Professional Documents
Culture Documents
235 LAB 5-2 Share & NTFS Perms 2016
235 LAB 5-2 Share & NTFS Perms 2016
Prerequisite: Before attempting this LAB, ALL previous LABs must have been successfully completed.
Attempting to perform this lab without having completed the prerequisite steps may result in a failed
system requiring re-installation of the operating system and a repeat of all prior LABs.
Purpose: In this LAB you will create a shared directory structure for authorized users in your company.
Then you will apply share-level and NTFS permissions to provide the appropriate level of access for each
employee.
Deliverable: After following the LAB instructions, answering questions where noted, and including
screen shots where requested, post this document to the IS 235 Blackboard Course Room.
Notes:
1. Perform this LAB only on the server DC1.
2. Exclude DC3, the Server Core installation, in all LABs unless the LAB explicitly calls for a change to
DC3, the Server Core. There are LABs that will be devoted to DC3 later in the class.
3. Answer the questions for DC1 VM only.
4. In answering LAB questions, use your classroom notes, the course text, the Microsoft context
help feature, and the information provided on the screen during the LAB.
5. This LAB assumes the student has reviewed the module readings and presentations and will
use those resources in the completion of this LAB.
SCENARIO
You are the network administrator of the recently created Windows Domain. You have been assigned
the task of setting up file services for your company. Now that File Services have been added to your
server, you are ready to create a corporate directory structure for the purpose of organizing and sharing
departmental and employee information. The process involves the documentation of employee roles
and resource needs, the creation of appropriate user accounts and group accounts for departments,
creation of a logical directory structure off the parent share folder, the application of SHARE and NTFS
permissions, and finally the testing of each employee’s access and denied access to company resources.
Learning Outcomes
After completing this lab, you will be able to:
1. Document user roles and resource requirements
2. Create a SHARE folder.
3. Create a company directory structure.
4. Create user and global group accounts
5. Add users to appropriate global group accounts.
6. Create and correctly use Domain Local Groups
7. Configure and apply appropriate SHARE and NTFS permissions to groups and users.
8. Verify user authorization levels to resources.
9. Create persistent drive mappings to shared server folders
Naming Conventions
Note the following naming conventions for your LAB environment.
VM Name 235<LNFI>DC1 where LNFI = your Last Name (8 chars), First Initial
235<LNFI>DC3 where DC1 = Domain Controller #1, #2, #3
235<LNFI>WS where WS = workstation
VM Configuration 235<LNFN> where LNFN = your Last Name (8 chars), First Name
Domain Name 235<LNFI>.com where LNFI = your Last Name (8 chars), First Initial
Computer Name 235<LNFI>DC1 where LNFI = your Last Name (8 chars), First Initial
235<LNFI>DC2 where DC1 = Domain Controller #1, #2, #3
235<LNFI>DC3 where WS = workstation
235<LNFI>WS
Once you have documented above the employee names, logon user names, and group
affiliations, continue with the next LAB section.
9. You may logoff and exit or continue with the next lab section.
Group Accounts
In this LAB section you will create global security groups for Accounting, Marketing, Sales, Managers
and Employees. Then you will add the employee user accounts to their appropriate groups. All user
accounts are added to the Employees Global Security Group.
1. In Server Manager, click the Tools menu and select Active Directory Users and Computers
(ADUC).
2. Right-click the Employees Organizational Unit and select New | Group from the context menu.
3. Create a new group account for each of the required groups listed above and noted on your
Employee Data Sheet.
a. Group Scope: Global
b. Group Type: Security
4. Once you have created the Five Global Security Groups, verify that they are listed in the
Employees Organizational Unit.
5. In Server Manager, click the Tools menu and select Active Directory Users and Computers
(ADUC).
6. Select the Employees Organizational Unit and double-click the group account for which you
wish to add users.
7. Select the “Members” tab and click the add button.
8. Locate and add the user accounts noted on your Employee Data Sheet for this group.
9. Repeat these steps for each group on your Employee Data Sheet.
10. Once the user accounts have been added to each group, go back an open each group’s
properties and verify the correct group membership using your Employee Data Sheet.
