I haven't used QuickBooks in years, but, I would assume that if you removed the permission from the account then QuickBooks would stop working. Thanks for watching!
Loved the video! It was fast, but priceless. I have two questions, please. Why did you "drop" the mapped drives link Into the domain, (at 8m4s)? I do not know what this accomplished. Can you please clarify? I created the GPO links with in my security groups, for example, Admin-RW-SG or Admin-RO-SG. Also, I noticed you did not change the "Hide/Share this drive" or "Hide/Share all drives" settings (at, 7m50s) within the mapped drive wizard, but the S-drive letter still showed up in the users' explorer. When my users log into their machine, some get, "Could not map all network drives". I turned these settings to, "Show this drive" AND "Show all drives" Just curious why you didn't and why it does not matter, because you sure proved it is not needed. You also made me realize some weak links I left in my setup where I did NOT go and change the advanced rights settings, like unchecking the "Delete", "Change Permissions" and "Take Ownership" ! Thanks so much for your time and effort in sharing this. Again, this is so valuable and you "da" man!
When you create a GPO, it gets stored in the 'Group Policy Objects' folder. However, the GPO is not yet applied. You need to 'link' it to either the domain or an organisational unit. You can do this by 'dropping' the GPO over the domain or OU. Or, you can navigate to the OU and create it there and it gets linked automatically. As for the 'hide/show this drive' and 'hide/show all drives', I'm not 100% sure on when you would/wouldn't use that option. I've always just left it as 'no change' and never had any issues. If i wanted to hide or remove a drive, I would just use the delete action. Thanks for watching!
Needed this, thank you, keep going with the great help you're offering we keep going with pushing the algorithm, hopefully you make more videos, and one last thing could please when explaining how things are technically done, can you during that process explain why we do it and throw a real life exemple usage, and thank you so much in advance
I have another question which is an auto map question, is there a way to add a user to a security group that is not in the same OU? For some reason I am only able to add a user in the same security group that is in the same OU, but if its a different OU the drive will not auto map. Any help is appreciated.
If the user is not within an organisational unit that the group policy is applied to, then the user will never get the drive map even if they are a member of the security group. You will need to link the gpo to whatever the ou the user is a member of. Thanks for watching!
thanx for the video. When I trying to change owner on a folder to security group i have an error message "its impossible to assign this object type as owner. " Any user can be assigned without a problem, but not a security group. Do you have idea why?
Is this an empty folder or a folder with files/folders in it? Sounds like it could be struggling to change the owner of files/folders within the folder. You may have to search the error message online to see how to get around this. Thanks for watching!
Is there a way to modify individual permissions in a group? For example, if you have a group of 5 people under one group (John, Mary, George, Alex, Sam) there doesn't seem to be a way to edit just Alex but rather whatever changes you make applies to all 5 people. Thanks.
I would recommend making an additional security group just for Alex, and then giving that new security group whatever permissions Alex requires. I avoid giving file permissions directly to user accounts, and always use security groups, even if it's just for one user. Thanks for watching!
Thanks a lot for this helpful one, i wanna ask you about something please, If I want all new created users to have a home folder and mapped automatically whithout modifing the home folder for the new coming user everytime how can i do this?
I haven't dealt with Home Folders for a while as we migrated everyone away from them onto OneDrive. However, you should be able to setup a PowerShell script that runs on a schedule that automatically identifies any user accounts that don't have a home folder specified in the profile tab of the active directory user object, and then it automatically fills it in and points it to a file share and creates the folder with their username. Thanks for watching!
How can we possibly make that only the shared folders are seen by the specific users rather than all the shared folders(including those with restricted acces) ? I tried with access-based enumeration but sadly nothing changes.
The way you hide folders from people who don't have permission to access them is to use Access Based Enumeration, like you mentioned. I have a guide on setting this up if you want to double check your config: th-cam.com/video/_k6A8-4umPI/w-d-xo.html Thanks for watching!
Tanks for example, It`s great. had issues with permissions on Volumes/Folders Side. Now is more clear. (btw i red all comments, was also helpfull :D ) Question: the permissions must be on the Folders? Can I controll hole permissions in GPOs that is linked to some OU? (I tried and working, just with users, not Groups in Item Targeting Level...) And shared Folder is with permission Group "Everyone" and Full Controll) Tank you
Hi! Good explanation! I have a question to clarify, you set the special permission to a groups unticking delete, chown and tkown to denny users to could do these actions? I have this problem on a fileserver, everytime i check users files properties 😮💨🤦... the owner is the user and not the group as you set... sorry about my english, regards from Argentina 😉👋
The reason I changed the owners of the main folders to a security group is so no one can take ownership of that folder and change the permissions unless they are specifically allowed (by making them a member of that group or they are an domain admin or admin on the file server). It is only the main folders that need this ownership change. The files within the folder will likely show the creator of the file as the owner, and this is fine as the access permissions are provided by the folder and not the individual file. I hope this clears things up. Thanks for watching!
