Configuring and Understanding Windows File Permissions in Active Directory

In this lab, we will explore file permissions in a domain environment managed through Active Directory. Using the two virtual machines from a previous lab, log in to the domain controller as an administrator and to the client machine as a regular domain user. This setup lets us configure permissions on the domain controller and test them from the client.

Environments and Technologies Used

  • Microsoft Azure
  • Remote Desktop
  • Active Directory Domain Services

Operating Systems Used

  • Windows Server 2022
  • Windows 10 Pro (22H2)

Creating Folders and Assigning Permissions

On the domain controller, create the following folders at the root of the C: drive:

  • read-access
  • write-access
  • no-access
  • accounting

[Image: Folder Creations]

Share the read-access and write-access folders with the Domain Users group. Ensure that the write-access folder is configured with both read AND write permissions.

[Image: read-access]
[Image: write-access]

Share the no-access folder with the Domain Admins group, but not with the Domain Users group. Assign read and write permissions to the Domain Admins.

[Image: no-access sharing permissions]

Testing Permissions as a Domain User

Log in to client-1 as a regular domain user. For this example, we’ll use Jack.Smith. Open the search bar in Explorer and enter the following:

\\<name_of_domain> (e.g., \\dc)

You’ll be brought to the following screen:

[Image: Network Share From Client Side]

Now, let’s verify the applied permissions. Navigate to the read-access folder. You will be able to open the folder, but you will NOT have permission to create files or folders inside it, as shown below:

[Image: Write Permission Denied]

However, if you navigate to the write-access folder, you will have permission to create files and folders, as demonstrated below:

[Image: Read and Write Permission]

If you attempt to access the no-access folder, you will be unable to view its contents because you do not have read permissions.

[Image: No Read or Write Permission]

Creating the Accountants Group

For the accounting folder, we will grant read and write access to a group named Accountants, which we will create.

To keep things organized, create an Organizational Unit (OU) named _GROUPS and place the Accountants group within it.

[Image: New Org Unit]
[Image: Accounts Group]

Sharing the Accounting Folder with the Group

Next, share the accounting folder with the Accountants group.

[Image: Accounts Folder Sharing]

Return to the client VM and refresh Explorer. You will see the new folder that was created. However, if you attempt to view its contents, you will encounter the following message:

[Image: Unable to Access Accounting Folder]

Adding a Domain User to the Accountants Group

Log out of the client VM, return to the domain controller, and open the Accountants group’s properties to add Jack.Smith as a member.

[Image: Add Jack Smith to Accountants Group]

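Log back into the client VM. Group memberships are read into the user's access token at logon, which is why the new membership only applies after signing in again. You will now have access to the folder and be able to write files to it.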

[Image: Jack Smith is now Allowed]
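The same lab can be scripted, which also makes the two permission layers visible: access over SMB is the more restrictive of the share permission and the NTFS permission on the folder. The script below is an added example, not the author's code. It assumes an elevated PowerShell session on the domain controller with the ActiveDirectory and SmbShare modules, that Jack.Smith is the user's sAMAccountName, and, as a choice of this example, that each folder should stop inheriting NTFS entries from C:\.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory, SmbShare
# Added example, not the author's code. Run on the domain controller.
$domain  = Get-ADDomain
$inherit = 'ContainerInherit,ObjectInherit'   # apply to subfolders and files

# Folder -> the one group allowed in, and whether that group may write.
$layout = @(
    @{ Name = 'read-access';  Group = 'Domain Users';  Write = $false }
    @{ Name = 'write-access'; Group = 'Domain Users';  Write = $true  }
    @{ Name = 'no-access';    Group = 'Domain Admins'; Write = $true  }
    @{ Name = 'accounting';   Group = 'Accountants';   Write = $true  }
)

# OU and security group for the accounting share.
New-ADOrganizationalUnit -Name '_GROUPS' -Path $domain.DistinguishedName
New-ADGroup -Name 'Accountants' -GroupScope Global -GroupCategory Security `
    -Path "OU=_GROUPS,$($domain.DistinguishedName)"

foreach ($f in $layout) {
    $path    = Join-Path 'C:\' $f.Name
    $account = '{0}\{1}' -f $domain.NetBIOSName, $f.Group
    New-Item -Path $path -ItemType Directory -Force | Out-Null

    # Layer 1, share permission: Read or Change, for this group only.
    $share = @{ Name = $f.Name; Path = $path }
    if ($f.Write) { $share.ChangeAccess = $account } else { $share.ReadAccess = $account }
    New-SmbShare @share | Out-Null

    # Layer 2, NTFS permission: drop the entries inherited from C:\ and
    # grant only SYSTEM, local Administrators and the group.
    $rights = if ($f.Write) { 'Modify' } else { 'ReadAndExecute' }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # protect, discard inherited
    foreach ($ace in @(@('NT AUTHORITY\SYSTEM', 'FullControl'),
                       @('BUILTIN\Administrators', 'FullControl'),
                       @($account, $rights))) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList ($ace[0], $ace[1], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Review both layers for every share before testing from the client.
$names = $layout | ForEach-Object { $_.Name }
Get-SmbShareAccess -Name $names | Format-Table Name, AccountName, AccessRight
$names | ForEach-Object { icacls "C:\$_" }

# Last step of the lab: takes effect at Jack.Smith's next logon.
Add-ADGroupMember -Identity 'Accountants' -Members 'Jack.Smith'
```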

What I Learned

In this lab, I explored how to configure and test file permissions in a Windows Active Directory domain environment. I set up shared folders with varying levels of access for different groups, verified permissions from a client machine, and learned how to organize and manage security groups within Organizational Units (OUs). Additionally, I saw how dynamically adding a user to a group updates their access permissions for shared resources.