Setting up a Microsoft File Server from scratch with Server 2012 is a piece of cake, and doesn’t really require much knowledge of NTFS permissions and Role Based Access Controls to implement. This tutorial is good for Microsoft Server 2012 and 2008, and assumes that you have separate roles in your organization with different access requirements for each business need. So, what we’ll be accomplishing in this tutorial is the installation of the File Server role on Server 2012, implementation of 3 Security Group enabled shares, and a concise explanation of permissions best practices. Let’s jump into it.
Step 1.) Make Sure Your Server Is Fully Updated
Since we’re starting out with a fresh server, I’m going to make sure that all recommended security updates and hotfixes are installed, so as to avoid problems down the road. It’s generally a good idea to ensure your Microsoft Servers are up to date, but it’s especially important when you’re starting off with a fresh server like I am.
Step 2.) Install The File & Storage Services Role
After your server is fully patched and has been restarted as needed, you can go ahead and install the File Server role from the Server Manager Snap-in. Go to Manage > Tools > and select the “File Server and Storage Services” role. While you can set up basic file sharing on Server 2012 without this role, it’s recommended to install it as it will give you additional tools and functionality that will come in handy down the road. It’s worth it for the ability to terminate open file sessions alone, especially if you work in a larger environment.
Step 3.) Create Your Security Groups In Active Directory
After the File and Storage Services wizard has completed installation, it’s a good point to stop and create your Security Groups. The idea behind Security Groups is that you place users within these groups, and by virtue of their group membership they are allowed or denied access to shared resources. An example of this would be an “Accounting” group, which is pretty typical within any organization. The accounting group has access to sensitive company and employee financial information such as revenue reports, social security numbers, and other miscellaneous financial data. Needless to say, access to these accounting-specific resources needs to be restricted. So, fire up your Active Directory and create three new Security Groups as follows: one SG called “Accounting,” another SG titled “Management,” and one last Security Group labeled “General.” If you haven’t set up an Active Directory domain yet, you should check this post out and come back once you’ve set up a domain from scratch.
Note: In the Microsoft world, DENY permissions always override ALLOW permissions.
Step 4.) Create Your File Shares
Now that you’ve created your Security Groups, you’re going to create corresponding shares for each group. You’re going to want to place these shares on a separate volume in order to keep the data and Windows volumes apart. This is a good practice and will save you a lot of headaches if you ever have to rebuild or migrate this file server down the road. In my case, I’m going to create the new file shares on my “Data” volume. To create the new file share, simply right-click in the folder area and create a new folder – make sure to title each folder appropriately.
Step 5.) Configure Sharing & Group Permissions
Now that we’ve created our file shares, it’s time to make sure that the appropriate groups have access to each folder as necessary. In this example, Accounting and Management users are going to have access to all of the folders, and the General group will have access to the General share, but be denied access to the Accounting and Management shares. Right-click on the Accounting and Management shares, then the Sharing tab, then select the appropriate groups.
Now that they have “Read” permissions, you need to adjust their level of permissions accordingly. It’s likely they are going to need the ability to edit and read files, so select the drop-down arrows to the right of the groups and adjust their permissions accordingly. In this case, I want Management to have read-only access to the Accounting share, with the Accounting group having full read/write permissions. This is something to think about as you are creating groups, and you always want to implement the concept of “least privilege” when it comes to access. Least privilege simply means giving users the minimum access necessary to do their job, and nothing more.
Once you’ve set the permissions appropriately on the share, click on the Share button to commit the changes and designate this folder as a network folder. Now set folder permissions on the Management share the same as we did for the Accounting share, but grant the Management group full access, and provide the Accounting group with read-only permissions. Grant the General group read-write access to the General share only, and grant the Accounting and Management groups read-write access to the General share.
The idea here is that while the Management and Accounting groups need to be able to see each other’s work, they do not need the ability to perform each other’s work. Keeping this separation of job duties is crucial to protecting your data and sets you up with a “safety net” of sorts to prevent data tampering.
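Steps 3 to 5 carried out in PowerShell, as an added example that is not part of the original tutorial. The domain name CONTOSO, the OU path and D:\Shares are assumed values; read/write is mapped to Change at the share level and Modify in NTFS, read-only to Read and Read & Execute, and inherited NTFS entries are removed so that only the listed groups, administrators and SYSTEM hold rights on each folder (all choices made for this example).

```powershell
# Added example. CONTOSO, the OU path and D:\Shares are assumed values.
Import-Module ActiveDirectory

$Domain  = 'CONTOSO'                        # assumed NetBIOS domain name
$Root    = 'D:\Shares'                      # assumed folder on the "Data" volume
$GroupOU = 'OU=Groups,DC=contoso,DC=local'  # assumed OU for the three groups

# share -> group -> level, as described in steps 3 to 5
$Matrix = @{
    Accounting = @{ Accounting = 'ReadWrite'; Management = 'Read' }
    Management = @{ Management = 'ReadWrite'; Accounting = 'Read' }
    General    = @{ General = 'ReadWrite'; Accounting = 'ReadWrite'; Management = 'ReadWrite' }
}

# Step 3: create the security groups if they do not exist yet
foreach ($group in $Matrix.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
}

foreach ($share in $Matrix.Keys) {
    # Step 4: one folder per share on the data volume
    $path = Join-Path $Root $share
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Step 5: build the NTFS grants and the share-level lists from the matrix
    $grants = @('BUILTIN\Administrators:(OI)(CI)F', 'NT AUTHORITY\SYSTEM:(OI)(CI)F')
    $change = @(); $read = @()
    foreach ($entry in $Matrix[$share].GetEnumerator()) {
        $account = '{0}\{1}' -f $Domain, $entry.Key
        if ($entry.Value -eq 'ReadWrite') {
            $change += $account; $grants += "${account}:(OI)(CI)M"
        } else {
            $read += $account;   $grants += "${account}:(OI)(CI)RX"
        }
    }
    # Drop inherited entries so groups outside the matrix get no NTFS access
    & icacls.exe $path /inheritance:r /grant:r $grants | Out-Null

    $params = @{ Name = $share; Path = $path; ChangeAccess = $change }
    if ($read) { $params.ReadAccess = $read }
    New-SmbShare @params | Out-Null
}
```

Groups that are not listed for a share receive no entry at all, which keeps the General group out of the Accounting and Management shares without an explicit deny.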
Step 6.) Check Your Folder Permissions
Right-click on each one of the newly created File Shares, and confirm that your group permissions look similar to the following.
For the Accounting Share :
For the General Share :
And the Management Share :
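The same check can be scripted; the following is an added example, not part of the original tutorial. It compares each share's entries with the access table from step 5 and lists NTFS entries for accounts outside that table. CONTOSO is an assumed domain name, and read/write is assumed to be granted as Change at the share level, so shares configured differently will show up as differences.

```powershell
# Added example: CONTOSO is an assumed domain name; $Expected restates step 5,
# with read/write taken as Change at the share level (an assumption).
$Domain   = 'CONTOSO'
$Baseline = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
$Expected = @{
    Accounting = @{ Accounting = 'Change'; Management = 'Read' }
    Management = @{ Management = 'Change'; Accounting = 'Read' }
    General    = @{ General = 'Change'; Accounting = 'Change'; Management = 'Change' }
}

function New-Finding($Share, $Layer, $Account, $Found, $Wanted) {
    [pscustomobject]@{ Share = $Share; Layer = $Layer; Account = $Account
                       Found = $Found; Expected = $Wanted }
}

function Test-ShareAccess {
    param([string]$Share, [hashtable]$Want)
    $allowed = @{}
    foreach ($g in $Want.Keys) { $allowed["$Domain\$g"] = "Allow $($Want[$g])" }

    # Share layer: every entry must be an Allow for an expected group at the expected right
    $aces = @(Get-SmbShareAccess -Name $Share)
    foreach ($ace in $aces) {
        $found  = "$($ace.AccessControlType) $($ace.AccessRight)"
        $target = if ($allowed.ContainsKey($ace.AccountName)) { $allowed[$ace.AccountName] } else { 'no entry' }
        if ($found -ne $target) { New-Finding $Share 'Share' $ace.AccountName $found $target }
    }
    # Expected groups that have no share entry at all
    foreach ($account in $allowed.Keys) {
        if ($aces.AccountName -notcontains $account) {
            New-Finding $Share 'Share' $account 'missing' $allowed[$account]
        }
    }
    # NTFS layer: flag any identity outside the table and the baseline accounts
    $path = (Get-SmbShare -Name $Share).Path
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $id = $ace.IdentityReference.Value
        if ($Baseline -notcontains $id -and -not $allowed.ContainsKey($id)) {
            New-Finding $Share 'NTFS' $id "$($ace.AccessControlType) $($ace.FileSystemRights)" 'no entry'
        }
    }
}

$findings = foreach ($s in $Expected.Keys) { Test-ShareAccess -Share $s -Want $Expected[$s] }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No unexpected share or NTFS entries found.' }
```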
Step 7.) Configure Your Shares To Map Automatically
Now that your shares have been created, and the permissions have been set appropriately, it’s time to automate the process of mapping them for users. This process will automatically “map” the shares to corresponding drive letters on the user’s local machine, and will make the administration process easier for you. There are several different ways to achieve this, but it’s 2013 and there’s no reason not to manage as much as you can in one place. Open up the Server Management utility, and open up the Group Policy Management console. Select the “Default Domain Policy” and navigate to Computer Configuration > Policies > Windows Settings > Network Shares. At this point you’ll see the following :
Now, over in the right-hand area, simply right-click and create each network share as follows. Make sure the “Action” is set to “Update” as shown in the images below.
For the Accounting Share :
For the General Share :
And for the Management Share :
At this point you simply need to wait for the Group Policy to apply itself automatically, have the users restart their workstations, or force the change by running :
gpupdate /force
on the users’ workstations to “push” the Group Policy out automatically. Congratulations on setting up your first file server and using group policy to map the network drives! Let me know if you have any questions or comments by leaving me a reply below.




























