IS 235 Windows Server Administration

LAB 5-2 Share + NTFS Permissions

LAB 5-2 Share + NTFS Permissions Summary

LAB 5-2-1 Document user roles and resource requirements
LAB 5-2-2 Create the corporate directory
LAB 5-2-3 Create an Organizational Unit
LAB 5-2-4 Create User and Group Accounts
LAB 5-2-5 Assign SHARE and NTFS Permissions
LAB 5-2-6 Testing User Account Access
LAB 5-2-7 Create Drive Mappings from Command Line

Prerequisite: Before attempting this LAB, ALL previous LABs must have been successfully completed.
Attempting to perform this lab without having completed the prerequisite steps may result in a failed
system requiring re-installation of the operating system and a repeat of all prior LABs.

Purpose: In this LAB you will create a shared directory structure for authorized users in your company.
Then you will apply share-level and NTFS permissions to provide the appropriate level of access for each
employee.

Deliverable: After following the LAB instructions, answering questions where noted, and including
screen shots where requested, post this document to the IS 235 Blackboard Course Room.

Notes:
1. Perform this LAB only on the server DC1.
2. Exclude DC3, the Server Core installation, in all LABs unless the LAB explicitly calls for a change to
DC3, the Server Core. There are LABs that will be devoted to DC3 later in the class.
3. Answer the questions for DC1 VM only.
4. In answering LAB questions, use your classroom notes, the course text, the Microsoft context
help feature, and the information provided on the screen during the LAB.
5. This LAB assumes the student has reviewed the module readings and presentations and will
use those resources in the completion of this LAB.

SCENARIO
You are the network administrator of the recently created Windows Domain. You have been assigned
the task of setting up file services for your company. Now that File Services have been added to your
server, you are ready to create a corporate directory structure for the purpose of organizing and sharing
departmental and employee information. The process involves the documentation of employee roles
and resource needs, the creation of appropriate user accounts and group accounts for departments,
creation of a logical directory structure off the parent share folder, the application of SHARE and NTFS
permissions, and finally the testing of each employee’s access and denied access to company resources.

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 1 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Learning Outcomes
After completing this lab, you will be able to:
1. Document user roles and resource requirements
2. Create a SHARE folder.
3. Create a company directory structure.
4. Create user and global group accounts
5. Add users to appropriate global group accounts.
6. Create and correctly use Domain Local Groups
7. Configure and apply appropriate SHARE and NTFS permissions to groups and users.
8. Verify user authorization levels to resources.
9. Create persistent drive mappings to shared server folders

Before You Begin

You must have completed all prior LABs before attempting this series of LABs.. Complete the
following “Before You Begin” steps prior to starting the LAB.

Before You Begin

Logon to the Stevenson University Virtual LAB Environment
1. Enter http://vAcademy.stevenson.edu in your browser address bar.
2. Click on your course link.
3. Logon to your VLAB course.
4. Click on the My Cloud workspace button.

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 2 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Naming Conventions
Note the following naming conventions for your LAB environment.

VM Name 235<LNFI>DC1 where LNFI = your Last Name (8 chars), First Initial
235<LNFI>DC3 where DC1 = Domain Controller #1, #2, #3
235<LNFI>WS where WS = workstation
VM Configuration 235<LNFN> where LNFN = your Last Name (8 chars), First Name
Domain Name 235<LNFI>.com where LNFI = your Last Name (8 chars), First Initial
Computer Name 235<LNFI>DC1 where LNFI = your Last Name (8 chars), First Initial
235<LNFI>DC2 where DC1 = Domain Controller #1, #2, #3
235<LNFI>DC3 where WS = workstation
235<LNFI>WS

VM & Computer Naming Convention

*Note: 15-character limit on VM name length therefore some students will need to truncate their Last
Name (8 chars), and first initial to 9 characters. EXAMPLE: George Washington 235WashingtGSV1

IS 235 VLAB Network Infrastructure Configuration

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 3 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

LAB 5-2 SHARE + NTFS Permissions

Overview: The following are the general steps in creating and sharing a corporate directory structure
and protecting it with NTFS permissions. Review these general steps to get an overview of the entire
process.
1. Document the directory structure and identify by name each employee in the company along
with their department affiliation.
2. Create user accounts for each employee and group accounts for each department using Active
Directory Users and Computers.
3. Create the directory structure using File Explorer.
4. Using File Explorer or the Provision a Share Wizard, share out the SHARE folder used as a
gateway to the corporate directory.
5. Assign the appropriate SHARE and NTFS permissions at each directory level.
6. Test permission assignment by logging in as each user from a workstation, using File Explorer to
test access to the required folders and denied access to those restricted. Both tests are
important.
Precautions: None

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 4 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

LAB 5-2-1 Document user roles and resource requirements

Instructions:
Your company currently has 9 new employees. Three of these employees are members of the
Accounting Department, three are members of the Marketing Department, and three are members of
the Sales Department. One new member in each department is a Manager. Each Manager is a member
of the Manager group. All are members of the Employees group. As Network Admin, you have
established a user logon name convention of <Last Name><First initial>. Your task is to document here
the names, user logon names, and group affiliations for each of the new 9 employees. Complete this
Employee Data Sheet below and submit with LAB.
Notes:
1. Follow the instructions above explicitly
2. Create your own 9 employee names
3. Possible group assignments: Mangers, Accounting, Sales, Marketing, Employees
4. Managers should be assigned to the Manger group + their departmental group
5. Other employees are only assigned to their departmental group
6. EXAMPLE: Jane Smith, SmithJ, Accounting, Manager
7. All employees assigned to the Employees group
8. You will need this information in LAB 5-2-5

Full Name User Login Name Group Group Group

1 Flistifer Flynn FlynnF Employees Accounting

2 Jaymes Flintwick FlintwickJ Employees Sales

3 Pierre Cashburn CashburnP Employees Marketing Manager

4 Crawford Lawson LawsonC Employees Marketing

5 Jank Potenko PotenkoJ Employees Accounting

6 Shane Pizza PizzaS Employees Accounting Manager

7 John Warhammer WarhammerJ Employees Sales Manager

8 John Johnson JohnsonJ Employees Marketing

9 Huckleberry Barnes BarnesH Employees Sales

Once you have documented above the employee names, logon user names, and group
affiliations, continue with the next LAB section.

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 5 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

LAB 5-2-2 Create the corporate directory

1. Logon to DC1 as the built-in Administrator of the forest root domain. Your username will be
Administrator. Use the password that your instructor has assigned to you. The Server Manager
window will be displayed automatically. Expand the Server Manager window to fit the full
screen, if necessary.
2. On server DC1, open File Explorer and locate the SHARE folder created in the prior LAB.
3. If you determine that the SHARE folder does not exist, then return to LAB 5-1 and complete that
LAB.
4. Review the sample directory structure in the below diagram.
5. In File Explorer, Open your
235SHARE<lastInitial><FirstInitial> folder and select
New Folder at the top or right-click and select NEW |
FOLDER. Enter a folder name using your employee
data sheet to create the directory structure in Fig 1.
Repeat the process to create your corporate
directory.
6. NOTE: REPLACE USER1… WITH YOUR EMPLOYEE’S
NAME USING LAST NAME FIRST INITIAL convention.
7. When you are finished, you should have 9 user
folders, 3 department folders, and 1 Common folder
as indicated Fig 1.
8. When you have completed the creation of the Figure 1 Sample Directory Structure
corporate directory structure, take a screen shot and
attach to the end of this document.

Once you have completed the directory structure, take a

Screen
screen shot showing the share + department and user folders
Shot
and attach at the end of this document.

