- Microsoft Azure (Virtual Machines/Compute)
- Remote Desktop Connection
- Active Directory Domain Services
- Server Manager
- Windows Administrative Tools
- Active Directory Users and Computers
- Windows 10 (22H2)
- Log into the Client-1 (normal user) and DC-1 (jane_admin) VMs via Remote Desktop
- On the C:\ drive of DC-1, create "read-access", "write-access", "no-access", and "accounting" folders
- Give "Domain Users" group "Read" permission to the "read-access" folder
- Give "Domain Users" group "Read/Write" permission to the "write-access" folder
- Give "Domain Admins" group "Read/Write" permission to the "no-access" folder
- Go back to the Client-1 VM and create a .txt file in the "write-access" folder
- Go back to the DC-1 VM and create a .txt file in the "read-access" folder for other users to see
- Create a new organizational unit called "_SECURITY_GROUPS" in DC-1
- Create a new group in "_SECURITY_GROUPS" called "ACCOUNTANTS"
- Give the ACCOUNTANTS Security Group "Read/Write" permissions on the "accounting" folder
- Add the user in Client-1 to the ACCOUNTANTS Security Group
- Log in as the user in the ACCOUNTANTS group and observe that the permissions were applied successfully
Let's log into DC-1's VM as jane_admin.
Go to https://portal.azure.com/ and click Virtual machines.
Go back to virtual machines in your Azure portal and click DC-1.
Copy DC-1's public IP address.
Open Remote Desktop, paste DC-1's public IP address, and click "connect".
Type "jane_admin" and "Password1" in the username and password boxes respectively, and click "Ok".
Click "Yes".
Go back to your Azure virtual machines and click Client-1.
Copy Client-1's public IP address.
Open Remote Desktop, paste Client-1's public IP address, and click "connect".
We will connect to Client-1 VM as a random user from our domain.
First, go back to DC-1, click the Start Menu, expand "Windows Administrative Tools", and click "Active Directory Users and Computers".
In "Active Directory Users and Computers", expand "mydomain.com", then expand "_EMPLOEES". Double-click on any random user, click "Account", and copy that user's username as shown in the image above.
Go back to the Client-1 VM and click "More choices" > "Use a different account". Paste the random username in the username box, type "Password1" in the password box, then click "OK".
Click "Yes" at the prompt.
You should be connecting to the user's account, as shown in the image above.
On the C:\ drive of DC-1, we will create "read-access", "write-access", "no-access", and "accounting" folders.
Click the Start Menu, and then click File Explorer.
Click "This PC", and double-click "Windows (C:)".
On the C:\ drive, right-click on an empty space and click "New" > "Folder".
Name the folder "read-access". Do the same for "write-access", "no-access", and "accounting".
You should have the following folders shown in the image above.
Next, we will give the "Domain Users" group permission to access the newly created folders.
Right-click the "read-access" folder and click "Properties".
Click "Sharing" > "Share", type "domain users" in the box, click "Add", and click "Share". Domain Users now have "Read" permission to the "read-access" folder. Click "Done" > "Close".
Right-click the "write-access" folder and go to "Properties". Click "Sharing" > "Share", type "domain users" in the box, and click "Add". Select "Read/Write" for the permission level and click "Share".
Click "Done" > "Close".
Right-click the "no-access" folder and go to "Properties". Click "Sharing" > "Share", type "domain admins" in the box, and click "Add". Select "Read/Write" for the permission level and click "Share".
Click "Done" > "Close".
Go back to the Client-1 VM and open File Explorer. Navigate to the shared folders by typing "\\dc-1" on the search bar, as shown in the image above.
Double-click the "no-access" folder.
We got an error message because only Domain Admins have access to the folder.
Double-click the "read-access" folder and you will notice that we can access it.
Let's create a file in the "read-access" folder and see what happens.
Right-click on an empty space and click "New" > "Text Document".
We got an error message because we gave Domain Users only "Read" permission.
Navigate back and double-click the "write-access" folder.
Right-click on an empty space and click "New" > "Text Document".
Notice we can create a file. This is because we have "Read/Write" permission for the folder.
Name the txt file "hello", and type "hi" in your Notepad.
Save the txt file by clicking "File" > "Save".
Go back to DC-1 VM and double-click the "read-access" folder.
Right-click on an empty space and click "New" > "Text Document".
Name the txt file "You can only read me", and type "hello" in your Notepad. Then save the txt file.
Go back to Client-1 VM and double-click the "read-access" folder.
Double-click the new txt file we created in DC-1. Notice that we can read it but can't create any file in the folder.
This is how file permissions work.
Let's create a new organizational unit called "_SECURITY_GROUPS" in DC-1.
Open "Active Directory Users and Computers", right-click "mydomain.com" and click "New" > "Organizational Unit".
Type "_SECURITY_GROUPS" in the box and click "Ok".
As shown in the image above, we now have "_SECURITY_GROUPS" on our lists of OUs. Go ahead and double-click it.
Right-click on an empty space and click "New" > "Group".
Type "ACCOUNTANTS" and click "Ok".
Open File Explorer and click "Windows (C:)". Right-click the "accounting" folder and click "Properties".
Click "Sharing" > "Share", type "ACCOUNTANTS" in the box and click "Add". Select "Read/Write" for Permission Level and click "Share". Click "Done" > "Close".
Next, we will add the user (bibag.pidet) in Client-1 to the ACCOUNTANTS Security Group.
Double-click "ACCOUNTANTS" and click "Members" > "Add". Type the name of the user you signed into in Client-1 VM, and click "Check Names" > "Ok" > "Apply" > "Ok".
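The DC-1 configuration above can also be scripted, which makes the access model easier to review and repeat. The following PowerShell is an added example, not part of the original walkthrough: it assumes a fresh lab where the folders, shares, OU and group do not exist yet, an elevated session on DC-1, and a NetBIOS domain name of MYDOMAIN. The mapping of "Read" to share Read plus NTFS RX, and "Read/Write" to share Change plus NTFS Modify, is this example's choice.

```powershell
# Run in an elevated PowerShell session on DC-1 (assumption).
Import-Module ActiveDirectory

$domainDn = 'DC=mydomain,DC=com'   # from mydomain.com on the page
$netbios  = 'MYDOMAIN'             # assumption: NetBIOS name of the domain
$member   = 'bibag.pidet'          # the user picked on the page

# OU and security group (Global/Security are the defaults in the GUI).
New-ADOrganizationalUnit -Name '_SECURITY_GROUPS' -Path $domainDn
New-ADGroup -Name 'ACCOUNTANTS' -GroupScope Global -GroupCategory Security `
    -Path "OU=_SECURITY_GROUPS,$domainDn"
Add-ADGroupMember -Identity 'ACCOUNTANTS' -Members $member

# Folder -> group and access level, as assigned on the page.
$shares = @(
    @{ Name = 'read-access';  Group = 'Domain Users';  Level = 'Read'  }
    @{ Name = 'write-access'; Group = 'Domain Users';  Level = 'Write' }
    @{ Name = 'no-access';    Group = 'Domain Admins'; Level = 'Write' }
    @{ Name = 'accounting';   Group = 'ACCOUNTANTS';   Level = 'Write' }
)

foreach ($s in $shares) {
    $path      = Join-Path 'C:\' $s.Name
    $principal = "$netbios\$($s.Group)"
    New-Item -Path $path -ItemType Directory -Force | Out-Null

    if ($s.Level -eq 'Read') {
        New-SmbShare -Name $s.Name -Path $path -ReadAccess $principal | Out-Null
        $ntfs = 'RX'
    } else {
        New-SmbShare -Name $s.Name -Path $path -ChangeAccess $principal | Out-Null
        $ntfs = 'M'
    }
    # Share permissions alone are not enough: NTFS must allow the access too.
    icacls $path /grant "${principal}:(OI)(CI)$ntfs" | Out-Null
}

# Review both layers; effective access is the more restrictive of the two.
foreach ($s in $shares) {
    Get-SmbShareAccess -Name $s.Name | Format-Table Name, AccountName, AccessRight
    (Get-Acl (Join-Path 'C:\' $s.Name)).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

Folders created directly under C:\ also inherit NTFS entries from the drive root, so check the `IsInherited` rows in the output before relying on the share permission alone to keep users out.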
Minimize DC-1 VM.
Log out of the Client-1 VM. The new permissions will only apply to the user after we log out and log back in, because group memberships are added to the user's access token at logon.
Open Command Prompt and run the command "logoff".
Log back into Client-1 VM with the user you picked via Remote Desktop.
Type "run" in the search box and click "Open".
Type "\\dc-1" and click "Ok".
Double-click the "accounting" folder. Notice we can access the folder.
The permissions were successfully applied.
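To confirm the result without clicking through each folder, the check can be run from PowerShell on Client-1. This is an added example, not part of the original walkthrough: it lists whether ACCOUNTANTS is in the current logon token and probes each share on dc-1 for read and write access; the function name `Test-ShareAccess` and the probe file name are made up for this example.

```powershell
# Run on Client-1 as the domain user, after logging off and back on.
$server = 'dc-1'
$shares = 'read-access', 'write-access', 'no-access', 'accounting'

# Group SIDs are placed in the access token at logon; list them by name.
$token  = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $token.Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $_.Value }
}
"User: $($token.Name)"
"ACCOUNTANTS in token: $([bool]($groups -match '\\ACCOUNTANTS$'))"

function Test-ShareAccess {
    param([string]$UncPath)
    # Read probe: enumerate the folder.
    try { Get-ChildItem -LiteralPath $UncPath -ErrorAction Stop | Out-Null }
    catch { return 'None' }
    # Write probe: create and delete a uniquely named temp file.
    $probe = Join-Path $UncPath ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        return 'Read/Write'
    } catch { return 'Read' }
}

foreach ($name in $shares) {
    [pscustomobject]@{
        Share  = "\\$server\$name"
        Access = Test-ShareAccess "\\$server\$name"
    }
}
```

With the permissions set on this page, the expected result is Read for "read-access", Read/Write for "write-access" and "accounting", and None for "no-access". If ACCOUNTANTS is missing from the token, the user has not logged off and back on since being added to the group.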