Need help granting permissions to a local Windows group for a folder on an NTFS drive on a Windows Server 2019 server joined to an AD domain.

I have successfully configured that for a domain group, but need help to get the local group to work:

Test setup: two security groups, one in AD ("adgroup") and one local Windows group ("localgroup"); I added the same AD user (let's call him "testuser") to both groups.

Then I created a new folder, let's call it D:\MyFolder.

This works: If I grant read permissions on MyFolder to adgroup, testuser can access the folder just fine.

This doesn't work: If I grant read permissions on MyFolder to localgroup, testuser can't access the folder. Full control also does not work. However, checking the effective permissions on MyFolder shows that testuser has indeed full access.

How to get this to work with local groups?

  • Have the users logged off and on again? Group membership is only picked up during login.
    – Zac67
    Commented Jan 12 at 14:43
  • Yes, I did several log-off/log-on cycles. As I said, it works perfectly fine using the AD group.
    Commented Jan 12 at 14:52
  • 1
    It does work with local groups. You should include the output of whoami /groups when logged on with the domain account on the server with the folder. If you are not logging on locally but accessing it using a share, you should specify that and the details.
    – Greg Askew
    Commented Jan 12 at 14:58
  • Why are you using local machine groups?
    – Turdie
    Commented Jan 17 at 18:59

1 Answer

I would try to avoid local machine groups when dealing with NTFS permissions. You might be confusing them with domain local groups, which are sometimes also called local groups. If you really need to use a local machine group, you can make the global group a member of the local machine group.

A common principle to remember is AGDLP. User and computer accounts are members of account groups, which are members of global groups that represent business roles; the global groups are members of AD domain local groups that describe resource permissions or user rights assignments.

Here is a general example of creating the AGDLP group chain with PowerShell.

# Requires the RSAT ActiveDirectory module on a domain-joined machine
Import-Module ActiveDirectory

# Define business roles
$accountingRole = "Accounting"
$readersRole = "Readers"
$folderAccessRole = "FolderAccess"

# Define group names based on business roles (AG = account group, GG = global group, DL = domain local group)
$accountGroupName = "AG_$accountingRole"
$globalGroupName = "GG_$readersRole"
$domainLocalGroupName = "DL_$folderAccessRole"

# Create Active Directory groups
New-ADGroup -Name $accountGroupName -GroupScope Global -GroupCategory Security
New-ADGroup -Name $globalGroupName -GroupScope Global -GroupCategory Security
New-ADGroup -Name $domainLocalGroupName -GroupScope DomainLocal -GroupCategory Security

# Add user accounts to the account group (A)
Add-ADGroupMember -Identity $accountGroupName -Members "User1", "User2"

# Nest the account group in the global group (A -> G)
Add-ADGroupMember -Identity $globalGroupName -Members $accountGroupName

# Nest the global group in the domain local group (G -> DL); the DL group is what carries the NTFS permission
Add-ADGroupMember -Identity $domainLocalGroupName -Members $globalGroupName

# Resolve the domain's NetBIOS name instead of hard-coding it
$domainNetBios = (Get-ADDomain).NetBIOSName

# Get the folder path
$folderPath = "C:\Path\To\Your\Folder"

# Get the folder's ACL (Access Control List)
$acl = Get-Acl -Path $folderPath

# Create a read permission for the domain local group, inherited by subfolders and files (P)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domainNetBios\$domainLocalGroupName", "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)

# Apply the modified ACL to the folder
Set-Acl -Path $folderPath -AclObject $acl

Please remember to test this script first and change the values to your environment.
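The following is an added example, not code from the question or the answer above. It takes the answer's fallback route for a local machine group: nest the AD group in the local group instead of putting users in it directly, grant the local group Read on the folder, and then verify the result the way Greg Askew's comment suggests, by checking what is actually in the logged-on user's access token rather than what the directory or the Effective Access tab reports. The folder, group and user names are taken from the question; the domain and computer names are resolved from $env:USERDOMAIN and $env:COMPUTERNAME at runtime rather than assumed.

```powershell
# Added example (not from the question or answer). Grant-LocalGroupRead needs local admin rights;
# Test-FolderAccessSetup should be run in a session logged on as the test user (e.g. testuser),
# because NTFS evaluates the token built at logon, not current directory membership.

$folderPath     = "D:\MyFolder"               # folder from the question
$localGroupName = "localgroup"                # local machine group from the question
$adGroupName    = "$env:USERDOMAIN\adgroup"   # AD group from the question, domain-qualified

function Grant-LocalGroupRead {
    param([string]$Path, [string]$LocalGroup, [string]$DomainGroup)

    # Nest the AD group inside the local machine group (skip if it is already a member)
    $members = Get-LocalGroupMember -Group $LocalGroup | Select-Object -ExpandProperty Name
    if ($members -notcontains $DomainGroup) {
        Add-LocalGroupMember -Group $LocalGroup -Member $DomainGroup
    }

    # Grant Read to the local group, inherited by subfolders and files
    $identity = "$env:COMPUTERNAME\$LocalGroup"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, "Read", "ContainerInherit,ObjectInherit", "None", "Allow")
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FolderAccessSetup {
    param([string]$Path, [string]$LocalGroup)

    # 1. Does the folder ACL carry an Allow ACE for the local group?
    $ace = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$LocalGroup" -and $_.AccessControlType -eq "Allow" }

    # 2. Who is in the local group? Users should arrive via the AD group, not be listed directly.
    $localMembers = Get-LocalGroupMember -Group $LocalGroup | Select-Object Name, ObjectClass, PrincipalSource

    # 3. Is the local group present in the *current* token? Some token SIDs (logon SIDs) have no
    #    account name and fail to translate, so fall back to the raw SID string for those.
    $tokenGroups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        $sid = $_
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    $inToken = $tokenGroups -contains "$env:COMPUTERNAME\$LocalGroup"

    [pscustomobject]@{
        AceFound          = [bool]$ace
        AceRights         = ($ace | ForEach-Object FileSystemRights) -join ", "
        LocalGroupMembers = $localMembers
        LocalGroupInToken = $inToken
    }
}

# Run as an administrator:
Grant-LocalGroupRead -Path $folderPath -LocalGroup $localGroupName -DomainGroup $adGroupName

# Run as the test user after a fresh logon:
Test-FolderAccessSetup -Path $folderPath -LocalGroup $localGroupName | Format-List
```

If LocalGroupInToken comes back False while AceFound is True, the ACE is correct but the local group never made it into the user's token for that logon session, which is exactly the gap between "effective permissions" (computed from directory membership) and a real access check; whoami /groups in that same session should show the same thing.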
