Share permissions via GPO

Dane Briggs 206 Reputation points
2020-08-17T16:19:33.617+00:00

I have a specific requirement for a subset of servers where I have to create an identical hidden share with specific Share and NTFS permissions. I also have the additional requirement that any new servers added need to have the share automatically created. Normally I would create a PowerShell script to create the share with the appropriate permissions and run it as a scheduled task; however, due to specific security requirements, Windows Remote Management is disabled on those servers. I can create the folder, share and set the NTFS permissions via GPO, but I am struggling with the best way to set the Share permissions via GPO. Any ideas?


Accepted answer
  1. Stephanie Yu 396 Reputation points
    2020-08-20T01:48:07.41+00:00

    Hi DaneBriggs,

    I have drawn the following conclusions from my numerous queries and experimental research. Share permissions can only be set on the machine that hosts the share. You can set the needed share permissions directly on each separate shared folder or file. NTFS permissions can be managed via GPO (according to my response above, use the File System setting).

    The following is the experiment I did in my lab on share permissions:
    In my lab, I have a domain named A.lab.
    Right-click the file, click Properties, select Sharing, click the Share button under Network Path, and select the object to share with in the pop-up dialog box. Here I select Everyone, which means that all servers that I add to the domain will share this file.

    I add a server named VSTEPY79VM to the domain A.lab. We can see the shared folder on this domain-added server.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Stephanie Yu


4 additional answers

  1. Joseph Patrick 641 Reputation points
    2020-08-17T21:15:08.01+00:00

    On the file server you will need to set the access-based enumeration items on the shares to make them visible only to those who have rights to see them. As for the GPO mapping, use the link below to guide you.

    Item-level targeting works very well.

    https://blog.netwrix.com/2019/06/20/map-network-drives-or-shared-folders-using-group-policy-in-8-easy-steps/


  2. Stephanie Yu 396 Reputation points
    2020-08-18T08:20:55.32+00:00

    Hello DaneBriggs-5625,

    Thank you for posting here.

    Here is the answer for your reference.

    According to the description above, you probably want to configure the GPO (we want the GPO to set Share permissions and NTFS permissions for the existing folders) and apply the GPO to the servers.

    Based on my test, I can set NTFS permissions for the existing folders via GPO, but for configuring Share permissions on existing folders, we can set them on each separate server itself.
    Usually, if we want to create GPO and apply it to users, we can do as below:

    1. Create an OU and put computers into this OU.
    2. Create a GPO and link it to OU above.
    3. Edit the GPO.
    4. Run gpupdate /force

    In my lab, I have a domain named A.lab.
    I add a server named VSTEPY79VM to the domain, create a new OU named 1 in ADUC, and move the domain-added server to 1.

    Right-click in GPMC and click 1, then create a GPO in this domain. Here I named it W.

    Right-click W, click Edit, as shown in the figure, right-click File System, select Add a file or folder, and add the folder you want to share.

    After clicking OK, the following interface will appear, and you can configure the NTFS permissions you need for it.

    After the configuration is successful, you can find the shared folder with the same NTFS permissions on the server that was added to the domain (e.g., log in to VSTEPY79VM as an administrator in my lab).

    When you add a new server to the domain, move the server to the OU where you have configured the GPO in ADUC.
    Run gpupdate /force.

    You can set the needed Share permissions directly on each separate shared folder or file. For more operations, please refer to the following article.

    Sharing Files and Folders
    http://technet.microsoft.com/en-us/library/bb457104.aspx#EDAA

    If the above does not work, in order to better troubleshoot the problem, please confirm the following information:

    1. What does your configured script look like?
    2. How did you configure this scheduled task with your PS script?
    3. Does your task run successfully on one domain-joined server? Did you achieve the effect you wanted?

    If you can provide more information, such as script information or the process of configuring tasks, I would appreciate it.

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Stephanie Yu


  3. Dane Briggs 206 Reputation points
    2020-08-19T14:26:19.897+00:00

    Thank you both for your quick response.

    I've already done all of this. My question is specifically about setting Share permissions via Group Policy. Is there a way?

    I am not using a script because of security requirements.


  4. Jason R. Brown 1 Reputation point
    2020-09-21T15:57:59.667+00:00

    I set mine via registry entry. HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security
    Secure the first share, then find it via registry and deploy this via GPO

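Added example, not part of the thread or any poster's code: a local PowerShell check that reads a share's security descriptor from the registry key named in the last answer, converts it to SDDL, and compares its DACL with a reference, so drift on a server that received the value via GPO is visible. The share name `Data$` and the reference SDDL are constructed placeholders; the function names are hypothetical.

```powershell
# Added example: audit a share's registry-stored permissions against a reference DACL.
# 'Data$' and $reference below are constructed placeholders, not values from the thread.
$SharesSecurityKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security'

function Get-NormalizedDaclSddl {
    # Accepts SDDL text or the REG_BINARY bytes and returns only the DACL as SDDL,
    # so both sides of the comparison pass through the same formatter.
    param([Parameter(Mandatory)] $Descriptor)
    if ($Descriptor -is [string]) {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor)
    } else {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$Descriptor, 0)
    }
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
}

function Test-SharePermission {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$ReferenceSddl
    )
    # Each share's descriptor is a binary value named after the share.
    $item = Get-ItemProperty -Path $SharesSecurityKey -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $item) {
        # No value deployed for this share: report it rather than guess at the effective ACL.
        return [pscustomobject]@{ Share = $ShareName; Status = 'NoSecurityValue'; Actual = $null }
    }
    $actual   = Get-NormalizedDaclSddl -Descriptor ([byte[]]$item.$ShareName)
    $expected = Get-NormalizedDaclSddl -Descriptor $ReferenceSddl
    [pscustomobject]@{
        Share    = $ShareName
        Status   = if ($actual -eq $expected) { 'Match' } else { 'Drift' }
        Actual   = $actual
        Expected = $expected
    }
}

# Constructed reference: Authenticated Users = Read (0x1200a9), BUILTIN\Administrators = Full (0x1f01ff).
$reference = 'D:(A;;0x1200a9;;;AU)(A;;0x1f01ff;;;BA)'
Test-SharePermission -ShareName 'Data$' -ReferenceSddl $reference | Format-List

# What the running Server service currently enforces, for comparison with the registry value:
Get-SmbShareAccess -Name 'Data$'
```

Run it in an elevated session on the file server itself; a `Drift` result with a broad trustee such as Everyone (`WD`) in `Actual` is the case worth investigating first.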