This topic describes how to use an Active Directory (AD) account to mount a Server Message Block (SMB) file system on a Windows client. This topic also describes how to use an AD account to view and edit the access control lists (ACLs) of files and directories in the SMB file system.
Prerequisites
The mount target of the SMB file system is joined to an AD domain. For more information, see Add the mount target of an SMB file system to an AD domain.
Background information
Before you join the mount target of an SMB file system to an AD domain, you can mount and use the SMB file system only as an anonymous user. After you join the mount target of the SMB file system to the AD domain, you can specify whether to allow anonymous access to the file system.
- If anonymous access is still allowed, you can use an AD account to access the SMB file system based on Kerberos authentication. You can also use an Everyone account to access the SMB file system based on NT LAN Manager (NTLM) authentication.
- If anonymous access is no longer allowed, you must use an AD account to mount the SMB file system based on Kerberos authentication.
Method 1: Join a Windows client to an AD domain and mount an SMB file system on the Windows client
The following steps describe how to join a Windows client to an AD domain and mount an SMB file system on the Windows client. In this example, Windows Server 2012 is used.
Method 2: Connect a Windows client to an AD server and mount an SMB file system on the Windows client
The following steps describe how to configure a DNS server for a Windows client, connect the client to an AD server, and mount an SMB file system on the client. In this example, Windows Server 2012 is used.
Manage the ACL of the SMB file system
After you enable the ACL feature and mount the SMB file system as a user of the AD domain, you can view and edit the ACLs of files and directories by using the following methods:
- Run the mklink command to mount an SMB file system.
You can run the mklink command to create a symbolic link on a local disk of a Windows client. You can also view and edit the ACLs of files and directories.
- Use Command Prompt to create a symbolic link for the file system.
mklink /D c:\myshare \\nas-mount-target.nas.aliyuncs.com\myshare
In the preceding command, c:\myshare is the local path of the symbolic link and \\nas-mount-target.nas.aliyuncs.com\myshare is the mount target of the SMB file system to which the link points.
- Grant common users the permission to use symbolic links.
If you use the Administrator account, skip this step.
- Search for and run secpol.msc as a system administrator.
- In the Local Security Policy window, choose . Add the specified user to the Create Symbolic Links permission group as prompted.
- Log on to the Windows client again as a common user.
- Access the SMB file system and view the ACLs of files and directories.
After a symbolic link is created, you can access the SMB file system the same way you access a subdirectory of a local disk in Windows. You can also view and edit the ACLs of files and directories.
- Use Windows File Explorer to view and edit the ACLs of files and directories.
After you create a symbolic link for the mount target of the SMB file system on a local disk of the Windows client, you can view and edit the ACLs of files and directories by using the Windows File Explorer.
- Right-click the file or directory, and then click Properties.
- In the Properties dialog box, click the Security tab, and then click Edit.
- In the Permissions dialog box, click Add User or Group and enter the information as prompted.
If you need to go back to the previous directory, click the Back icon (1 in the figure) or the Up icon (2 in the figure). Do not click a section of a path in the path bar (3 in the figure).
If you use File Explorer to access the SMB file system over a network path, for example, \\nas-mount-point.nas.aliyuncs.com\myshare instead of C:\myshare, an error occurs when you configure an ACL, because the client cannot determine whether the mount target is joined to the AD domain. The error reports that the Remote Procedure Call (RPC) server is unavailable.
Notice If you use File Explorer to modify the permissions on c:\myshare, the new permissions are not applied to the root directory of the file system. To modify the permissions on the root directory, run the Set-Acl cmdlet in PowerShell or the icacls command in Command Prompt.
- PowerShell commands
You can run the Get-Acl and Set-Acl cmdlets in PowerShell to view and edit the ACLs of files and directories in the SMB file system.
- Get-Acl
$value = Get-Acl -Path "Z:"
# View the current access rules
$value.Access
# Set properties
$identity = "Administrator"
$fileSystemRights = "FullControl"
$type = "Allow"
# Create new rule
$fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
$fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
# Apply new rule to the in-memory ACL object; Set-Acl writes it back to the file system
$value.SetAccessRule($fileSystemAccessRule)
$value.Access
- Set-Acl
To modify the permissions with Set-Acl, use the mapped drive path instead of the symbolic link created by mklink (c:\myshare). This also allows you to modify the permissions of the root directory.
Set-Acl -Path "Z:" -AclObject $value
Notice We recommend that you configure the permissions on the root directory immediately after the file system is created. Otherwise, you must also modify the existing subdirectories and files when you run the command, because permissions are inherited from the root directory by the subdirectories.
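The following script is an added example, not part of the original page, that puts the Get-Acl and Set-Acl steps together: it refuses to run against the mklink symbolic link, grants an AD user an inheritable right on the root of the mapped drive, and then verifies the rule on the root and on a child directory. The drive letter Z:, the domain EXAMPLE and the user EXAMPLE\nasuser are assumed placeholders.

```powershell
# Added example (not from the original page): grant an AD user rights on the
# root of a mounted SMB file system and make the rule inherit to children.
# Assumptions: the file system is mapped to drive Z:, and EXAMPLE\nasuser is a
# placeholder AD account (neither value comes from the page).
param(
    [string]$Path     = 'Z:\',
    [string]$Identity = 'EXAMPLE\nasuser',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
)

# Use the real mount path, not the mklink symbolic link: changes made through
# the link are not applied to the root directory of the file system.
$item = Get-Item -LiteralPath $Path
if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
    throw "'$Path' is a symbolic link; use the mapped drive or UNC path instead."
}

$acl = Get-Acl -LiteralPath $Path

# ContainerInherit + ObjectInherit: subdirectories and files created later
# inherit the rule, so it only needs to be set once on the root.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity,
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.SetAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: the rule as stored on the root (IsInherited = False) ...
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize

# ... and on an existing child directory, where it should appear with
# IsInherited = True once the server has propagated it.
Get-ChildItem -LiteralPath $Path -Directory | Select-Object -First 1 | ForEach-Object {
    (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

If the child directory shows no inherited entry, the existing subdirectories must be updated separately, as the notice above describes.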
- icacls command
You can run the icacls command in Command Prompt to view and edit the ACLs of files and directories.
Example:
icacls z:
rem Grant full control permissions to a user.
icacls z: /grant <username>:(F)
rem Grant full control permissions to the administrator.
icacls z: /grant administrator:(F)
icacls z:
rem Revoke all permissions from a user.
icacls z: /remove <username>
rem Repeat the command for each user whose permissions you want to revoke.
icacls z: /remove <username>
icacls z: