- Microsoft Azure Virtual Machines
- Remote Desktop
- Active Directory Users and Computers
- Network Security Group
- Organization Units
- Windows 10 (21H2)
- Windows Server 2019 Datacenter (1809)
- Create sample file share folders with permissions
- Access file shares as a normal user
- Create an "ACCOUNTANTS" Security Group, assign permissions, and test access
Create 2 instances of your remote desktop and log into the domain controller as an admin and your client PC as one of the users.
From your domain controller click on the Windows Explorer icon on your taskbar-->This PC-->Click on your C:\ drive to open its contents.
From your domain controller in the C:\ drive create 4 folders: "read-access", "write-access", "no-access", and "accounting".
In Windows C:\ drive right click the folder-->hover to Properties-->Click on the Sharing Tab-->Click on Share from the Sharing tab-->Type Domain Users in the bar above the name and permission level.
A drop-down menu lets you select the permission level for your domain users. Select "Read" for the read-access folder and "Read/Write" for the write-access folder. For the no-access folder, do not add Domain Users; add Domain Admins instead and give them "Read/Write" access. This will give normal users no access to that folder.
We will go to the client PC and check folders for access in the following steps.
Once your permissions are set there, you can send an email of that shared folder or share the link into another app. In the individual items section, there will be a file path that you can copy and paste into a Windows Explorer search box that will take you to that specific folder.
Open each folder and create a text document that we can test for access when we log into the client virtual machine as a domain user. To create the document, right click on each folder-->hover to New-->hover to text document and click.
Once your file is created, type a sample text, go to File-->Save As-->Name your file-->Click Ok.
On Client-1, navigate to the shared folders by typing Run in the search bar-->type \\DC-1-->The network folder should populate in a new window.
Open the read-access folder-->Open your test file-->Attempt to edit the text and save the document. A dialog box will show that you have read access only.
Open the no-access folder. Upon clicking you will get a network error stating that you do not have access to this folder.
Go to DC-1 in Active Directory and create an organizational unit _SECURITY_GROUP, then add the group "ACCOUNTANTS" to that folder.
Create a security group "ACCOUNTANTS" in your organizational folder. Right click _SECURITY_GROUP-->hover New-->hover to Group and click-->Type ACCOUNTANTS in the dialog box for group name-->click on the radio buttons Global for group scope and Security for group type-->Click Ok
On the "accounting" folder that was created earlier on the DC-1 virtual machine, set the following permissions: add the security group "ACCOUNTANTS" from the Sharing tab of the folder's properties, give the group read/write permissions, and click Share.
On Client-1 virtual machine as a user, open Windows File Explorer-->Type \\DC-1 in the file location bar-->Click on the "accounting" folder to access the file.
An error message shows no access. The current user does not have access to the file folder. In the next step, we will go back to DC-1 virtual machine, and add the user to the security group for access to that folder.
On the DC-1 virtual machine, add the user to the "ACCOUNTANTS" group: Click on _SECURITY_GROUPS-->Right click "ACCOUNTANTS"-->Click Properties-->Click on Members tab-->Click Add...-->Type the user name in the object box-->Click Find Names-->When the user has been found in your directory, click Ok.
On the Client-1 virtual machine, click on Start-->click on the user-->click on Sign out to log off the virtual machine.
You will need to log off and on for the changes to take effect.
Log into your Client-1 virtual machine with your user credentials-->Open Windows File Explorer-->Type \\DC-1 in the file directory bar-->Click "accounting"-->Open the test file.
*If everything was done correctly, the file should open, and you should be able to edit the document and save it in the network folder.
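The same setup can be scripted, which makes the resulting permissions easy to review. The following is an added example, not part of the original walkthrough: it approximates the GUI steps with `New-SmbShare` and `icacls`, then lists each share's access list and the group's members for checking. The domain name, distinguished name and user name are placeholders (assumptions), and "Change" is the share-level right that allows reading and writing.

```powershell
# Added example: run in an elevated PowerShell session on DC-1.
# Placeholders (assumptions, not from the walkthrough): domain name, DN and user.
$Domain   = 'MYDOMAIN'              # NetBIOS domain name (placeholder)
$DomainDN = 'DC=mydomain,DC=com'    # domain distinguished name (placeholder)
$TestUser = 'jane.doe'              # sAMAccountName of the test user (placeholder)

Import-Module ActiveDirectory

# OU and security group (global scope, security type), as in the GUI steps.
New-ADOrganizationalUnit -Name '_SECURITY_GROUP' -Path $DomainDN
New-ADGroup -Name 'ACCOUNTANTS' -GroupScope Global -GroupCategory Security `
    -Path "OU=_SECURITY_GROUP,$DomainDN"

# One entry per folder: the only principal granted access, and at what level.
$shares = @(
    @{ Name = 'read-access';  Principal = "$Domain\Domain Users";  Right = 'Read'   }
    @{ Name = 'write-access'; Principal = "$Domain\Domain Users";  Right = 'Change' }
    @{ Name = 'no-access';    Principal = "$Domain\Domain Admins"; Right = 'Change' }
    @{ Name = 'accounting';   Principal = "$Domain\ACCOUNTANTS";   Right = 'Change' }
)

foreach ($s in $shares) {
    $path = Join-Path 'C:\' $s.Name
    New-Item -Path $path -ItemType Directory -Force | Out-Null

    if ($s.Right -eq 'Read') {
        # Share-level Read plus NTFS Read & Execute on the folder tree.
        New-SmbShare -Name $s.Name -Path $path -ReadAccess $s.Principal | Out-Null
        icacls $path /grant "$($s.Principal):(OI)(CI)RX" | Out-Null
    } else {
        # Share-level Change plus NTFS Modify on the folder tree.
        New-SmbShare -Name $s.Name -Path $path -ChangeAccess $s.Principal | Out-Null
        icacls $path /grant "$($s.Principal):(OI)(CI)M" | Out-Null
    }
}

# Group membership is what opens the "accounting" share to the test user.
Add-ADGroupMember -Identity 'ACCOUNTANTS' -Members $TestUser

# Review: who can reach each share, and who is in the group.
foreach ($s in $shares) {
    Get-SmbShareAccess -Name $s.Name |
        Format-Table Name, AccountName, AccessControlType, AccessRight
}
Get-ADGroupMember -Identity 'ACCOUNTANTS' | Select-Object Name, SamAccountName
```

Effective access over the network is the more restrictive of the share permission and the folder's NTFS permission, so both are set here. As in the walkthrough, the user must sign out and back in before the new group membership applies.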