0 Votes

HansliTester-4671 asked

AADDS but no local DC - how to share and access folders with NTFS permission

Hi, I have probably misunderstood the possibilities while reading docs for weeks now. Am I right that it is not possible to share a local folder (in the LAN, on a joined W10 machine) with other LAN users by just using Azure AD and Azure AD DS? Is it correct that, to simply share some folders inside the LAN, I definitely need a DC?
Cheers, Hansli

azure-ad-domain-services

0 Votes

sikumars answered

Hello @HansliTester-4671,

Thanks for reaching out and welcome to the Microsoft Q&A forum community!

Yes, you are right, but when you create an Azure AD DS managed domain (e.g. aaddscontoso.com), two Windows Server domain controllers (DCs) are deployed into your selected Azure region. This deployment of DCs is known as a replica set.

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services with a subset of fully-compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.

Hence file sharing must work as long as the Azure VMs are joined to Azure AD Domain Services (not Azure AD joined, which is a different concept), and you can add a new AADDS user to manage permissions as shown below. But when you use AADDS you don't have Domain Administrator or Enterprise Administrator permissions on a managed domain; these permissions are reserved by the service and aren't made available to users within the tenant.

[image: 111952-image.png]

So with this scenario, AADDS lets you perform some privileged operations on file share permissions for which "Domain Administrator" or "Enterprise Administrator" permissions are not required.

For example, let's say you have created a new shared folder on a VM that is AADDS-joined, and there are some NTFS permissions inherited by default on that folder. When you try to modify or delete the default inherited permissions, which requires "Domain Administrator" or "Enterprise Administrator" access, then in this scenario you may end up with access denied due to the less privileged access.

Here are some frequently asked questions (FAQs) about Azure Active Directory (AD) Domain Services.

Alternatively, you could leverage Azure Files and enable Azure Active Directory Domain Services authentication, which uses NTFS permissions over SMB for directories and files.

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



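One way to put the steps in the answer above into practice, as an added example that is neither part of the original answer nor Microsoft's own code. It assumes a managed domain named aaddscontoso.com (NetBIOS name AADDSCONTOSO), an AADDS group called "Share-Users" that you created yourself, and an elevated PowerShell session on an AADDS-joined Windows VM; all of those names are assumptions. It also shows the practical workaround for the inherited-permissions trap the answer describes: rather than deleting inherited ACEs (which fails without Domain Administrator rights), break inheritance while keeping a copy of the inherited entries, then add your own rule.

```powershell
# Added example (not from the original answer). Assumed names: domain AADDSCONTOSO,
# group AADDSCONTOSO\Share-Users. Run elevated on an AADDS-joined Windows VM.

$Path      = 'D:\Shares\Team'
$ShareName = 'Team'
$Principal = 'AADDSCONTOSO\Share-Users'   # hypothetical AADDS group created by the admin

# 1. Create the folder if it does not exist yet.
New-Item -Path $Path -ItemType Directory -Force | Out-Null

# 2. NTFS permissions. Do not try to remove inherited ACEs one by one; instead
#    protect the folder from inheritance, keep a copy of the inherited entries as
#    explicit ones, and then add the rule for the AADDS group.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)   # $true,$true = break inheritance, preserve copies

$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Share-level permissions. Effective access is the more restrictive of the share
#    ACL and the NTFS ACL, so grant the group Change at the share and govern
#    fine-grained access through NTFS.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $Principal | Out-Null
}

# 4. Review the result: which entries are now explicit vs. inherited, and who has
#    share-level access. A review step like this is what you want before handing
#    the share to users.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
```

Users on other AADDS-joined machines then reach the share as \\<vm-name>\Team with their AADDS credentials; because AADDS supports Kerberos and NTLM, the VM can resolve the group SID in the ACL without any on-premises DC. Note that the `SetAccessRuleProtection` step only works for objects below the point where the managed service reserves its own permissions; anything that genuinely needs Domain Administrator rights will still fail, exactly as the answer warns.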

0 Votes

HansliTester-4671 answered

Good day sir!
Thanks for your lengthy answer. I tried and failed once more. After reading your links, I am not sure anymore if this is the way I would go, seems to be a bit complicated (compared to on-premise DC). Nevertheless, I can invest 2-3 days more on the topic "cloud-only-services".
Cheers, Hansli