I set up the permissions but I'm facing an issue that the logged in user has to be the AD account who has permission to a specific shared folder. When I logged in to Windows as a local PC account, still the same PC, same network same IP address being obtained, even I used the option of different credentials to connect, I typed the AD user's credentials, It always failed to access the shared folders. Any idea?
Why are you logging into a domain joined workstation using the local account? If the user account you're entering the credentials for has permissions to access the folder, then it should work. I don't know why it wouldn't. What is the error?
@@danny_moran actually i was trying to simulate the scenario where users used their own laptop with local account only, anyway, i was not giving everyone FULL control in the first place but after following your steps, the configuration seems working fine now. Thanks a million!
Thank you so much for such informational video. I am able to implement exact same thing that you described in this video. The only bizarre thing is that Users are only able to see the drives they have permission to. E.g. HR folder is only visible to sf-hr users, tech is visible to only sf-tech users and same with accounts. How can I get the permissions to be applied in such a way that users can see all the folders but can only access the ones which they have access to. Your reply would be really appreciated. Thanks again!
Sounds like you have Access Based Enumeration setup on the file share. Have a look at this guide, just do the reverse as this is for setting up ABE: th-cam.com/video/_k6A8-4umPI/w-d-xo.html Thanks for watching!
@@danny_moran Didn't mean to alarm you. I've heard of Active directory. But I don't know how to set it up. Your file server setup shows you clicking somethings about Active Directory, like the file server only works, when Active Directory is also working.
The method in this video only works if you have a local Active Directory domain, and both the file server and client workstations connected to the domain.
Hey, thanks for the awesome tutorial. I am now trying to make the permission so that the user cannot delete the Accounts folder, but can delete all folders and files inside. If I set the "full control" for the user on the Accounts folder to "subfolders and files" and "read, write & execute" to "this folder only" the Account folder will be able to be deleted. If I set the permissions on the Account folder to "read, write & execute" to "this folder,subfolders and files" I cannot edit the name and contents of the files in the Account folder, nor can I delete the Accounts folder. Can you please help me to set such permissions? I apologize for my English, I hope the description is understandable. Thank you for your help.
If you leave the accounts folder permissions set to this folder, subfolders and files, and then give them full control but un-tick delete, this should give you the results you're after. Thanks for watching!
@@danny_moran Hello, i tried to set up the permission according to your advice, but it didn't work. I sent you video to you email address where you can see the permission setting. If you are willing to check the video and give me a hint how to set it up correctly, it would be great!
By the way at your very first step, why do you need to grant FULL CONTROL for everyone then remove the users and disable inheritance? This is where I don't understand and still very confused😅😅
thanks for the video.. Can u pls explain how to create shared folders with read and write permissions with no delete permissions. user should not have delete permissions, but should edit the data.
I show this in the video. When assigning the user permissions to the folder, if you untick the 'Delete' box under advanced permissions, then the user won't be able to delete the folder but still read and write to files within the folder. Thanks for watching!
Thank you for quick and step by step guide, I'm writing a thesis about a file server, and you helped me a lot.
Glad it helped! Thanks for watching!
Thank you for making this video on AD shares. Makes a lot of sense now seeing how you modify the permissions. Thank you!!
Thanks for watching!
Love it! Direct, to the point, simple step- by-step instructions! New Subscriber for sure!
Thanks for watching!
Greetings from germany, enjoy your videos! Straight forward to the point, problem solved in a efficient manner. Bravo!
Thanks for watching!
Hello... Juat want to ask.. User wasnt be able to save the after they edit for example in MS excel.
Does the user have modify permission on the file they are trying to edit?
This is pure gold! saved my behind today thanks!
Glad you found it useful! Thanks for watching, Oscar!
how do you have hostname ip and other information showed up on the wallpaper there? can share the gp or script to do that?
I have a guide on how to set this up: th-cam.com/video/ZnCEpFzd9VU/w-d-xo.html
Thanks for watching!
With a Quickbooks share would you leave the "QBDataServiceUser"s that are automatically generated?
I haven't used QuickBooks in years, but, I would assume that if you removed the permission from the account then QuickBooks would stop working.
Thanks for watching!
Hello! great vid, but I don't have permissions tab in folder's propeties... any idea?
The security tab is missing? I don't think I've ever seen it not be there.
