (at the bottom).
- -click DISABLE INHERITANCE.
- -click CONVERT INHERITED PERMISSIONS INTO EXPLICIT PERMISSIONS.
- -remove all groups/users except SYSTEM.
- -add the GROUP required for this share.
- -checkmark FULL-CONTROL.
- -click OK > APPLY.
TEST PERMISSIONS
- -click the EFFECTIVE ACCESS tab (at the top).
- -select the user/group and confirm they get exactly the access you expect.
BONUS: ONLY SHOW FOLDERS THE USER HAS ACCESS TO
If a user doesn't have access to the "Accounting" folder, then that folder is not shown to them.
This is called "Access Based Enumeration."
- -launch SERVER MANAGER (on the server).
- -click on FILE AND STORAGE SERVICES.
- -click on SHARES (on the left-hand side).
- -on EACH SHARE (one at a time), right-click the share and select PROPERTIES.
- -expand SETTINGS.
- -click ENABLE ACCESS BASED ENUMERATION.
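The same procedure carried out in PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory and SmbShare modules are present, that it runs on the domain-joined file server, and that the group name, OU, folder path, share name and member accounts are placeholders to replace.

```powershell
# Added example, not the original post's own steps. Placeholder values below.
$GroupName = 'FS-Accounting-RW'                 # placeholder: the security group
$GroupOU   = 'OU=Groups,DC=example,DC=com'      # placeholder: where the group lives
$Path      = 'D:\Shares\Accounting'             # placeholder: folder on the file server
$ShareName = 'Accounting$'                      # trailing $ hides the share from browsing
$Principal = "$env:USERDOMAIN\$GroupName"

# 1. CREATE THE GROUP: a global security group, then add the members.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $GroupName -Members 'alice', 'bob'   # placeholder users

# 2. + 3. CREATE THE SHARE and ADD SHARE PERMISSIONS.
# Giving -FullAccess to the group only means "Everyone" is never added to the share ACL.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
New-SmbShare -Name $ShareName -Path $Path -FullAccess $Principal | Out-Null

# 4. ADD NTFS PERMISSIONS: disable inheritance and convert inherited entries to explicit ones
#    (SetAccessRuleProtection($true, $true) = protect ACL, keep copies of inherited ACEs).
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Remove every explicit entry except SYSTEM, then grant the group Full Control
# on this folder, its subfolders and files.
$acl = Get-Acl -Path $Path
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM') {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# BONUS: enable Access Based Enumeration on the share.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# 5. TEST PERMISSIONS: show what is actually left on the share ACL and the NTFS ACL.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

The two listings at the end should show only SYSTEM and the group; any other principal means a step was skipped, and a member still has to log out and back in before their token carries the new group.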
NOTES:
- -the EVERYONE group does not include every account, despite its name. This is why it should not be used.
- -when share permissions and NTFS permissions differ, the most restrictive permissions win.
- -group membership is added to the user's token at logon. Consequently, the user will have to log out and log in again before testing whether the share is working.