11. Select the “Employees” Organizational Unit and adjust the center pane if necessary so that all
global security groups and user accounts are fully visible. Take a screen shot.
Once you have all user and group accounts created, select
Screen the Employees OU and take a screen shot showing the 5
Shot global groups and 9 user accounts. Attach at the end of this
document.
12. This completes this LAB section. You may logoff or continue with the next LAB section.
NTFS Permissions
3. Assign the global group Employees NTFS Permission List Folder Contents over \SHARE
4. Verify the Administrators Group has NTFS Permission Full Control over \SHARE
5. Assign each user account, NTFS Permission MRXLRW of their folder \Userxx*
6. Assign the global group, Managers, NTFS Permission FC \Accounting, \Sales, \Marketing
7. Assign the global group, Accounting, NTFS Permission MRXLRW \Accounting
8. Assign the global group, Sales, NTFS Permission MRXLRW \Sales
9. Assign the global group, Marketing, NTFS Permission MRXLRW \Marketing
10. Assign the global group, Employees, NTFS Permission RXLRW \Common
11. Remove the “Users” group from \SHARE and all subfolders NTFS permissions (note: use
class notes to follow steps to “break inheritance”)
1. Details regarding the technical concepts behind this LAB as well as steps not fully expanded here in the LAB are covered in detail
during classroom lectures and demonstrations.
2. This LAB assumes the student has attended class, taken detailed notes on the discussions and demonstrations, and will use those
resources in the completion of this LAB.
See next page for general steps in assigning SHARE and NTFS permissions…
15. If your DC1 does not appear, double click on Network in the navigation bar and enter \\
235<LNFI>DC1 where <LNFI> is your last name first initial.
16. Attempt to access each subfolder for which UserA has access permissions and those where NO
access is should be allowed. Using the Table below, document if access is allowed (A) or denied (D)
for each folder.
17. If the user account is allowed to view the subfolders, then the NTFS permission List (L) is allowed.
18. In each folder, double-click the note.bat file to test the “read & execute”(X) NTFS permission.
a. If the NTFS permission Read & Execute is allowed, the Notepad application will launch.
19. Enter text in notepad and save the file to the folder under test to verify the “modify & write” (MW)
permission.
20. The ability to delete a file confirms “modify” (M) permissions.
21. Close and then open the file to test the “read” (R) permission.
22. For any one of your 9 user accounts, from File Explorer on the Workstation WS1, take a screen shot
of the user’s personal directory showing the text file saved in the preceding step.
For any one of your 9 user accounts, from File Explorer on the Workstation
Screen WS1, take a screen shot of the user’s personal directory showing the text
Shot file saved in the preceding step.
Attach at the end of this document.
Use the table below to document testing of user account access. Enter an “A” for allowed and a “D” for
denied in the permission box for the user account and folder. The permission codes are L= List Contents,
X=Read & Execute, W=Write, R=Read.
25. Now that you have thoroughly tested each user accounts access to their directories, continue here,
taking screen shots of your SHARE and NTFS Permissions on the folders indicated.
Share Open the SHARE properties for the 235SHARExx folder, select the
Perms Employees group and take a screen shot where the share
Screen permissions are visible for the Employees group. Attach at the end of
Shot this document.
29. On DC1, open the 235SHAREXX folder properties, on the Security tab, take a screen shot showing
the NTFS Permissions for the Employees Global Security Group.
NTFS Open the NTFS properties for the 235SHARExx folder, select the
Perms Employees group and take a screen shot where the NTFS
Screen permissions are visible for the Employees group. Attach at the end of
Shot this document.
30. On DC1, open the Accounting folder properties, on the Security tab, take a screen shot showing the
NTFS Permissions for the Accounting Global Security Group. Note that the Employees Global
Security Group should have been removed here.
Accounting Open the NTFS Security properties for the Accounting folder, select
NTFS the Accounting group and take a screen shot where the NTFS
Screen Shot permissions are visible. Attach at the end of this document.
