{"id":553,"date":"2025-10-28T21:14:59","date_gmt":"2025-10-28T21:14:59","guid":{"rendered":"https:\/\/carlostech.com\/?p=553"},"modified":"2026-02-25T20:27:26","modified_gmt":"2026-02-25T20:27:26","slug":"active-directory-part-3","status":"publish","type":"post","link":"https:\/\/carlostech.com\/?p=553","title":{"rendered":"Active Directory Lab 3 – GPOs, Service Accounts, Permissions"},"content":{"rendered":"\n

In our final Active Directory lab, we’ll showcase the power of GPOs and enterprise file management. We’ll set up shared network drives deployed through Group Policy, use File Server Resource Manager to control storage, configure folder permissions, implement access-based enumeration so users only see what they can access, and create service accounts to run services with limited, specific permissions.
<\/p>\n\n\n\n

\n
\n

Shared Network Drive<\/strong><\/p>\n<\/blockquote>\n<\/blockquote>\n\n\n\n

Will be mapped to all domain users using a GPO.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
    \n
  • This GPO would be under User Preference -> Windows Settings -> Drive Maps. The first thing it asks for is the location (file path<\/strong>) of this network drive. But before we jump into the GPO configuration, let me show you why using GPOs for this is critical instead of manually mapping drives<\/li>\n<\/ul>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
      \n
    • We need to know the actual hostname of the server to be able to correctly input the file path. So, in the command line we used the command \u201chostname\u201d<\/strong> on the server.<\/li>\n<\/ul>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
        \n
      • Then, in the File Explorer, right click the empty space and created a new folder named SHARED. <\/li>\n<\/ul>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
          \n
        • Share the folder with the network and look at the two different kinds of permissions available directly on the folder. <\/li>\n<\/ul>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
            \n
          • Notice that you can add users and groups, and configure their permissions for this folder. However, these Share permissions are extremely basic as there are only three options:\n
              \n
            • Read – view files only<\/li>\n\n\n\n
            • Change – read and modify files<\/li>\n\n\n\n
            • Full Control – complete control over the share<\/li>\n<\/ul>\n<\/li>\n\n\n\n
            • These Share permissions only apply when someone accesses the folder over the network<\/strong>. They don’t affect someone sitting at the server itself.<\/li>\n<\/ul>\n\n\n\n
              \"\"<\/figure>\n\n\n\n
                \n
              • To configure more granular permissions, you need to use NTFS permissions<\/strong> found in the Security tab. NTFS permissions:\n
                  \n
                • Apply both locally and over the network<\/strong> .<\/li>\n\n\n\n
                • Offer much more control. <\/li>\n\n\n\n
                • Can be set on individual files, not just folders.<\/li>\n\n\n\n
                • Are what you’ll use most of the time for real security.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

                  When accessing a shared folder over the network, both<\/strong> Share and NTFS permissions apply – and the most restrictive<\/strong> permission holds priority. <\/p>\n\n\n\n

                  We shared the folder over the network and established the permissions. Peter is under the group \u201cDomain Users\u201d so he should have read rights and have access to the folder over the network. 
                  <\/p>\n\n\n\n

                  \"\"<\/figure>\n\n\n\n
                    \n
                  • As you can see, the folder does not<\/strong> automatically appear in Peter’s File Explorer. That is because sharing the folder is only making it available over the network \u2013 it isn’t pushed to users automatically. This works exactly like a public library \u2013 the book (file) is there to access but you must know where to look for it. <\/li>\n<\/ul>\n\n\n\n
                    \"\"<\/figure>\n\n\n\n
                      \n
                    • The first option you have is to manually map the drive to the user profile as shown.<\/li>\n<\/ul>\n\n\n\n

                      When mapping drives manually, you have to:<\/p>\n\n\n\n

                        \n
                      • Input the file path for every single user<\/strong>.<\/li>\n\n\n\n
                      • Visit each user’s computer (or remote in).<\/li>\n\n\n\n
                      • Make sure to check “Reconnect at sign-in”<\/strong> so the drive persists after reboot.<\/li>\n<\/ul>\n\n\n\n

                        You can clearly see how tedious and time consuming this would be to configure at mass scale \u2013 which is why utilizing Active Directory and GPOs is crucial. I disconnected the shared drive from Peter\u2019s profile to see if the GPO we’ll create now works.<\/p>\n\n\n\n

                        \"\"<\/figure>\n\n\n\n
                        \"\"<\/figure>\n\n\n\n
                          \n
                        • We created the GPO as explained before and linked it to the New York Users OU.<\/li>\n<\/ul>\n\n\n\n
                          \"\"<\/figure>\n\n\n\n
                            \n
                          • Let\u2019s sign into Peter\u2019s user profile and force update the GPO using the command line. I also checked all of the GPOs applied to Peter\u2019s user account using the \u201cgpresult \/r\u201d <\/strong>command. \n
                              \n
                            • You can see that the ‘Mapping Drive<\/strong>‘ GPO we just created was applied to his user profile. You can also see how the ‘Restrict Control Panel’<\/strong> GPO was not applied to him from our previous AD project due to security filtering. <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
                              \"\"<\/figure>\n\n\n\n
                                \n
                              • The shared drive is now mapped to Peter\u2019s File Explorer again. <\/li>\n<\/ul>\n\n\n\n

