Network Folders with NTFS Permissions
- If you need to use Network Folders and preserve NTFS permissions, it is strongly recommended to run FileCloud on Windows Servers instead of Linux.
- If you need to use NTFS permissions, please make sure the user accounts are authenticated with Active Directory. Users with default authentication can't leverage NTFS permissions due to security issues.
- If you are running FileCloud on Linux and want to preserve NTFS permissions, a Windows Server running the FileCloud Helper Service is required (see more information).
- Starting with FileCloud 15.0, it is recommended to install and use Memcache to improve performance when using Network Folders with NTFS permissions.
Many organizations have Windows-based Network Folders that are shared with employees. The permissions on these Network Folders are managed using NTFS rights set up for various users and groups (usually from Active Directory). FileCloud can use the same NTFS permissions on the Network Folders for user authorization and access to these resources.
To set up a Network Folder with NTFS permissions:
- Step 1: Set the permissions type to "NTFS".
- Step 2: Click on Manage Users or Manage Groups and add users to the share as needed. For example, you might want to give the EVERYONE group access to the Network Folder. In this case, even if the user has been given access to the share, they will only be able to view the share if they have NTFS permissions enabled.
- Step 3: If you are running FileCloud on Linux, you might also need to install and configure the FileCloud Helper Service.
Additional Information and Troubleshooting
- When a user's membership in an AD group is modified, that change is not propagated immediately and is cached by Windows. As a result, if you change a user's group membership, it might not be picked up by the NTFS helper immediately. It might take some time, ranging from 10 minutes to several hours, before the change is picked up. If you need the changes to be picked up immediately, you can restart the helper service.
- Make sure that you don't have a local machine account with the same name as the domain user account. This will cause problems.
- If you get authzinitializecontextfromsid errors, make sure the account running the Helper service has full permissions to look up user accounts. Also make sure the user account name is not the same as the computer name; use a different name.
FileCloud evaluates special permissions as well as standard permissions on Network Folders.
NTFS special permissions
When sharing a network folder with special permissions, ensure that the options below are enabled. With these options enabled, the user is still limited to the folders or sub-folders the administrator allows; however, FileCloud gains the ability to read and display the needed information for that specific user.
NTFS permissions include both standard and special permissions. Standard permissions on a folder are Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Standard file permissions are the same, with the exception of List Folder Contents. Special permissions are considerably more granular.
For more information, see the Microsoft documentation (https://technet.microsoft.com/en-us/library/2006.01.howitworksntfs.aspx).
NTFS Network Folders with Access Based Enumeration
When using Network Folders with NTFS permissions, it is possible to automatically hide folders that users don't have access to by enabling the Access Based Enumeration (ABE) setting.
To enable ABE, go to Admin Portal->Settings->Storage->Network Storage tab and enable the "Enable Access Based Enumeration for NTFS" checkbox. This will enable ABE globally.
To disable or enable ABE only for specific network folders, open the Network Folder Properties dialog for that folder: go to Admin Portal->Network Folders and click on "Edit" for a network folder.
Select "Global Policy" to use the global setting, or use the "NO" or "YES" options to disable or enable ABE only for this network share.
NTFS permission checks read the tokenGroupsGlobalAndUniversal attribute of the SID specified in the call to determine the current user's group memberships. To simplify granting accounts permission to query a user's group information, add accounts that need the ability to look up group information to the Windows Authorization Access Group. Please make sure to add the Windows Authorization Access Group to the FileCloud Account Group that you have created.
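The following diagnostic is an added example, not part of FileCloud or its documentation. Run in a session started as the Helper service account, it checks the group-lookup prerequisite described above and the name collisions listed under troubleshooting. It assumes Windows PowerShell 5.1 with the ActiveDirectory module, that the Helper service runs as an ordinary domain user account, and the placeholder names svc-filecloud and jdoe.

```powershell
# Added diagnostic sketch. Run it in a session started AS the helper service account.
param(
    [string]$HelperAccount = 'svc-filecloud',  # placeholder: account running the Helper service
    [string]$TestUser      = 'jdoe'            # placeholder: AD user who opens the Network Folder
)
Import-Module ActiveDirectory

# 1. Is the helper account in the Windows Authorization Access Group?
#    S-1-5-32-560 is the well-known SID of that builtin group; the
#    1.2.840.113556.1.4.1941 matching rule also follows nested membership.
$waag   = Get-ADGroup -Identity 'S-1-5-32-560'
$filter = "(&(sAMAccountName=$HelperAccount)(memberOf:1.2.840.113556.1.4.1941:=$($waag.DistinguishedName)))"
$inWaag = [bool](Get-ADUser -LDAPFilter $filter)

# 2. Can this session read tokenGroupsGlobalAndUniversal for the test user?
#    The attribute is constructed, so it must be requested explicitly on the user object.
$userDn    = (Get-ADUser -Identity $TestUser).DistinguishedName
$groupSids = @()
$readError = $null
try {
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$userDn")
    $entry.psbase.RefreshCache([string[]]@('tokenGroupsGlobalAndUniversal'))
    foreach ($bytes in $entry.psbase.Properties['tokenGroupsGlobalAndUniversal']) {
        $groupSids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
} catch {
    $readError = $_.Exception.Message
}

# 3. Name collisions called out in the troubleshooting list.
$names = @($HelperAccount, $TestUser)
$matchesComputer = @($names | Where-Object { $_ -ieq $env:COMPUTERNAME })
$matchesLocal    = @($names | Where-Object { Get-LocalUser -Name $_ -ErrorAction SilentlyContinue })

[pscustomobject]@{
    HelperInAuthzAccessGroup = $inWaag
    GroupSidsReadable        = ($null -eq $readError -and $groupSids.Count -gt 0)
    GroupSidCount            = $groupSids.Count
    ReadError                = $readError
    SameAsComputerName       = $matchesComputer -join ', '
    SameAsLocalAccount       = $matchesLocal -join ', '
}
```

A false HelperInAuthzAccessGroup together with a populated ReadError points at the group-lookup permission; non-empty SameAs fields point at the account-name collisions.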
Improving performance of NTFS Network Folders
In general, extracting NTFS permissions for folders and files adds processing latency. To improve performance, you can enable caching of NTFS permissions.
This speeds up lookup of NTFS permissions by caching them in the memcache server once they have been accessed. For this caching to work, the memcache server needs to be installed and running. Note that by default, once permissions are cached, they are stored until memcache is restarted. So if you are changing any NTFS permissions and want FileCloud to pick up the new permissions, make sure to restart the memcache service.