9. You may logoff and exit or continue with the next lab section.

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 6 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

LAB 5-2-3 Create an Organizational Unit

In Active Directory Domain Services, Organizational Units serve as containers that logically organize AD
objects. You will create an OU (Organizational Unit) named “Employees” where you will later create the
9 new user accounts.
Note that although they can have the same name, OUs are not the same as Global Security Groups.
1. Logon to DC1 as the built-in Administrator of the forest root domain. Your username will be
Administrator. Use the password that your instructor
has assigned to you. The Server Manager window will be
displayed automatically. Expand the Server Manager
window to fit the full screen, if necessary.
2. In Server Manager, click the Tools menu and select
Active Directory Users and Computers (ADUC).
3. Right-click your domain node under the ADUC node and
select New | Organizational Unit from the context
menu.
4. Enter “Employees” as the OU name and click OK.
5. Verify that the new Employees Organizational Unit
appears as a node under your domain node.
6. This completes this LAB section. You may logoff or continue with the next LAB section.

LAB 5-2-4 Create User and Group Accounts

Using your class notes and the Employee Data Sheet from LAB 5-2-1, create 9 new user accounts in the
Employees Organizational Unit.
User Accounts
1. Logon to DC1 as the built-in Administrator of the forest root domain. Your username will be
Administrator. Use the password that your instructor has assigned to you. The Server Manager
window will be displayed automatically. Expand the Server Manager window to fit the full
screen, if necessary.
2. In Server Manager, click the Tools menu and select Active Directory Users and Computers
(ADUC).
3. Right-click the Employees Organizational Unit and select New | User from the context menu.
4. Create a new user account for each of your 9 new employees using the information from your
Employee Data Sheet.
a. User logon name convention is <Last Name><First Initial>.
b. Use the same password for all accounts: 235P@$$w0rd
c. Uncheck “User must change password at next logon”
d. Check “Password Never Expires”
5. Verify that the 9 new user accounts appear in the Employees Organizational Unit.

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 7 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Group Accounts
In this LAB section you will create global security groups for Accounting, Marketing, Sales, Managers
and Employees. Then you will add the employee user accounts to their appropriate groups. All user
accounts are added to the Employees Global Security Group.
1. In Server Manager, click the Tools menu and select Active Directory Users and Computers
(ADUC).
2. Right-click the Employees Organizational Unit and select New | Group from the context menu.
3. Create a new group account for each of the required groups listed above and noted on your
Employee Data Sheet.
a. Group Scope: Global
b. Group Type: Security
4. Once you have created the Five Global Security Groups, verify that they are listed in the
Employees Organizational Unit.

Adding Members to Global Security Groups

At this time, you should have 9 new user accounts and 5 new global security groups all located in the
Employees Organizational Unit. Verify this before proceeding. Using your Employee Data Sheet, add
each of your user accounts to the appropriate global group: Accounting, Marketing Managers, Sales, and
Employees. After completing this LAB section, you should have user accounts distributed as follows.
a. all users in the Employees global group
b. 3 employees in each of the departmental groups
c. 1 employee from each group in the Managers group

5. In Server Manager, click the Tools menu and select Active Directory Users and Computers
(ADUC).
6. Select the Employees Organizational Unit and double-click the group account for which you
wish to add users.
7. Select the “Members” tab and click the add button.
8. Locate and add the user accounts noted on your Employee Data Sheet for this group.
9. Repeat these steps for each group on your Employee Data Sheet.
10. Once the user accounts have been added to each group, go back an open each group’s
properties and verify the correct group membership using your Employee Data Sheet.
11. Select the “Employees” Organizational Unit and adjust the center pane if necessary so that all
global security groups and user accounts are fully visible. Take a screen shot.

Once you have all user and group accounts created, select
Screen the Employees OU and take a screen shot showing the 5
Shot global groups and 9 user accounts. Attach at the end of this
document.

Open the members tab on the properties for the Accounting,

Screen
Managers, and Employees global groups and take a screen
Shot
shot of each. Attach at the end of this document.

