Windows ADS (Active Directory Service) is a supported security mode on all business-class ReadyNAS products. This allows administrators to assign access policies to secure their environment and lower their maintenance cost by having centralized management.
This article describes how to set up shares and sub-folders on a ReadyNAS server to achieve equivalent Windows file server read/write permissions.
Note: This article refers to RAIDiator 4.2 installations.
- Create a share on ReadyNAS with sub-folders in a Windows 2003 domain.
- Within the sub-folders, both public and private directories exist.
- All members of the group “Domain Users” are allowed to read the public directory in each share.
- Only members of specific groups are allowed to read content in the private directory in the share.
- Users are forbidden to create directories in the root of the share.
Step 1: Create a share on the ReadyNAS using FrontView
- Go to the Shares->Add Shares tab.
- Add the new share name (we use “DATA” in this example).
- Untick the checkbox on “Public Access”.
Step 2: Verify CIFS Options
- Verify that the Default Access is set to Read/write. Change it to this setting if not.
- Verify that guest access is disabled. If guest access is enabled, disable it.
Step 3: Set up root share permissions from a Windows client
Before you do anything with files or folders within the share, log in to a Windows client with the Administrator account (this must be the account used to join the ReadyNAS to the domain, usually “administrator”).
- Browse to the ReadyNAS in Explorer. For example, if the NAS is named “NAS1”, open \\NAS1\ in Windows Explorer.
- Right click on the “DATA” share and select Properties.
- Select ADVANCED on the SECURITY tab.
- Select the security group Everyone and click EDIT.
- De-select all allowed permissions and click OK.
- Exit the ADVANCED window by selecting OK and accept the changes with YES.
- Now you can add the security group “Domain Users” with read rights (allow “read”, “execute”, “list folder-contents”).
- Click OK and select YES on the following prompt.
Note: Creator Group and Creator Owner are also created by default. These should not be modified.
Step 4: Create your sub-folder structure (still as the Domain Admin)
In our example, the folders will be called “Public” and “Protected”. Our goal is to let the group “Sales” have write-access to the two sub-folders “Public” and “Protected” within the folder “DATA”. All other users should have read-only access to the folder “Public”.
Create Public Folder (“\\NAS1\DATA\Public”)
- Right-click on the folder “Public” and select Properties.
- On the SECURITY tab add the group “Sales” and grant them “Full Control”.
- Accept by selecting OK.
Note: All other permissions will be inherited from the root share.
Create Protected Folder (“\\NAS1\DATA\Protected”)
- On the SECURITY tab add the group “Sales” and grant the “Full Control” rights.
- Now click on ADVANCED.
- Select the security group “Domain Users” and edit them.
- DENY all Permissions in the ADVANCED Window and select OK.
- Select OK again.
- Select YES on the next prompt. Select OK on the Properties Window.
Step 5: Test permissions
All members of the group “Sales” can write to both sub-folders, while all members of the group “Domain Users” are allowed to read the “Public” folder.
The sharing in this example works as expected.
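One way to check the result of Steps 3 and 4 from the Windows client (an added example, not part of the original article or of NETGEAR's tooling): the script reads each folder's ACL with Get-Acl and compares it with the entries the steps above set. NAS1, DATA, Public, Protected and Sales are the article's example names; the domain name EXAMPLE is a placeholder.

```powershell
# Added example: audit the ACLs set in Steps 3 and 4 from a Windows client.
# Assumption: EXAMPLE is a placeholder for the domain's NetBIOS name.
$Domain = 'EXAMPLE'

# Expected entries, transcribed from the steps in this article.
$Expected = @(
    @{ Path='\\NAS1\DATA';           Id="$Domain\Domain Users"; Type='Allow'; Rights='ReadAndExecute' }
    @{ Path='\\NAS1\DATA\Public';    Id="$Domain\Sales";        Type='Allow'; Rights='FullControl' }
    @{ Path='\\NAS1\DATA\Protected'; Id="$Domain\Sales";        Type='Allow'; Rights='FullControl' }
    @{ Path='\\NAS1\DATA\Protected'; Id="$Domain\Domain Users"; Type='Deny';  Rights='FullControl' }
)

# True if the ACL holds an entry for $Id of the given type that covers $Rights.
function Test-AclEntry {
    param($Acl, [string]$Id, [string]$Type, [string]$Rights)
    $want = [int][System.Security.AccessControl.FileSystemRights]$Rights
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Id -and
            "$($ace.AccessControlType)" -eq $Type -and
            ([int]$ace.FileSystemRights -band $want) -eq $want) { return $true }
    }
    return $false
}

$failures = 0
foreach ($e in $Expected) {
    $acl = Get-Acl -LiteralPath $e.Path
    $ok  = Test-AclEntry -Acl $acl -Id $e.Id -Type $e.Type -Rights $e.Rights
    if (-not $ok) { $failures++ }
    '{0,-8} {1,-24} {2,-5} {3} on {4}' -f $(if ($ok) {'OK'} else {'MISSING'}), $e.Id, $e.Type, $e.Rights, $e.Path
}

# Step 3 removed every allowed permission from Everyone: flag any Allow entry that remains.
$paths = $Expected | ForEach-Object { $_.Path } | Sort-Object -Unique
foreach ($p in $paths) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and "$($_.AccessControlType)" -eq 'Allow' } |
        ForEach-Object { $failures++; "UNEXPECTED Everyone Allow $($_.FileSystemRights) on $p" }
}
"$failures problem(s) found"
```

Run it as the account used in Step 3; a MISSING or UNEXPECTED line points at the folder whose SECURITY tab should be rechecked from the Windows client.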
Notes: The “deny” option doesn’t work on the ReadyNAS the way you would expect it to work on a Windows Server. Once you have set everything up, always use a Windows client to modify permissions. Do not use the ReadyNAS Advanced Permissions tab to manage security, and refrain from using the Take Ownership function in FrontView.
Published 20/10/2009 08:40 PM | Updated 18/08/2015 12:42 AM