Security and Permissions for Q drive shares

Procedure

Share administrators will be asked to add members of their department that require access to their folder to either a “Read” group or “RW” group.  Members added to the folder’s “Read” group will have permission to read files and subfolders from the parent folder.  Members added to the “RW” group, or read-write group, will have the ability to read and edit files and subfolders from the parent folder.  The process of adding Active Directory (AD) accounts to and removing Active Directory accounts from fileshares will be conducted by each folder’s designated Share Administrator.  The ITS Service Desk will also have the ability to make these changes.

Each folder will have three groups added to it by default.  As an example, for the fileshare listed as isi_storageadmins, the following groups will be created and added to that folder with the related permissions and security:

isi_storageadmins-Share-Admin
isi_storageadmins-Share-RW
isi_storageadmins-Share-Read

Each group's permission on the share corresponds to its name. A designated Active Directory account will be added to the isi_storageadmins-Share-Admin group. The Share Admin can modify the isi_storageadmins-Share-RW and isi_storageadmins-Share-Read groups. To add someone to a group, use the net group command (from a cmd.exe window) on a Windows-based computer.

Information Technology Services will add a few additional groups to the security of the isi_storageadmins share to provide backup (CelBkup), to provide assistance (CelAdmin), and for compliance reasons (ITSecurity).  Please DO NOT delete these groups from your fileshare.

Accessing the Windows Command (cmd.exe) window

1) Click the Start button on your computer desktop.

2) Locate “Command Prompt” under the Accessories menu.

3) This will open the Command Prompt window.

Adding Active Directory (AD) account names to an Active Directory group

Using the isi_storageadmins fileshare as an example, to add the Active Directory account r.pierce to the RW group, type the following and press <ENTER>:

    net group /domain isi_storageadmins-Share-RW /add r.pierce

A successful addition should display the following:

[Screenshot: Successful addition of an AD account name to AD group]

Listing Active Directory account names in an Active Directory group

Using the isi_storageadmins fileshare as an example, you can view the members of the RW group by typing the following and pressing <ENTER>:

    net group /domain isi_storageadmins-Share-RW

The output should look similar to this:

[Screenshot: Confirmation Output - Listing AD account names to AD group]

Removing Active Directory account names from an Active Directory group

Using the isi_storageadmins fileshare as an example, to delete the Active Directory account r.pierce from the RW group, type the following and press <ENTER>:

    net group /domain isi_storageadmins-Share-RW /delete r.pierce

A successful deletion should display the following:

[Screenshot: Confirmation Output - Removing AD account names from AD group]
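
A membership review built on the listing command above, as an added example that is not part of the original ITS procedure: it parses net group /domain output and compares it with a department roster, showing the add or delete command from this page for each mismatch. The sample output, the domain example.edu, the roster and the accounts j.doe, t.former and n.hire are constructed; English-language output and account names without spaces are assumed.

```powershell
# Added example (not ITS's own script): review one share group against a roster.
# Assumes English-language `net group` output and account names without spaces.

function Get-NetGroupMember {
    param([string[]]$NetOutput)
    $inList = $false
    foreach ($line in $NetOutput) {
        if ($line -match '^-{10,}\s*$') { $inList = $true; continue }   # separator before members
        if ($line -match '^The command completed') { break }           # end of member list
        if ($inList) { $line -split '\s+' | Where-Object { $_ } }       # names are in padded columns
    }
}

function Compare-ShareGroup {
    param([string]$Group, [string[]]$Members, [string[]]$Approved)
    foreach ($m in $Members) {
        if ($Approved -notcontains $m) {
            [pscustomobject]@{ Group = $Group; Account = $m; Finding = 'not on roster'
                Command = "net group /domain $Group /delete $m" }
        }
    }
    foreach ($a in $Approved) {
        if ($Members -notcontains $a) {
            [pscustomobject]@{ Group = $Group; Account = $a; Finding = 'on roster, not in group'
                Command = "net group /domain $Group /add $a" }
        }
    }
}

# Constructed sample of `net group /domain isi_storageadmins-Share-RW` output.
$sample = @'
The request will be processed at a domain controller for domain example.edu.

Group name     isi_storageadmins-Share-RW
Comment

Members

-------------------------------------------------------------------------------
j.doe                    r.pierce                 t.former
The command completed successfully.
'@ -split "`r?`n"

# Constructed roster of accounts the department has approved for read-write access.
$approvedRW = 'r.pierce', 'j.doe', 'n.hire'
$group      = 'isi_storageadmins-Share-RW'
# On a domain-joined computer, replace $sample with: (net group /domain $group)
$members    = @(Get-NetGroupMember -NetOutput $sample)
Compare-ShareGroup -Group $group -Members $members -Approved $approvedRW | Format-List
```

The script only prints the suggested commands; the Share Administrator confirms each finding and runs them by hand.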