12. This completes this LAB section. You may logoff or continue with the next LAB section.

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 8 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

LAB 5-2-5 Assign SHARE and NTFS Permissions

In this LAB you will assign SHARE and NTFS permission at each level of the corporate directory. This
procedure will establish access authorization levels for each user account according to their group
membership. SHARE permissions are less granular than NTFS permissions. SHARE permissions are
applied on the network side of the SHARE folder whereas NTFS permissions are applied on the machine
side of the SHARE and at each level of the directory structure. Use your “Employee Data Sheet”,
classroom notes, the course text, and the Microsoft context help feature to perform these steps.
Note the following NTFS permission codes:
M= Modify, RX = Read & Execute, L = List Folder Contents, R = Read, W = Write
Assign the following SHARE and NTFS permissions to the appropriate global group for the shared
resource. *UserXX refers to employee user accounts 01 – 09.

Assigning Share Permissions

1. Assign the global group Employees & Administrators, Share Permission Full Control over \
SHARE
2. Remove the “Everyone” group from the share permissions on \SHARE

NTFS Permissions
3. Assign the global group Employees NTFS Permission List Folder Contents over \SHARE
4. Verify the Administrators Group has NTFS Permission Full Control over \SHARE
5. Assign each user account, NTFS Permission MRXLRW of their folder \Userxx*
6. Assign the global group, Managers, NTFS Permission FC \Accounting, \Sales, \Marketing
7. Assign the global group, Accounting, NTFS Permission MRXLRW \Accounting
8. Assign the global group, Sales, NTFS Permission MRXLRW \Sales
9. Assign the global group, Marketing, NTFS Permission MRXLRW \Marketing
10. Assign the global group, Employees, NTFS Permission RXLRW \Common
11. Remove the “Users” group from \SHARE and all subfolders NTFS permissions (note: use
class notes to follow steps to “break inheritance”)

Summary of 1-11 Above:

Global Group NTFS Permissions Folder(s)
Employees List Folder Contents \SHARE
Administrators Full Control \SHARE
User Accounts MRXLRW \SHARE\Userxx
Managers Full Control \Accounting, \Sales, \Marketing
Accounting MRXLRW \Accounting
Marketing MRXLRW \Marketing
Sales MRXLRW \Sales
Employees RXLRW \Common

1. Details regarding the technical concepts behind this LAB as well as steps not fully expanded here in the LAB are covered in detail
during classroom lectures and demonstrations.
2. This LAB assumes the student has attended class, taken detailed notes on the discussions and demonstrations, and will use those
resources in the completion of this LAB.

See next page for general steps in assigning SHARE and NTFS permissions…

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 9 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

General Steps in Assigning Permissions

Assigning SHARE Permissions to 235Sharexx (** From File Explorer**)
 Right-click 235Sharexx | Properties | Sharing | Advanced Sharing | Share this
folder | Permissions | Add Employees Full Control
 Remove Global Group Everyone
Assigning NTFS Permissions to 235Sharexx
 Right-click 235Sharexx | Properties | Security | Edit | Add Employees NTFS List
Remove Global Group Users from NTFS Permissions (Break Inheritance)
 Right-click 235Sharexx | Properties | Security | Advanced | Permissions TAB |
Disable inheritance | Convert Inherited Permissions… | Remove both User
principals | Click OK | Click OK
Assigning NTFS Permissions to User XX Folder
 Right-click UserXX | Properties | Security | Edit | Add User XX NTFS Full Control
 Remove Global Group Employees from NTFS Permissions (Break Inheritance)
o Security TAB | Advanced | Permissions TAB | Disable inheritance |
Convert Inherited Permissions… | Remove Employees principals | Click
Apply | Click OK
Assigning NTFS Permissions to Department Folders
 Right-click Department FLDR | Properties | Security | Edit | Add Dept Global
Group NTFS MRXLRW
 Add Managers to Department Folders
o Security TAB | Edit | Add Managers Global Group NTFS Full Control
 Remove Global Group Employees from NTFS Permissions (Break Inheritance)
o Security TAB | Advanced | Permissions TAB | Disable inheritance |
Convert Inherited Permissions… | Remove Employees principals | Click OK
| Click OK
Assigning NTFS Permissions to Common Folder
 Right-click Common | Properties | Security | Edit | Add Employees Global Group
NTFS RXLRW

