Setting Active Directory folder permissions on ReadyNAS OS6
Setting up Active Directory (AD) permissions allows administrators to assign access policies to secure their environment and lower their maintenance cost by having centralized management.
When you join a ReadyNAS OS6 device to an AD domain, you can no longer use ReadyCLOUD services with the NAS.
Overview
This article describes how to set up shares and sub-folders on a ReadyNAS device to achieve the equivalent Windows file server read/write permissions.
Equipment
- Windows 2008 Server
- ReadyNAS 316 unit
Scenario for This Guide
- A share on ReadyNAS OS6 unit, with sub-folders in a Windows 2008 domain.
- Within the sub-folders, both public (2014) and private (2013) directories exist.
- All members of the Domain Users group are allowed to read the public directory in each share.
- Only members of specific groups, such as SalesExecs, are allowed to read content in the private directory in the share.
- Users are forbidden to create new directories in the root of the Sales share.
Part 1. Create a Share on the ReadyNAS Unit
To create a share on the ReadyNAS unit:
1. Go to Shares -> New Folder.
2. Add the new share name.
In this example, we use Sales.
3. Make sure the SMB check box is selected.
4. Configure your continuous protection and compression if needed.
Part 2. Verify Network Access
To verify network access:
1. Verify that the Everyone user is set to Read/Write.
Change this setting if it is not.
2. Verify that Allow Anonymous access is cleared.
Part 3. Set Up Root Share Permissions From a Windows Client
Before you do anything with files or folders within the share, log in to a Windows server as the administrator account.
Use the account that was used to join the ReadyNAS OS6 device to the domain. This account is usually Administrator or Domain Admin.
To set up root share permissions from a Windows client:
1. Go to the new FQDN of the ReadyNAS unit.
For example, if the NAS is named NAS1, then open \\nas1.domain.suffix\ in Windows Explorer.
2. Right-click on the Sales share and select Properties.
3. Select Advanced on the Security tab.
4. Select Change Permissions.
5. Select Everyone and click the Edit button.
6. To disallow all of the allowed permissions, click the Clear All button and then click the OK button.
7. Add the security group Domain Users with read rights by allowing read, execute, and list folder contents.
8. Click the OK button and select YES on the following prompt.
CREATOR OWNER and CREATOR GROUP are also created by default. These groups should not be modified.
Part 4. Create Your Sub-Folder Structure
You are still logged in as the domain administrator.
In our example, the folders are called Public and Protected. The goal is to let the Sales group have write-access to the two sub-folders Public and Protected within the Data folder. All other users should have read-only access to the Public folder.
To create the public folder \\NAS1.domain name.suffix\Sales\2014:
1. Right-click on the folder 2014 and select Properties.
2. On the Security tab, add the group SalesExecs and grant them Full Control.
3. Accept by clicking on the OK button.
All other permissions are inherited from the root share.
To create the protected folder \\NAS1.domain name.suffix\Sales\2013:
1. On the Security tab, add the group SalesExecs and grant them Full Control rights.
2. Now click the Advanced tab.
3. Select the security group Domain Users and, on the Advanced screen, deny all permissions except List folder and Read Attributes.
4. Click the OK button.
5. Click the OK button again.
6. Select YES on the next prompt.
7. On the Properties screen, click the OK button.
Part 5. Test Permissions
All members of the group SalesExecs can write to both sub-folders, while all members of the group Domain Users are allowed to read the Public folder.
To test the permissions:
1. Test the Private Folder permissions.
As the administrator, transfer the Sales Archive for the Private folder to 2013. See Object name.
The permissions correctly show Domain Users having the special read-only permissions and SalesExecs having Full Control.
2. Test the Public Folder permissions.
As the administrator, transfer Sales Archive Public for the Public folder to 2014.
The sharing in this example works as expected. We have full control from the parent folder.
The scenario conditions required the domain users not to access the 2013 folder.
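The ACLs set in Parts 3 and 4 can also be checked from a Windows client with a read-only PowerShell audit. This is an added example, not part of the original article; the UNC path is the article's placeholder, and the helpers Get-Aces, Test-NoWrite and Test-FullControl are hypothetical names.

```powershell
# Added example: read-only audit of the ACLs set in Parts 3 and 4.
# $Root uses the article's placeholder FQDN; substitute your own NAS name.
$Root    = '\\nas1.domain.suffix\Sales'
$Public  = Join-Path $Root '2014'   # public folder in the article
$Private = Join-Path $Root '2013'   # private folder in the article

$Full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
# Rights that allow creating, changing or re-permissioning content.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights](
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Get-Aces {
    # ACEs on $Path for one account name and one ACE type (Allow or Deny).
    param([string]$Path, [string]$Account, [string]$Type)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        # Compare the account name only, so the domain prefix is irrelevant.
        ($_.IdentityReference.Value -split '\\')[-1] -eq $Account -and
        $_.AccessControlType -eq $Type
    }
}

function Test-NoWrite {
    # True when no Allow ACE for $Account carries a write-type right.
    param([string]$Path, [string]$Account)
    -not (Get-Aces $Path $Account 'Allow' |
        Where-Object { ([int]$_.FileSystemRights -band $WriteMask) -ne 0 })
}

function Test-FullControl {
    # True when an Allow ACE for $Account grants every Full Control bit.
    param([string]$Path, [string]$Account)
    [bool](Get-Aces $Path $Account 'Allow' |
        Where-Object { ([int]$_.FileSystemRights -band $Full) -eq $Full })
}

$checks = [ordered]@{
    'Root: Everyone is allowed nothing' = -not (Get-Aces $Root 'Everyone' 'Allow' |
        Where-Object { [int]$_.FileSystemRights -ne 0 })
    'Root: Domain Users cannot write'   = Test-NoWrite $Root 'Domain Users'
    '2014: Domain Users cannot write'   = Test-NoWrite $Public 'Domain Users'
    '2014: SalesExecs has Full Control' = Test-FullControl $Public 'SalesExecs'
    '2013: SalesExecs has Full Control' = Test-FullControl $Private 'SalesExecs'
    '2013: Domain Users has a Deny ACE' = [bool](Get-Aces $Private 'Domain Users' 'Deny')
}
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
} | Format-Table -AutoSize
```

Get-Acl reports only the stored ACEs. Given the note below on deny behaviour, also confirm real access by opening both folders as a domain user who is not in SalesExecs.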
Notes: The deny option does not work on ReadyNAS OS6 the way you would expect it to work on a Windows Server. Once you have set up everything, always use a Windows client to modify permissions. Do not use the ReadyNAS OS6 Advanced Permissions tab to manage security, and refrain from using the File Access:Reset function in the web interface.