This topic describes how to use Windows access-based enumeration to hide or show folders on CSG shares based on user permissions.
- You have created an SMB share and enabled Windows access-based enumeration. For more information, see Enable Windows access-based enumeration.
- You have created a Windows-based ECS instance to serve as the client. The ECS instance and CSG instance are deployed in the same VPC network. For more information, see Create an ECS instance.
- You have created the following domain users on the domain controller: Administrator, user1, and user2.
In a Windows file system, files and folders are visible to users by default, even if the users have no permissions on the files and folders. After Windows access-based enumeration is enabled on a CSG instance, shares mounted to a client show files and folders based on the user permissions.
This example uses an ECS instance that runs the Windows Server 2012 R2 Datacenter operating system.
Add user permissions
- Log on to the CSG console.
- Select the region where the target file gateway is deployed. On the Gateway Clusters page, find and click the target file gateway.
- In the left-side navigation pane, click Share. Find the target share and click Set in the Actions column.
- In the SMB Share Setting dialog box that appears, add Administrator, user1, and user2 to the Read/Write Users list.
- Click OK.
Mount the share and set folder permissions.
- Log on to the ECS instance that runs a Windows operating system.
- Open the This PC window and select Map network drive.
- Select a driver, enter the mount point of the gateway in the Folder field, and then click OK.
To query the mount point, find the target gateway in the Cloud Storage Gateway console and navigate to the Share page.
- In the Windows Security dialog box, enter the username Administrator and the password, and click OK.
When you enter the username, add the AD domain name before the username. Format: <AD domain name>\Administrator.
- Open the mounted share and create two new folders: user1 and user2.
- Right-click the user1 folder and select Properties. In the dialog box that appears, click the Security tab.
- Perform the following steps to set the permissions of user1. Allow only Administrator and user1 to manage the file.
- Click Advanced. On the Permissions tab, click Disable inheritance. Remove the permissions of Everyone and Domain Users. Click Apply and then click OK.
- Click Edit. In the Permissions dialog box that appears, click Add, enter user1, and then click Check Names.
- In the Windows Security dialog box, enter user1 and the password, and then click OK.
When you enter a username, add the AD domain name before the username. Format: <AD domain name>\user1.
- Follow step 7 to set the permissions of user2. Allow only Administrator and user2 to manage the file.
Verify the functions of Windows access-based enumeration
- Open This PC and right-click the mounted share. Click Disconnect.
- Refresh the system and follow steps 2 and 3 described in Mount the share and set folder permissions. to mount a share.
- Use user1, user2, and Administrator to connect to and access the mounted share.
- Only the user1 folder is visible to user1.
- Only the user2 folder is visible to user2.
- Both the user1 and user2 folders are visible to Administrator.
The results show that you can use Windows access-based enumeration to hide or show folders on mounted shares based on user permissions.