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 10 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

LAB 5-2-6 Testing User Account Access

As the network administrator for your company, you are ultimately responsible for securing company
resources on the network. Employees must be allowed to access needed resources to do their job
however, they must not be allowed access to resources sensitive in nature or where they do not have a
need to know. With this serious responsibility you always want to verify the levels of authorization you
assign through share and NTFS perms. Follow the steps below to thoroughly test account access before
turning the accounts on for use by your users.

Testing Preparation - Create a batch file

1. Logon to the Domain Controller DC1 as Administrator
2. In the search bar on the taskbar, enter: notepad
3. Enter the following in the notepad file substituting your DC1 Server Name for the instructors:

4. Note that “dp0” is d p zero.

5. Save the file as: “Note.bat” (including quotes) in each of the subfolders under \SHARE
a. Note: omitting the quotes will result in a file named note.bat.txt
b. The file must be named note.bat
c. This batch file will be used to verify NTFS permission Read & Execute
d. In order to see the .bat extension, you may need to configure File Explorer to “Show Hidden
files”, “Show File Extensions” and “Show system files”. See video clip on Blackboard if
necessary.
Preparing the Workstation WS1 - Turn ON Network Discovery & Turn OFF User Account Control
6. Logon to the workstation WS1 using the domain Administrator account
7. Turn on Network Discovery
a. Open Control Panel
b. Search for “Network and Sharing Center”
c. Click “Change Advanced Sharing Settings”
d. Click “Turn On Network Discovery” and SAVE CHANGES
e. Open File Explorer, select Network, and if necessary enter your DC1 UNC name in the
Address bar. Example: \\235SnyderkDC1
8. Turn OFF User Account Control
9. In the Search box enter: msconfig.exe
10. Click on the Tools tab, select Change UAC Settings and click the Launch button.
11. Drag the UAC slide control to the Never Notify position and click OK
12. Restart the Workstation WS1

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 11 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Testing Each User Account in the Employees OU

Refer to the table listing each user account and group membership (Employee Data Sheet).
12. Logon to the workstation WS1 using each account, documenting each user account test below.
13. Using File Explorer, test each account for access and denial on each folder
14. For example: When logged on to the Workstation as UserA, open File Explorer, click on the Network
icon, click on your DC1 Domain Controller’s icon, and then click on the SHARE folder.

15. If your DC1 does not appear, double click on Network in the navigation bar and enter \\
235<LNFI>DC1 where <LNFI> is your last name first initial.

16. Attempt to access each subfolder for which UserA has access permissions and those where NO
access is should be allowed. Using the Table below, document if access is allowed (A) or denied (D)
for each folder.
17. If the user account is allowed to view the subfolders, then the NTFS permission List (L) is allowed.
18. In each folder, double-click the note.bat file to test the “read & execute”(X) NTFS permission.
a. If the NTFS permission Read & Execute is allowed, the Notepad application will launch.
19. Enter text in notepad and save the file to the folder under test to verify the “modify & write” (MW)
permission.
20. The ability to delete a file confirms “modify” (M) permissions.
21. Close and then open the file to test the “read” (R) permission.
22. For any one of your 9 user accounts, from File Explorer on the Workstation WS1, take a screen shot
of the user’s personal directory showing the text file saved in the preceding step.

For any one of your 9 user accounts, from File Explorer on the Workstation
Screen WS1, take a screen shot of the user’s personal directory showing the text
Shot file saved in the preceding step.
Attach at the end of this document.