                                File Server Resource Manager<\/strong><\/p>\n\n\n\n

                                  \n
                                • Now that we have our shared folder working, we need to manage<\/strong> it properly. What if users start storing massive video files? What if someone uploads executable files that could be malicious? How do we control storage usage? The solution to all of these questions is utilizing File Server Resource Manager, which has these capabilities and more:\n
                                    \n
                                  • Set storage quotas (limit how much space users can use).<\/li>\n\n\n\n
                                  • Block certain file types (like .exe or .mp3 files).<\/li>\n\n\n\n
                                  • Generate reports on storage usage.<\/li>\n\n\n\n
                                  • Send email alerts when quotas are exceeded.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
                                    \"\"<\/figure>\n\n\n\n

                                    Our AD server doesn’t have FSRM installed by default, so let’s add it now.<\/p>\n\n\n\n

                                      \n
                                    • You should configure your server remotely as much as possible using RSAT – which is a standard security posture. However, the File Server Resource Manager Tools were not working on my remote admin computer. After some troubleshooting, I discovered that the Filer Server Resource Manager was pointing to the local machine instead of the server, and when I tried to point it to the server, the firewall on the server itself was blocking the connection.<\/li>\n<\/ul>\n\n\n\n
                                      \"\"<\/figure>\n\n\n\n
                                        \n
                                      • Here you can see me enabling the firewall rules to allow me to remotely manage the files. <\/li>\n<\/ul>\n\n\n\n
                                        \"\"<\/figure>\n\n\n\n
                                          \n
                                        • And now the service on my remote admin computer points to the actual server, so the RSAT works now. <\/li>\n<\/ul>\n\n\n\n
                                          \"\"<\/figure>\n\n\n\n
                                            \n
                                          • Using FSRM’s file screening<\/strong> feature to prevent users from uploading audio and video files to this shared folder as these media files can consume massive amounts of storage space.<\/li>\n<\/ul>\n\n\n\n
                                            \"\"<\/figure>\n\n\n\n
                                              \n
                                            • To prevent this shared folder from consuming all of our server storage, we’re going to implement a 10 GB hard quota<\/strong>. As it is a hard quota, users cannot exceed this limit. Once they reach 10GB, any additional uploads will fail. <\/li>\n\n\n\n
                                            • Once a user reaches 85% of their threshold, I will receive an email notifying me of this and I can relay this information to the user(s) for proactive management. <\/li>\n<\/ul>\n\n\n\n
                                              \"\"<\/figure>\n\n\n\n

                                              Now let’s explicitly explain the difference between Share permissions and NTFS permissions using a real example:<\/p>\n\n\n\n

                                                \n
                                              • As you can see in the image above, there’s a folder named “MARKETING.” In the Share permissions<\/strong>, only the Marketing Staff and Marketing Interns groups are listed – no other departments have access. <\/li>\n\n\n\n
                                              • The Marketing Interns group also have Full Control<\/strong> at the Share permissions level.<\/li>\n<\/ul>\n\n\n\n
                                                \"\"<\/figure>\n\n\n\n

                                                However, in the NTFS permissions, the Marketing Interns only<\/strong> have “Read”<\/strong> rights. So which permission actually applies?<\/p>\n\n\n\n

                                                  \n
                                                • The more restrictive policy always<\/strong> applies! It does not matter whether the restriction comes from Share permissions or NTFS permissions – when a user accesses a folder over the network, both<\/strong> sets of permissions are evaluated, and the most restrictive one is enforced.\n
                                                    \n
                                                  • If the folder is accessed locally, only the NTFS permissions are evaluated.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
                                                  • NTFS provides much more granular control versus Share permissions and because of this, IT admins may give users full “share” permissions but actually configure the specific permissions within NTFS so the users’ permissions are not controlled by a broad scope share permission.\n
                                                      \n
                                                    • You do not want to give read and execute rights in NTFS and only read rights in share permissions, as then that “user\/group” will only have read rights.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n

                                                      Summary of Cross-Domain Permissions:<\/strong><\/p>\n\n\n\n

                                                      \u2705<\/strong> Global Groups:<\/strong> Can be used for permissions in other domains
                                                      \u274c<\/strong> Domain Local Groups:<\/strong> Cannot be used for permissions in other domains
                                                      \u2705<\/strong> Universal Groups:<\/strong> Can be used for permissions in any domain (easiest for multi-domain)<\/p>\n\n\n\n

                                                      Inheritance<\/em><\/strong><\/p>\n\n\n\n

                                                      We have a folder named “Software”<\/strong> for our IT Department on our server. The entire<\/strong> IT Department should have access and read\/write permissions on this folder. However, there is a subfolder named “Licenses”<\/strong> that only<\/strong> the IT Managers should have access to.<\/p>\n\n\n\n

                                                      \"\"<\/figure>\n\n\n\n
                                                        \n
                                                      • The dilemma: Every subfolder within a parent folder has inheritance enabled. This means that whatever permissions a user or group has on the parent folder will automatically apply to all subfolders and files within it.<\/li>\n<\/ul>\n\n\n\n
                                                        \"\"<\/figure>\n\n\n\n