AyboFrankOz/Cerebro-FolderShare-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Cerebro-FolderShare-Lab

In this home lab, I demonstrate folder and file sharing, access permissions (Share-Level Permissions), network drive mapping, and user restrictions within an Active Directory environment populated using a custom X-Men–themed user creation script: Cerebro-AD-Creator

Step 0 Tidying Up

Before we start, let's create an OU for our existing groups (Executive, Finance, HR, Marketing, Operations, Sales, Security, Technology, All). On the Domain Controller (DC), open "Active Directory Users and Computers". Right-click on the domain > New > Organizational Unit.

Type the name of the OU, "Groups" in our case, uncheck "Protect container from accidental deletion" and click OK. Unchecking this is fine for a throwaway lab; on a production domain leave it checked so the OU and everything under it cannot be deleted by mistake.

Select all 9 groups, then drag them into the Groups OU we just created.

Active Directory Domain Services will show a warning about moving objects; click Yes.

Now they are all located under the Groups OU.

Select the Groups OU, then click "Create a new group in the current container" on the toolbar.

Type "Helpdesk" and click OK. This step is important: the permission script we run later looks this group up by name, and if the group does not exist by then, the script will fail.

Let's add the user with admin rights to this group, in our case "Frank". Simply right-click on Frank > "Add to a group".

If you don't know where "Frank" is, click on "Find objects in Active Directory Domain Services" on the toolbar.

Make sure "Entire Directory" is selected, type the user's name, Frank, and click "Find Now".

Right-click on the user and choose "Add to a group".

In the Name field, type Helpdesk. If you don't know the full group name, you can type a partial name, such as hel or helpd, then click the "Check Names" button. If no other group starts with those letters, the name is completed automatically. If multiple groups match, a list of options appears; simply select Helpdesk from the list.
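The whole of Step 0 can also be done from PowerShell on the DC with the ActiveDirectory module. The script below is an added example, not the lab's own Cerebro-AD-Creator script; it assumes the OU is called "Groups", that the nine groups already exist, and that Frank's sAMAccountName is "Frank" (all assumptions taken from the screenshots above).

```powershell
# Added example (not the lab's script): Step 0 in PowerShell with the
# ActiveDirectory module, run on the DC as a domain admin.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=cerebro,DC=local, read from the domain
$OuName   = 'Groups'                            # assumption: OU name used in the lab screenshots
$Groups   = 'Executive','Finance','HR','Marketing','Operations','Sales','Security','Technology','All'

# Create the OU. The lab unticks deletion protection; that is fine for a
# disposable lab, for production keep the default of $true.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -ErrorAction SilentlyContinue
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $false -PassThru
}

# Move the existing groups into it (the GUI's drag-and-drop plus "Yes" on the warning).
foreach ($g in $Groups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    if ($grp -and $grp.DistinguishedName -notlike "*,$($ou.DistinguishedName)") {
        Move-ADObject -Identity $grp.DistinguishedName -TargetPath $ou.DistinguishedName
    }
}

# Create Helpdesk inside the OU and add Frank (assumption: sAMAccountName 'Frank').
# The permission script later looks this group up by name, so it must exist first.
if (-not (Get-ADGroup -Filter "Name -eq 'Helpdesk'")) {
    New-ADGroup -Name 'Helpdesk' -GroupScope Global -GroupCategory Security -Path $ou.DistinguishedName
}
Add-ADGroupMember -Identity 'Helpdesk' -Members 'Frank'

# Confirm the result: ten groups under the OU, Frank in Helpdesk.
Get-ADGroup -Filter * -SearchBase $ou.DistinguishedName | Select-Object Name, GroupScope, DistinguishedName
Get-ADGroupMember -Identity 'Helpdesk' | Select-Object SamAccountName
```

Run it once; every step checks for the object first, so re-running it is safe and it will not recreate or re-move anything.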

Step 1 Creating Folders

On the DC, go to the C drive, create a folder and name it "Shared" (right-click > New > Folder).

Inside the main folder, create the following subfolders manually: Executive, Finance, HR, Marketing, Operations, Sales, Security, Technology, All and Helpdesk, or create them via the "Creating 10 folders" script.

Step 2 Assigning Access Permissions (Share-Level Permissions)

There are three types of Share-Level Permissions: Read, Change, and Full Control.

  • Users with Read can view files and subfolders, open and read file contents, and run executable files, but cannot make any modifications.
  • Users with Change can create new files and folders, edit and modify existing files, and delete files and folders, plus everything Read allows.
  • Users with Full Control can change permissions on files and folders in the share and take ownership of them, plus everything Change allows.

Share-level permissions only apply when the folder is reached over the network (\\server\share). A user who signs in locally on the server and opens C:\Shared is governed by the NTFS permissions alone, and for network access the effective permission is the more restrictive of the share permission and the NTFS permission. This lab leaves NTFS at its defaults; in production you would pair each share with matching NTFS ACLs rather than rely on share permissions by themselves.

In this lab, each department has its own folder, while the Helpdesk group is granted Full Control over all folders to act as the central management group, and the Executive group is granted Change on all folders. On the DC, go to Local Disk > Shared. Right-click on the Executive folder, then "Properties".

"Executive Properties" opens. Click on the "Sharing" tab, then "Advanced Sharing". In the new window, check "Share this folder", then click "Permissions". In the Permissions window click "Add"; in the object picker that opens, type "Executive" and "Helpdesk" (the groups we want to give access to) and click OK.

First, select "Everyone" and click "Remove", so the default entry that gives every user Read access to a new share is gone. Next, select the "Executive" group and check "Allow" for Change.

Select the "Helpdesk" group and check "Allow" for Full Control (Change and Read are ticked automatically).

Now we have to assign permissions to the other folders. For example, the Marketing group should be able to access the "Marketing" and "All Employees" folders but no other folder, while the Executive group and the Helpdesk group should still be able to access the "Marketing" folder. If you don't want to set these permissions manually, you can run the Assign Permissions script.

Permission Script

This script automates permission assignment by mapping each department folder to its corresponding security group with Read access, granting the "Helpdesk" group Full Control across all folders and the "Executive" group Change, and removing the default "Everyone" entry from each share. (Share permissions are not inherited from anywhere; "Everyone: Read" is simply what Windows puts on every new share, which is why it has to be removed explicitly.)
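For reference, here is how the same result (Step 1 folders plus the Step 2 share permissions) looks with the built-in SmbShare cmdlets. This is an added example, not the lab's Assign Permissions script; it assumes the domain NetBIOS name is CEREBRO (replace it with yours) and that the groups from Step 0 already exist.

```powershell
# Added example, not the lab's own script: create the department folders under
# C:\Shared, share each one and set share-level permissions with the SmbShare
# module (Windows Server 2012 and later). Run on the file server (the DC here).
$Domain      = 'CEREBRO'   # assumption: domain NetBIOS name, replace with yours
$Root        = 'C:\Shared'
$Departments = 'Executive','Finance','HR','Marketing','Operations','Sales','Security','Technology'
$Folders     = $Departments + 'All' + 'Helpdesk'

foreach ($name in $Folders) {
    $path = Join-Path $Root $name
    if (-not (Test-Path $path)) {
        New-Item -Path $path -ItemType Directory | Out-Null
    }

    # New-SmbShare adds 'Everyone: Read' only when no access parameter is given,
    # so passing -FullAccess/-ChangeAccess here keeps Everyone off the share.
    if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $name -Path $path `
            -FullAccess   "$Domain\Helpdesk" `
            -ChangeAccess "$Domain\Executive" | Out-Null
    }

    # Read access: the department's own group on its folder, every department on 'All'.
    $readers = if ($name -in $Departments) { @($name) } elseif ($name -eq 'All') { $Departments } else { @() }
    foreach ($group in $readers) {
        Grant-SmbShareAccess -Name $name -AccountName "$Domain\$group" -AccessRight Read -Force | Out-Null
    }

    # Shares that already existed may still carry the default Everyone entry; strip it.
    Revoke-SmbShareAccess -Name $name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
}

# Verify the resulting share ACLs in one table. Anything other than
# Helpdesk/Executive/the owning department on a share is a mistake.
Get-SmbShareAccess -Name $Folders |
    Sort-Object Name, AccountName |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
```

The final Get-SmbShareAccess table is the check worth keeping: run it after any manual change in the GUI and diff it against the expected list, since a stray "Everyone" entry on one share silently opens that folder to every domain user.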

Step 3 Verification

Hank McCoy (Username: Beast) is Chief Technology Officer and a member of the Executive group.

When he signs in, he can access all folders, including the Executive, Technology and Marketing folders, because the Executive group has Change on every share.

Meanwhile, Bobby Drake (Username: Iceman) is the Creative Marketing Director and a member of the Marketing group.

When he signs in, he can access the Marketing folder, but he cannot access the Sales folder.

Step 4 Mapping a Drive

Mapping a drive assigns a network shared folder (a UNC path such as \\server\share) to a drive letter on the user's computer, so it appears like a local drive. Go to File Explorer and right-click on Network > "Map network drive".

Choose a drive letter and type the path of the folder, in our case \\DC01\Marketing. Leave "Reconnect at sign-in" checked if the mapping should survive a logoff, then click Finish.

Once it is done, it appears under "Network locations" when you click "This PC". You can also drag it to the Desktop to create a shortcut to that drive. Note that the mapping only changes how the share is reached; the share permissions from Step 2 still decide what the user can do inside it.
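The verification in Step 3 and the mapping in Step 4 can be scripted on the client as well. The block below is an added example, not part of the lab: run it on a domain-joined workstation while signed in as the test user (Iceman, for instance) and it reports which shares that account can open and then maps the Marketing share to M:. It assumes the file server is DC01 and the share names match the folders created in Step 1.

```powershell
# Added example, not part of the lab: probe every share as the signed-in user,
# then map the Marketing share to M: the way "Map network drive" does.
$Server = 'DC01'    # assumption: the lab's file server name
$Shares = 'Executive','Finance','HR','Marketing','Operations','Sales','Security','Technology','All','Helpdesk'

$results = foreach ($share in $Shares) {
    $unc = "\\$Server\$share"
    # Test-Path alone returns $false for both "access denied" and "no such share",
    # so list the share and inspect the error category to tell the two apart.
    try {
        Get-ChildItem -LiteralPath $unc -ErrorAction Stop | Out-Null
        $state = 'Accessible'
    } catch {
        $state = if ($_.CategoryInfo.Category -eq 'PermissionDenied') { 'AccessDenied' } else { "Error: $($_.Exception.Message)" }
    }
    [pscustomobject]@{ Share = $share; Path = $unc; State = $state }
}

# One row per share; a Marketing user should see only Marketing and All as Accessible.
$results | Format-Table -AutoSize

# Map the Marketing share to M: for this user. -Persist creates a real mapped
# drive that reconnects at sign-in, equivalent to the Explorer wizard above.
if (($results | Where-Object Share -eq 'Marketing').State -eq 'Accessible') {
    New-PSDrive -Name M -PSProvider FileSystem -Root "\\$Server\Marketing" -Persist -Scope Global | Out-Null
    Get-PSDrive -Name M | Format-Table Name, Root, DisplayRoot -AutoSize
}
```

Run it once as Beast and once as Iceman and compare the two tables; that is the same evidence as the screenshots, but repeatable, and an unexpected "Accessible" row points straight at the share whose ACL needs a second look. Per-user mappings like this do not scale; for a whole department you would push the mapping with a Group Policy Drive Maps preference instead.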

Step 5 Restrictions

In real network environments, sharing folders through Active Directory keeps data secure, organized, accessible and easy to manage across an entire organization. However, if sharing is not managed, large files and users treating company storage as personal storage cause several problems: network load, exhausted disk space, slow file access, longer backup windows and version conflicts. Shares therefore need rules to avoid performance, storage and collaboration issues.

We may want to prevent users from uploading large or non-business files (such as .mp4 videos) to shared folders. This can be done with File Server Resource Manager (FSRM). Let's restrict the "All Employees" folder so users cannot save MP3 or MP4 files. On the DC, open Server Manager, then Manage > Add Roles and Features.

The wizard starts. Click "Next" until you reach the "Select server roles" page, expand File and Storage Services > File and iSCSI Services and tick "File Server Resource Manager".

Click "Add Features" when prompted, then proceed with the installation; no default settings need to change. Once the installation is done, click "Close". In Server Manager, click Tools > File Server Resource Manager.

In FSRM, expand "File Screening Management" under "File Server Resource Manager (Local)" and select "File Screens". Right-click in the empty pane and choose "Create File Screen".

Click "Browse" and pick the path you want to restrict, C:\Shared\All Employees in our case. Select the appropriate template, "Block Audio and Video Files" in our case, and click "Create". This template is an active screen, so matching saves are refused rather than just logged. Keep in mind that FSRM matches on file name patterns (*.mp3, *.mp4 and so on), not on file content, so a user who renames video.mp4 to video.txt gets past it; treat file screening as a housekeeping control, not a security boundary.

Let's try to upload an MP4 file as Bobby Drake (Username: Iceman). When he tries to save the file to the "All Employees" folder, access is denied.

Go to Event Viewer from Server Manager > Tools > Event Viewer. Under "Event Viewer (Local)", expand "Windows Logs" and click "Application". We can see a Warning from source SRMSVC that states: "The system detected that user Iceman attempted to save an MP4 file on C:\Shared\All Employees on server DC01. This file matches the "Audio and Video Files" file group which is not permitted on the system." Because this entry names the user, the path and the file group, it is worth forwarding to your log collector alongside the share access events.
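Step 5 end to end in PowerShell, from the role install to reading back the warning, as an added example that is not part of the lab. It uses the FileServerResourceManager module's own cmdlets and assumes the path from the screenshots, C:\Shared\All Employees.

```powershell
# Added example, not part of the lab: install FSRM, apply the built-in
# "Block Audio and Video Files" template to the shared folder, show what the
# screen really matches, and pull the resulting warning from the Application log.
$Target = 'C:\Shared\All Employees'   # assumption: the path used in the lab

# Install the role service and its management tools (same as Add Roles and Features).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
Import-Module FileServerResourceManager

# Create the screen from the built-in template if the path is not screened yet.
# The template is an active screen, so matching saves are blocked, not just logged.
if (-not (Get-FsrmFileScreen -Path $Target -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $Target -Template 'Block Audio and Video Files' | Out-Null
}
Get-FsrmFileScreen -Path $Target | Format-List Path, Active, IncludeGroup

# What the screen matches: the file group is a list of name patterns
# (*.mp3, *.mp4, ...), which is why a renamed file slips through.
Get-FsrmFileGroup -Name 'Audio and Video Files' | Select-Object -ExpandProperty IncludePattern

# After a user trips the screen (Iceman saving an .mp4), the SRMSVC source writes
# a warning to the Application log. Show the most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Message -like '*file group which is not permitted*' |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The Get-FsrmFileGroup line is the one to keep in mind when someone asks why a .mkv or a renamed file was not blocked: the answer is always in that pattern list, and extending the group (Set-FsrmFileGroup) is how you change what the screen catches.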