23. Record the results in the table below.

24. Perform these account access tests for each of the 9 user accounts.

Use the table below to document testing of user account access. Enter an “A” for allowed and a “D” for
denied in the permission box for the user account and folder. The permission codes are L= List Contents,
X=Read & Execute, W=Write, R=Read.

User Account Accounting Marketing Sales Common User Folder

L X R W L X R W L X R W L X R W L X R W
FlynnF A A A A D D D D D D D D A A A A A A A A
FlintwickJ D D D D D D D D A A A A A A A A A A A A
CashburnP A A A A A A A A A A A A A A A A A A A A
LawsonC D D D D A A A A D D D D A A A A A A A A
PotenkoJ A A A A D D D D D D D D A A A A A A A A
PizzaS A A A A A A A A A A A A A A A A A A A A
WarhammerJ A A A A A A A A A A A A A A A A A A A A
JohnsonJ D D D D A A A A D D D D A A A A A A A A
BarnesH D D D D D D D D A A A A A A A A A A A A

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 12 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

25. Now that you have thoroughly tested each user accounts access to their directories, continue here,
taking screen shots of your SHARE and NTFS Permissions on the folders indicated.

SHARE and NTFS Permissions Screen Shots

On Domain Controller DC1, using File Explorer and folder properties, take the screen shots below
showing the required permissions for each folder for the Global Security Groups and User Accounts.
26. Logon to DC1 using the built-in Administrators account.
27. Using File Explorer, open the 235SHAREXX folder properties. On the “Sharing” tab, click “Advanced
Sharing”. On the Advanced Sharing screen click the “Permissions” button.
28. Take a screen shot showing the Share Permissions for the Employees Global Security Group.

Share Open the SHARE properties for the 235SHARExx folder, select the
Perms Employees group and take a screen shot where the share
Screen permissions are visible for the Employees group. Attach at the end of
Shot this document.

29. On DC1, open the 235SHAREXX folder properties, on the Security tab, take a screen shot showing
the NTFS Permissions for the Employees Global Security Group.

NTFS Open the NTFS properties for the 235SHARExx folder, select the
Perms Employees group and take a screen shot where the NTFS
Screen permissions are visible for the Employees group. Attach at the end of
Shot this document.

30. On DC1, open the Accounting folder properties, on the Security tab, take a screen shot showing the
NTFS Permissions for the Accounting Global Security Group. Note that the Employees Global
Security Group should have been removed here.

Accounting Open the NTFS Security properties for the Accounting folder, select
NTFS the Accounting group and take a screen shot where the NTFS
Screen Shot permissions are visible. Attach at the end of this document.

31. On DC1, open the Common folder properties, on the Security tab, take a screen shot showing the
NTFS Permissions for the Employees Global Security Group.

Common
Open the NTFS Security properties for the Common folder, select the
NTFS
Employees group and take a screen shot where the NTFS permissions
Screen
are visible. Attach at the end of this document.
Shot

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 13 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

32. On DC1, open the NTFS Security properties for the PERSONAL USER folder for one of your
Employees. On the Security tab, take a screen shot showing the NTFS Permissions for that
users account.

User 1 Open the NTFS Security properties for the personal user folder, select
Screen the user account name and take a screen shot where the NTFS
Shot permissions are visible. Attach at the end of this document.

33. On DC1, open the NTFS Security properties for the PERSONAL USER folder for a second
Employee user account. On the Security tab, take a screen shot showing the NTFS
Permissions for that users account.

User 2 Open the NTFS Security properties for the 2nd personal user folder,
Screen select the user account name and take a screen shot where the NTFS
Shot permissions are visible. Attach at the end of this document.

34. On DC1, open the NTFS Security properties for the PERSONAL USER folder for a third
Employee user account. On the Security tab, take a screen shot showing the NTFS
Permissions for that users account.

