How to configure Compound NTFS Permissions in Windows Server 2012


Added September 10, 2014


Instructor: Rick Trader

Video Transcription:


As an Administrator, I commonly come across a situation where I have a resource out on a file server and a user happens to be a member of one, two, or maybe multiple groups that all have access to that resource.

As an example, let’s say I have a share on a file server called Sales Reviews. It’s a folder where I’m placing all the reviews of all the employees in the Sales Department.

The only people that should have access to this folder are members of Management who are also members of the Sales Department. In other words, you have to be a Sales Manager.

In the past, in order to accomplish this task, we would have to create a group. We would need to add every user who was a member of both Sales and Managers into that new group.

This meant we would need to maintain three different groups: a Managers group, a Sales group, and now this new group called Sales Managers that would also include the sales users.

In Windows Server 2012, one of the new features is the ability to enable a feature called Kerberos Armoring. This allows us to set compound permissions on resources without actually having to use Dynamic Access Control.

Let’s get started.

First I need to go into my Active Directory structure and create a set of users that I’m going to use for this.

In this situation Fred, myself and Wilma are my three users in the Sales Department.

Fred and Rick are just regular Sales employees. Wilma is a member of Sales and she also happens to be a Manager.

If I come into the Sales group, you will see Rick, Fred and Wilma.

If I come into the Managers group, you will only see Wilma.

So that’s the first step.

The next step will be to enable what’s called Kerberos Armoring. I’ll bring up my Group Policy Object.

I’ve already got Group Policy launched on this machine and I have a Group Policy that I created but haven’t configured it yet, called Kerberos Armoring.


I’d want to link this Group Policy Object to the OU where I’m going to have my servers that are going to have these permissions.

I’ll come in and I’ll go ahead and Edit this Group Policy Object.


The settings that we’re looking for are both Administrative Template settings.


I’m going to use the Filter On feature.


I filtered on just the word armor and this brought up for me two Group Policy line items.

One is for the KDC.

This is actually going to enable claims support; you don’t have to worry about claims in this demonstration.

I’m also not worried about armoring from the standpoint of Dynamic Access Control, but I want to enable armoring to support compound authentication. I’ll go ahead and edit it, and I’m going to enable it.

That enables it from the server side, and then on the client side we also have the setting “Kerberos client support for claims, compound authentication and Kerberos armoring.”

Again, I’m going to configure that so it’s now enabled.

Next I want to link this to the OU where the server resides. I’m going to link this to the Sales OU.

The next step would be to restart the computer or run a GP Update on the computer that has the Group Policy assigned to it, which is server 3.

I’ll come into server 3 here. I’m just going to run a gpupdate /force in PowerShell.


I have a tendency to run it twice. You don’t have to run it twice; this is just my own personal safety net when I apply a Group Policy. This way I make sure it does get applied.

My Group Policy has been applied. I’ll come down to my folder structure, and I already have a folder on my C drive called Sales Reviews.

Here is the Rick Quarterly Review.


Of course I don’t want Rick to be able to read this, so I will go into the Sales Reviews folder and bring up the Properties.

Look at the Security tab and at our default permissions.

We’ll see that, by default, the Administrators group and the Users group are listed, and members of the Users group have read permissions.

We want to remove the users group, so I’ll select Advanced.

I’m going to go ahead and disable inherited permissions.

One of the changes they made is that instead of calling the option “Add,” it is now called “Convert inherited permissions into explicit permissions on this object.” I’ll select this option.

I’ll click OK, then Edit, and now remove the Users group.

It’s up to each organization whether or not you leave the Administrators group in there. I’m going to leave the administrators in.

Now let’s go set those compound permissions.

I’ll click Advanced.

I’m going to come in and add a permission.

My security principal is going to be my Authenticated Users group.

This way I ensure I catch all users that are inside my Active Directory structure. I’m going to use Applies to: This folder, subfolders and files, and I’m going to grant Full control.

At this point, if all I did was hit Apply, every user in this domain, or from any trusted Kerberos realm, would have access to the folder.

Here’s a really cool feature. I’ll click “Add a condition.” We have User, Group, Member of each, and now I’ll Add items.

I’m going to say a member of Sales. Check name, and then select OK.

Now, if all I did was this, I’d have given anyone that’s a member of the Sales group permissions to this resource. It doesn’t matter where they’re coming from; they have to be a member of this group called Sales. But I want to make this compound, so I’m going to add a second item, Managers.

Then we’re going to hit OK, and I’m going to hit Apply.

Notice under my conditions here I now have Authenticated Users, but they must be members of each of Sales and Managers.

Now let’s go check the Effective Access permissions.


I’ll come in, select a user, and let’s select Rick. Remember, Rick was just a member of Sales.

Rick was not a member of the Managers group. Check name, and it’ll come down and show Effective permissions. Notice that Rick, even though a member of Sales, is not a member of Managers and has no access.

I’ll come back over and select View effective access permissions again. This time I’ll do Fred.


Remember, Fred was also just a member of Sales. Then check Effective permissions: still no access.

Now I’m going to go back to my Domain Controller and add one more user.

I’ll make this user a member of only the Managers group.

Create new user: Dino, Flintstone, Dino F. You’re probably getting an idea of what one of my favorite cartoons was.

Set Dino’s password. Make Dino a member of just the group Managers.

Successfully added. Go back over to my server 3 and come back in to select a different user.

Let’s select Dino.

Select Effective permissions and notice that Dino also doesn’t have any permissions.

We’ve checked to verify that just a member of Sales doesn’t have permissions, and just a member of Managers doesn’t have permissions. Now let’s go check Wilma.

Remember, Wilma was a member of both Sales and Managers. Voila! Wilma has full control of the folder.

We just set compound permissions without using the complexity of Dynamic Access Control and things such as claims.

Here’s one other thing that’s really cool.

I’ll return to the permissions.

What if, in addition to them being Authenticated Users and being in these two groups, the users have to be logged in from a computer that is a member of a specific group called Sales Computers? I’ll add that as another condition.

Now I’ve just added one more level of permissions here. Not only does the user have to be a member of the Sales and Managers groups, they also have to be connecting to this server from a computer that’s a member of the group called Sales Computers.

This allows for more complexity; there are a lot of different conditions I can add.
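The same conditional ACE can be applied from PowerShell instead of the Advanced Security dialog, which also answers the question in the comments below. This is an added example, not code from the video; it assumes the groups Sales, Managers and Sales Computers exist in AD, that the RSAT ActiveDirectory module is installed on the server, that the folder path is C:\Sales Reviews, and that it is run in an elevated session on the file server.

```powershell
# Added example (not from the original video): set the compound NTFS permission
# from PowerShell by writing the DACL as an SDDL string with a conditional ACE.
Import-Module ActiveDirectory

$folder = 'C:\Sales Reviews'   # assumption: the folder used in the video

# Resolve group SIDs up front so the ACE does not depend on display names.
$sales          = (Get-ADGroup -Identity 'Sales').SID.Value
$managers       = (Get-ADGroup -Identity 'Managers').SID.Value
$salesComputers = (Get-ADGroup -Identity 'Sales Computers').SID.Value

# Condition string, same logic as the GUI:
#   Member_of {a, b}      = "Member of each": user must be in BOTH groups
#   Device_Member_of {c}  = the computer the user connects from must be in c
# The device part only evaluates when the client ticket carries compound
# authentication, i.e. the KDC and Kerberos client armoring settings above.
$condition = "(Member_of {SID($sales), SID($managers)} && Device_Member_of {SID($salesComputers)})"

# SDDL for the DACL:
#   D:P                 protected DACL = inheritance disabled, as in the GUI
#   (A;OICI;FA;;;BA)    Administrators: Full control, folder, subfolders, files
#   (A;OICI;FA;;;SY)    SYSTEM: Full control
#   (XA;OICI;FA;;;AU;…) conditional (callback) allow ACE for Authenticated Users
$sddl = "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(XA;OICI;FA;;;AU;$condition)"

$acl = Get-Acl -Path $folder
$acl.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $folder -AclObject $acl

# Verify: the SDDL read back should contain the XA entry with the condition,
# and no plain Users entry should remain.
(Get-Acl -Path $folder).Sddl
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Note that an Authenticated Users entry whose condition cannot be evaluated grants nothing, so a user connecting from a machine that is not in Sales Computers (or from a client that does not send device information) is denied even when they are in both groups; use the Effective Access tab to confirm the result for a specific user and device before rolling this out.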

That’s Compound Permissions. Hopefully it will make your job a little bit easier using groups. Until next time, as always, write safe.

Rick Trader

Windows Server Instructor – Interface Technical Training

Phoenix, AZ


See what people are saying...

  1. Vinessen

    Hi Dears,
    Is there a way to add compound permissions via PowerShell?
    Thanks and best regards,
    Vinessen

  2. Rick Trader

    Hi Sebastian,

    I missed showing in the video that I moved the server into the OU that I linked the GPO to. It was required so the Kerberos client settings would support Compound Permissions.

    Seeing as the permissions are being controlled by the server and not the workstation operating system the user can be logged into virtually any operating system (I have tried and it still worked with a user logged into Windows XP).

    The KDC setting was also required to allow the server to accomplish Compound Permissions. If I were implementing Dynamic Access Control (DAC) then the KDC Setting GPO would need to be linked at the Domain Controller OU.

  3. Sebastian

    Hi,
    thanks for the great tutorial, but I have two questions:
    You configure both kerberos settings in one GPO and link it to an OU that contains only users.

    1. Shouldn’t the KDC setting be linked to an OU with all the DCs of a domain?
    2. Shouldn’t the Kerberos client setting be linked to an OU with the Win8/10 clients? Or the OU with the targeted file servers?

  4. Manny

    This is by far the best tutorial on this. I’m wondering if anyone knows about the behavior of NTFS permissions on servers running Windows Server 2012 R2 and how Domain Groups are affected? The servers are VMs running on VMware 5.5.

    My case is as follows:
    I create a directory directly on my server’s SAN volumes and all users and groups are inherited by default to the directory. This is not yet a share, and all effective access works as expected for users and groups. As soon as I convert the directory into a share, all Domain Groups lose all effective access, with the exception of SYSTEM and one other user from a trusted domain.

    Any thoughts?
