Setting up the File Server, File Shares, permissions, and GPOs

Let’s continue building up this project with the File Server Setup.

Set up the File Server and its basic configurations:

We have a domain-joined Windows Server 2022 with the following specs:

  • Hostname: BBM-FS01

  • CPU: 2 vCPUs

  • RAM: 2 GB

  • Disks:

    • OS (C): 30 GB.

    • Data (E): 50 GB.

Let’s create the Files/Folders:

First, review the drives:

Create a SHARES folder:

The SHARES folder will contain all folders per department:

Now let’s create the File Shares and Set up Permissions:

There are different ways to accomplish this.

  1. File Explorer:

Properties, Share, Find People (here we add both of the groups created in the previous article, RO (Read Only) and RW (Read Write), with their permissions):

  2. Server Manager - File and Storage Services - Shares:

New Share:

SMB Share - Quick:

Type a custom path, in this case E:\shares\it:

Specify Share name, in this case IT:

Leave all options blank:

Set up Permissions:

NOTE: There are different types of permissions (NTFS and Share), and we will discuss them in depth in a separate article.

Now let’s select both groups, IT-RW and IT-RO:

Assign the correct permissions based on the group - IT-RW:

Assign the correct permissions based on the group - IT-RO:

Verify they are showing now with the correct permissions:

Now we see both of our Shares active:

Now let’s rinse and repeat to have all our shares set up:

How to connect and verify the File Shares from domain-joined computers:

We can open File Explorer and type in \\IP or \\Hostname (if DNS is correctly set up, which is the case here):

At this point, Matt (a member of the IT-RO group) can see ALL shares BUT can ONLY access IT:

Notice that if the user types \\BBM-FS01 in File Explorer, they will still see ALL the other File Shares. For some organizations this is not acceptable, so let’s hide the Executives File Share:

  1. Stop Sharing:

  2. Select Advanced Sharing…

  3. Share name, set it with a $ symbol at the end then set permissions accordingly:

  4. Notice the Share Name: Executives$

Let’s test now:

We can access hidden File Shares with \\IP\FileShareName$ or \\Hostname\FileShareName$, in this case \\bbm-fs01\executives$. The $ suffix only hides the share from the browse list; access is still decided by the permissions, so here we get an error because this user has none:

Let’s test from an Administrator session:

Bingo!

To wrap up, let’s take a quick look at the groups, we can see everyone should have the correct permissions based on the group to which they belong:

Let’s do another test:

Logging in as Karl Sanders (IT Manager - member of IT-RW):

We can confirm the user can write on the share:

Let’s log in with Matt Sam (IT Associate - Member of IT-RO):

Not able to delete, write, or make any modifications:

NICE! … with that all set, let’s continue.
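
The share setup above can also be scripted in PowerShell, a third route next to File Explorer and Server Manager, with an audit of the resulting share permissions at the end. This is an added example, not part of the original article; the Executives-RW/Executives-RO group names, the use of $env:USERDOMAIN as the domain name, and the removal of NTFS inheritance are assumptions of the example.

```powershell
# Added example, not from the original article. Run elevated on BBM-FS01.
# Assumptions: each department has <Dept>-RW / <Dept>-RO groups (the article shows
# IT-RW, IT-RO and Finance-RW), and the domain NetBIOS name is $env:USERDOMAIN.
$Root   = 'E:\SHARES'
$Domain = $env:USERDOMAIN
$Depts  = @(
    @{ Name = 'IT';         Hidden = $false }
    @{ Name = 'Finance';    Hidden = $false }
    @{ Name = 'Executives'; Hidden = $true }    # published as Executives$
)

foreach ($d in $Depts) {
    $path  = Join-Path $Root $d.Name
    $share = if ($d.Hidden) { $d.Name + '$' } else { $d.Name }
    $rw    = "$Domain\$($d.Name)-RW"
    $ro    = "$Domain\$($d.Name)-RO"

    New-Item -Path $path -ItemType Directory -Force | Out-Null

    # NTFS permissions: Modify for RW, Read & execute for RO, inherited by
    # subfolders (CI) and files (OI). Dropping inheritance from E:\ is a choice
    # made in this example so that only the listed principals remain.
    icacls $path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${rw}:(OI)(CI)M" "${ro}:(OI)(CI)RX" | Out-Null

    # Share permissions: Change for RW, Read for RO, nobody else.
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $share -Path $path `
            -ChangeAccess $rw -ReadAccess $ro | Out-Null
    }
}

# Audit: one row per share ACE; Broad = True marks grants to catch-all groups.
Get-SmbShare -Special $false | Get-SmbShareAccess |
    Select-Object Name, AccountName, AccessControlType, AccessRight,
        @{ Name = 'Broad'; Expression = {
            $_.AccountName -match '^(Everyone|.*\\(Authenticated Users|Domain Users))$' } } |
    Sort-Object Name, AccountName | Format-Table -AutoSize
```

Any row with Broad = True on a department share means the share permission is wider than the RW/RO groups intended above.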

Setting up Group Policy Objects (GPOs):

NOTE: Group Policy Objects can be used to define many security, functionality, and deployment rules/policies (we will discuss them in depth in a separate article).

We will set up GPOs to automatically map the drives to the user’s file explorer whenever they log in.

Create the GPO:

Select Group Policy Management:

Right-click on the OU and select Create a GPO in this domain, and Link it here…

This will create the GPO and apply it ONLY to the selected OU, IT.

We create the GPO and give it a name, in this case I Drive, then right-click it and select Edit:

Go to: User Configuration > Preferences > Windows Settings > Drive Maps:

Right-click on the central pane and select New > Mapped Drive

Fill out Location, check Reconnect, and set Label as and Use (Use defines what letter the drive will have once mapped):

Rinse and repeat and we will have all GPOs set up:

We verify the Finance (F) drive is automatically mapped when the user Avery (member of Finance-RW) logs in:

And with this, we’ve set up the File Server for the users, making them ready to start working.

The next steps will be setting up Security GPOs, DFS, and an RDS (Remote Desktop Services).

Stay tuned for more content.

Thanks for reading!

Written by

Gabriel Gonzalez

Systems Engineer with knowledge and skills in configuring, monitoring and troubleshooting various IT systems, from servers to workstations and networks. A goal-oriented and rapid learner. Passionate about technology and improving every day.