Loved the video! It was fast, but priceless. I have two questions, please. Why did you "drop" the mapped drives link Into the domain, (at 8m4s)? I do not know what this accomplished. Can you please clarify? I created the GPO links with in my security groups, for example, Admin-RW-SG or Admin-RO-SG. Also, I noticed you did not change the "Hide/Share this drive" or "Hide/Share all drives" settings (at, 7m50s) within the mapped drive wizard, but the S-drive letter still showed up in the users' explorer. When my users log into their machine, some get, "Could not map all network drives". I turned these settings to, "Show this drive" AND "Show all drives" Just curious why you didn't and why it does not matter, because you sure proved it is not needed. You also made me realize some weak links I left in my setup where I did NOT go and change the advanced rights settings, like unchecking the "Delete", "Change Permissions" and "Take Ownership" ! Thanks so much for your time and effort in sharing this. Again, this is so valuable and you "da" man!
When you create a GPO, it gets stored in the 'Group Policy Objects' folder. However, the GPO is not yet applied. You need to 'link' it to either the domain or an organisational unit. You can do this by 'dropping' the GPO over the domain or OU. Or, you can navigate to the OU and create it there and it gets linked automatically.
As for the 'hide/show this drive' and 'hide/show all drives', I'm not 100% sure on when you would/wouldn't use that option. I've always just left it as 'no change' and never had any issues. If i wanted to hide or remove a drive, I would just use the delete action.
Thanks for watching!
Needed this, thank you, keep going with the great help you're offering we keep going with pushing the algorithm, hopefully you make more videos, and one last thing could please when explaining how things are technically done, can you during that process explain why we do it and throw a real life exemple usage, and thank you so much in advance
Thanks for watching and thanks for the feedback!
I have another question which is an auto map question, is there a way to add a user to a security group that is not in the same OU? For some reason I am only able to add a user in the same security group that is in the same OU, but if its a different OU the drive will not auto map. Any help is appreciated.
If the user is not within an organisational unit that the group policy is applied to, then the user will never get the drive map even if they are a member of the security group.
You will need to link the gpo to whatever the ou the user is a member of.
Thanks for watching!
hello dude what exactly did you do at 8:09 which keys did you press can you help me
I'm not sure what you mean? I just changed from my windows server virtual machine to my windows 11 virtual machine.
Thanks for watching!
THIS IS FANTASTIC 🔥
Thanks for watching!
thanx for the video. When I trying to change owner on a folder to security group i have an error message "its impossible to assign this object type as owner. " Any user can be assigned without a problem, but not a security group. Do you have idea why?
Is this an empty folder or a folder with files/folders in it?
Sounds like it could be struggling to change the owner of files/folders within the folder.
You may have to search the error message online to see how to get around this.
Thanks for watching!
Is there a way to modify individual permissions in a group? For example, if you have a group of 5 people under one group (John, Mary, George, Alex, Sam) there doesn't seem to be a way to edit just Alex but rather whatever changes you make applies to all 5 people. Thanks.
I would recommend making an additional security group just for Alex, and then giving that new security group whatever permissions Alex requires.
I avoid giving file permissions directly to user accounts, and always use security groups, even if it's just for one user.
Thanks for watching!
Thanks a lot for this helpful one, i wanna ask you about something please, If I want all new created users to have a home folder and mapped automatically whithout modifing the home folder for the new coming user everytime how can i do this?
I haven't dealt with Home Folders for a while as we migrated everyone away from them onto OneDrive.
However, you should be able to setup a PowerShell script that runs on a schedule that automatically identifies any user accounts that don't have a home folder specified in the profile tab of the active directory user object, and then it automatically fills it in and points it to a file share and creates the folder with their username.
Thanks for watching!
How can we possibly make that only the shared folders are seen by the specific users rather than all the shared folders(including those with restricted acces) ? I tried with access-based enumeration but sadly nothing changes.
The way you hide folders from people who don't have permission to access them is to use Access Based Enumeration, like you mentioned.
I have a guide on setting this up if you want to double check your config: th-cam.com/video/_k6A8-4umPI/w-d-xo.html
Thanks for watching!
Tanks for example, It`s great. had issues with permissions on Volumes/Folders Side.
Now is more clear. (btw i red all comments, was also helpfull :D )
Question: the permissions must be on the Folders? Can I controll hole permissions in GPOs that is linked to some OU? (I tried and working, just with users, not Groups in Item Targeting Level...) And shared Folder is with permission Group "Everyone" and Full Controll)
Tank you
No, you can only use group policy to map the drives.
You still need to manually set the permissions on the folder.