31. On DC1, open the Common folder properties, on the Security tab, take a screen shot showing the
NTFS Permissions for the Employees Global Security Group.
Common
Open the NTFS Security properties for the Common folder, select the
NTFS
Employees group and take a screen shot where the NTFS permissions
Screen
are visible. Attach at the end of this document.
Shot
32. On DC1, open the NTFS Security properties for the PERSONAL USER folder for one of your
Employees. On the Security tab, take a screen shot showing the NTFS Permissions for that
users account.
User 1 Open the NTFS Security properties for the personal user folder, select
Screen the user account name and take a screen shot where the NTFS
Shot permissions are visible. Attach at the end of this document.
33. On DC1, open the NTFS Security properties for the PERSONAL USER folder for a second
Employee user account. On the Security tab, take a screen shot showing the NTFS
Permissions for that users account.
User 2 Open the NTFS Security properties for the 2nd personal user folder,
Screen select the user account name and take a screen shot where the NTFS
Shot permissions are visible. Attach at the end of this document.
34. On DC1, open the NTFS Security properties for the PERSONAL USER folder for a third
Employee user account. On the Security tab, take a screen shot showing the NTFS
Permissions for that users account.
User 3 Open the NTFS Security properties for the 3nd personal user folder,
Screen select the user account name and take a screen shot where the NTFS
Shot permissions are visible. Attach at the end of this document.
36. For each of the 3 employees used in the above NTFS screen shots, use their domain logon account
and logon to the workstation. Open File Explorer, locate your DC1 server on the Network, and take a
screen shot of what each of these employees sees under the 235Sharexx folder.
Users For each of the 3 employees, logon to the workstation WS1 using
1,2,3 their domain logon accounts and take a screen shot of their view of
Screen the contents of the 235ShareXX folder. Attach the 3 screen shots at
Shots the end of this document.
37. You have completed this LAB section. You may logoff or continue work on the next LAB section.
Domain User
1. Logon to the workstation WS1 using one of the domain user accounts previously created. Do not
logon as administrator.
2. Open the command prompt.
3. Enter the following command to map a persistent connection to the user’s person folder on the
server.
4. Look for the “command completed successfully” message. Note typos and re-enter the
command if necessary paying particular attention to spelling of the server and pathname.
5. Open File Explorer and view the new drive mapping to the user’s personal directory.
6. Logoff the workstation
7. Logon to the workstation WS1 using the same account for which the drive mapping was created.
8. Open File Explorer and view the new drive mapping to the user’s personal directory.
9. Take a screen shot of the user’s drive mapping in File Explorer and attach to this LAB.
Screen Take a screen shot of the user’s drive mapping in File Explorer.
Shot Attach at the end of this document.
Administrator
10. Logon to the workstation WS1 as administrator for the domain.
11. Open the command prompt selecting “Run As Administrator”
12. Enter the following command to map a connection to C: drive on the domain controller.
13. Look for the “command completed successfully” message. Note typos and re-enter the
command if necessary paying particular attention to spelling of the server and pathname.
14. Restart WS1.
15. Open File Explorer and view the new drive mapping to the domain controller’s C:\ drive through
the administrative share C$. The DC1’s administrative share for drive C: should be mapped to
the workstation’s local drive “H:”
16. Open the H: drive and view the contents of the C:\ drive on the domain controller. Note that
this is not a persistent connection which means the drive mapping will be removed on logoff.
17. Take a screen shot in File Explorer of the drive mapping for the local drive H: to DC1’s
administrative share C$. Attach to the end of this LAB.
Take a screen shot in File Explorer of the drive mapping for the local drive H:
Screen
to DC1’s administrative share C$. Attach to the end of this LAB.
Shot
Attach at the end of this document.
Optional
18. If you like, create drive mappings for other users in your company.
19. To remove a drive mapping use the following command…
20. You have completed this LAB on SHARE and NTFS Permissions.
21. Logoff the workstation and server.