I want to create some network drives in this AD domain:
test.local
├── Classes
│   ├── 3A [students...]
│   ├── 3B [students...]
│   ├── ...
│   └── 6D [students...]
└── Teachers
    └── [Teachers...]
student1, in class 3A for example, should have access to the current SMB shares:
- 3A_data: (RO for the student, RW for teachers)
- 3A_work: (RW for everyone)
Moreover, some students are part of some groups. For example, there might exist a 3CHINESE group, containing all the students learning Chinese. These users must have access to 3CHINESE_data and 3CHINESE_work too.
Every user also has a personal share for his own files.
I use a quite large PowerShell script to create all this structure, creating accounts, populating every OU, creating shares and rights using AGLP, but I haven’t found an elegant solution to create all these drives.
I tried GPO but there’s a bunch of drives to create inside the GPO and it seems only possible to create them by hand.
I’m currently trying with DFS and name based enumeration but I’m not sure it’s the right way to do this, and I’m quite new to Active Directory.
Does my DFS solution seem the right way to do this? How can I use it to set up all my network drives? Is there a better solution than network drives?
1
You may use Group Policy Management and add the required drives to User Configuration – Preferences – Windows Settings – Drive Maps.
You could either
- Set different settings as mapped drives in different GPOs and apply them to the related OU (Organizational Unit). This method requires that the necessary placements were done beforehand, such as Country1OU containing the students from Country1, and you apply Country1GPO to this OU, which maps drives for directories under the Country1Shares folder.
OR
- Again, create different GPOs for each country, but instead of moving students to OUs, apply the policies at the very top of the OU structure or even as a domain policy. For this case you should use security filtering, such that the Country2GPO permissions give read and apply access only to Country2Group, which contains the students from Country2. As implied above, this method requires creating AD groups for each country. Only Country2Group members can apply Country2GPO and map drives for Country2Shares.
On the file shares, to apply quotas groups, file screening policies (for example, an audio file cannot be put onto the share even if it has been renamed as .pptx), reporting, etc., you can use File Server Resource Manager (FSRM).
For file / folder NTFS permission stability on the file shares, you can use GPO Settings under Computer Configuration – Policies – Security Settings – Filesystem to preserve the permissions.
2
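The second option in the answer above (one GPO per group, linked high in the tree and restricted by security filtering) can be scripted with the GroupPolicy module. This is an added example, not code from the question or the answer: the group names `GG_<name>`, the GPO names `Drives_<name>` and the list of classes are assumptions, and the Drive Maps item itself still has to be added inside each GPO.

```powershell
# Added example: one security-filtered GPO per class or option group.
# Assumed names (not from the page): AD groups "GG_<name>", GPOs "Drives_<name>".
Import-Module GroupPolicy

$LinkTarget = 'DC=test,DC=local'        # domain root of test.local, as in option 2
$Names      = '3A', '3B', '3CHINESE'    # constructed sample list

foreach ($name in $Names) {
    $gpoName   = "Drives_$name"
    $groupName = "GG_$name"

    # Create the GPO only if it is missing, so the script can be re-run safely.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "Drive maps for $name"
    }

    # Security filtering: only members of the class group may apply the GPO.
    Set-GPPermission -Name $gpoName -TargetName $groupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Downgrade Authenticated Users from "apply" to "read" instead of removing it.
    # Since MS16-072 user policy is fetched in the computer's security context,
    # so a GPO that computers cannot read is silently skipped.
    # -Replace is required: without it a higher existing level is left untouched.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Link the GPO at the domain root unless it is already linked there.
    $linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }
}
```

Security filtering only decides who receives the drive letter; the RO/RW split from the question still has to be enforced by the share and NTFS permissions on the file server.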