Thanks for watching!
Hi! Good explanation! I have a question to clarify, you set the special permission to a groups unticking delete, chown and tkown to denny users to could do these actions? I have this problem on a fileserver, everytime i check users files properties 😮💨🤦... the owner is the user and not the group as you set... sorry about my english, regards from Argentina 😉👋
The reason I changed the owners of the main folders to a security group is so no one can take ownership of that folder and change the permissions unless they are specifically allowed (by making them a member of that group or they are an domain admin or admin on the file server).
It is only the main folders that need this ownership change. The files within the folder will likely show the creator of the file as the owner, and this is fine as the access permissions are provided by the folder and not the individual file.
I hope this clears things up.
Thanks for watching!
@@danny_moran thx so much Danny! 👏👏😁✌️
awesome sharing. thanks for the effort
Thanks for watching!
I set up the permissions but I'm facing an issue that the logged in user has to be the AD account who has permission to a specific shared folder. When I logged in to Windows as a local PC account, still the same PC, same network same IP address being obtained, even I used the option of different credentials to connect, I typed the AD user's credentials, It always failed to access the shared folders. Any idea?
Why are you logging into a domain joined workstation using the local account?
If the user account you're entering the credentials for has permissions to access the folder, then it should work. I don't know why it wouldn't.
What is the error?
@@danny_moran actually i was trying to simulate the scenario where users used their own laptop with local account only, anyway, i was not giving everyone FULL control in the first place but after following your steps, the configuration seems working fine now. Thanks a million!
Glad you've managed to get it working!
Thank you so much for such informational video. I am able to implement exact same thing that you described in this video. The only bizarre thing is that Users are only able to see the drives they have permission to. E.g. HR folder is only visible to sf-hr users, tech is visible to only sf-tech users and same with accounts. How can I get the permissions to be applied in such a way that users can see all the folders but can only access the ones which they have access to. Your reply would be really appreciated. Thanks again!
Sounds like you have Access Based Enumeration setup on the file share.
Have a look at this guide, just do the reverse as this is for setting up ABE: th-cam.com/video/_k6A8-4umPI/w-d-xo.html
Thanks for watching!
Was following, but got lost in the Active Directory part. Guess I have to start off with Active Directory first.
Sorry, I'm not sure what you mean by this?
@@danny_moran Didn't mean to alarm you. I've heard of Active directory. But I don't know how to set it up. Your file server setup shows you clicking somethings about Active Directory, like the file server only works, when Active Directory is also working.
The method in this video only works if you have a local Active Directory domain, and both the file server and client workstations connected to the domain.
Thank you very much!
Thanks for watching!
Hey, thanks for the awesome tutorial. I am now trying to make the permission so that the user cannot delete the Accounts folder, but can delete all folders and files inside.
If I set the "full control" for the user on the Accounts folder to "subfolders and files" and "read, write & execute" to "this folder only" the Account folder will be able to be deleted.
If I set the permissions on the Account folder to "read, write & execute" to "this folder,subfolders and files" I cannot edit the name and contents of the files in the Account folder, nor can I delete the Accounts folder.
Can you please help me to set such permissions?
I apologize for my English, I hope the description is understandable.
Thank you for your help.
If you leave the accounts folder permissions set to this folder, subfolders and files, and then give them full control but un-tick delete, this should give you the results you're after.
Thanks for watching!
@@danny_moran Hello, i tried to set up the permission according to your advice, but it didn't work. I sent you video to you email address where you can see the permission setting. If you are willing to check the video and give me a hint how to set it up correctly, it would be great!
By the way at your very first step, why do you need to grant FULL CONTROL for everyone then remove the users and disable inheritance? This is where I don't understand and still very confused😅😅
I'm referring to setting up the Shared (parent folder)
This is so everyone can actually access the shared folder.
The permissions are then setup on the sub-folders.
Thanks for watching!
thanks for the video..
Can u pls explain how to create shared folders with read and write permissions with no delete permissions.
user should not have delete permissions, but should edit the data.
I show this in the video. When assigning the user permissions to the folder, if you untick the 'Delete' box under advanced permissions, then the user won't be able to delete the folder but still read and write to files within the folder.
Thanks for watching!
Very useful! Thanks!
Thanks for watching!
Great video. Thank you
Thanks for watching!
Thank you a bunch :)
Thanks for watching!
Thanks for watching!
thanks alot :)
Thanks for watching!
helpful
Thanks for watching!
@@danny_moran thanks for creating
Great
Thanks for watching!
Excellent!
Thanks for watching!
excelent
Thanks for watching!
God I hate Windows administration with a passion
Thanks for watching!