User 3 Open the NTFS Security properties for the 3nd personal user folder,
Screen select the user account name and take a screen shot where the NTFS
Shot permissions are visible. Attach at the end of this document.

Enable Access Based Enumeration

35. To prevent your employee’s view of the 235ShareXX from showing ALL folders, you will need to
enable Access Based Enumeration for the SHARE. That way they will only see folders for which they
have access. Go to Server Manager | File and Storage Services | Shares | Right-Click the 235ShareXX
item | Select Properties | Click Settings and check the box for Enable access-based enumeration.

36. For each of the 3 employees used in the above NTFS screen shots, use their domain logon account
and logon to the workstation. Open File Explorer, locate your DC1 server on the Network, and take a
screen shot of what each of these employees sees under the 235Sharexx folder.

Users For each of the 3 employees, logon to the workstation WS1 using
1,2,3 their domain logon accounts and take a screen shot of their view of
Screen the contents of the 235ShareXX folder. Attach the 3 screen shots at
Shots the end of this document.

37. You have completed this LAB section. You may logoff or continue work on the next LAB section.

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 14 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

LAB 5-2-7 Creating Drive Mappings from Command Line

Overview: In this LAB you will use the Net Use command to establish a persistent drive mapping for a
user account in your company.

Domain User
1. Logon to the workstation WS1 using one of the domain user accounts previously created. Do not
logon as administrator.
2. Open the command prompt.
3. Enter the following command to map a persistent connection to the user’s person folder on the
server.

net use M: \\<server name>\share\<user’s personal folder> /persistent:yes

Example: net use M: \\235SnyderKDC1\235ShareSK\SmithJ /persistent:yes

4. Look for the “command completed successfully” message. Note typos and re-enter the
command if necessary paying particular attention to spelling of the server and pathname.
5. Open File Explorer and view the new drive mapping to the user’s personal directory.
6. Logoff the workstation
7. Logon to the workstation WS1 using the same account for which the drive mapping was created.
8. Open File Explorer and view the new drive mapping to the user’s personal directory.
9. Take a screen shot of the user’s drive mapping in File Explorer and attach to this LAB.

Screen Take a screen shot of the user’s drive mapping in File Explorer.
Shot Attach at the end of this document.

Administrator
10. Logon to the workstation WS1 as administrator for the domain.
11. Open the command prompt selecting “Run As Administrator”
12. Enter the following command to map a connection to C: drive on the domain controller.

net use H: \\<server IP Address\C$

13. Look for the “command completed successfully” message. Note typos and re-enter the
command if necessary paying particular attention to spelling of the server and pathname.
14. Restart WS1.
15. Open File Explorer and view the new drive mapping to the domain controller’s C:\ drive through
the administrative share C$. The DC1’s administrative share for drive C: should be mapped to
the workstation’s local drive “H:”

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 15 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

16. Open the H: drive and view the contents of the C:\ drive on the domain controller. Note that
this is not a persistent connection which means the drive mapping will be removed on logoff.

17. Take a screen shot in File Explorer of the drive mapping for the local drive H: to DC1’s
administrative share C$. Attach to the end of this LAB.

Take a screen shot in File Explorer of the drive mapping for the local drive H:
Screen
to DC1’s administrative share C$. Attach to the end of this LAB.
Shot
Attach at the end of this document.

Optional
18. If you like, create drive mappings for other users in your company.
19. To remove a drive mapping use the following command…

Net use \\<server name>\<share path> /d #Removes this specific mapping

Net use * /d # Removes all drive mapping for this machine

20. You have completed this LAB on SHARE and NTFS Permissions.
21. Logoff the workstation and server.

Please Attach Screen Shots beyond This Point

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 16 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 17 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 18 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 19 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 20 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 21 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 22 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 23 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 24 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 25 of 26

IS 235 Windows Server Administration
LAB 5-2 Share + NTFS Permissions

Revised Tuesday, April 16, 2024 5:25:00 AM 755557691.docx Page 26 of 26