File Storage NAS: Mount and use an SMB file system on a Windows client as an AD domain user

Last Updated: Jun 16, 2026

This topic describes how to mount a Server Message Block (SMB) file system on a Windows client by using an Active Directory (AD) domain account. This topic also describes how to view and configure the access control lists (ACLs) of files and directories in the SMB file system by using an AD domain account.

Prerequisites

The mount target of an SMB file system is joined to an AD domain. For more information, see Add the mount target of an SMB file system to an AD domain.

Background information

Until the mount target of an SMB file system is joined to an AD domain, the file system can be mounted and used only as an anonymous user. After the mount target is joined, you can choose whether anonymous access remains allowed.

  • If anonymous access is still allowed, an AD domain account is authenticated with Kerberos, and any account that belongs to the Everyone group can also connect by using New Technology LAN Manager (NTLM) authentication. An NTLM session is not tied to a domain identity, so the ACLs on the file system are what limit it.

  • If anonymous access is no longer allowed, the SMB file system can be mounted only from a Windows client that authenticates with an AD domain account by using Kerberos; anonymous and NTLM sessions are no longer accepted.

Method 1: Join a Windows client to an AD domain and then mount an SMB file system on the Windows client

The following steps describe how to join a Windows client to an AD domain and mount an SMB file system on the Windows client. In this example, Windows Server 2012 is used.

  1. Configure the IP address of the DNS server for the Windows client.

    1. Log on to the Windows client.

    2. From the desktop, click Start in the lower-left corner.

    3. In the Start menu, click Control Panel.

    4. In the Control Panel window, select Network and Sharing Center.

    5. In the Network and Sharing Center window, in the View your active networks section, click Ethernet.

    6. In the Ethernet Properties dialog box, click Properties.

    7. In the Ethernet Properties dialog box, under This connection uses the following items:, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

    8. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following DNS server addresses and set the DNS server address to the IP address of your AD domain server.

    9. In Command Prompt, ping the AD domain name to confirm that the client resolves it through the DNS server you configured and can reach a domain controller. If the name does not resolve, correct the DNS server address before you continue; a reply that times out while the name resolves usually means ICMP is filtered, not that DNS is wrong.

      C:\Users\Administrator>ping TESTCD-WIN16.com
      
      Pinging TESTCD-WIN16.com [xxx.xxx.xxx.xxx] with 32 bytes of data:
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      
      Ping statistics for xxx.xxx.xxx.xxx:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 0ms, Maximum = 0ms, Average = 0ms
      
      C:\Users\Administrator>
  2. Join the Windows client to the AD domain.

    1. In the Control Panel window, select System.

    2. In the System window, in the Computer name, domain, and workgroup settings section, click Change settings.

    3. In the System Properties dialog box, click Change.

    4. In the Computer Name/Domain Changes dialog box, select Domain, enter your AD domain name, and then click OK.

    5. Restart the Windows client for the modified settings to take effect.

  3. Mount an SMB file system on the Windows client.

    Log on to the Windows client as an AD domain user and run the following command in Command Prompt. No user name or password is given: the share is mounted with the Kerberos credentials of the logon session. Use the DNS name of the mount target, as shown, rather than its IP address; the Kerberos service ticket is issued for cifs/<mount target name>, and by default a mount by IP address falls back to NTLM.

    net use z: \\nas-mount-target.nas.aliyuncs.com\myshare

    To confirm that Kerberos was used, run klist afterwards and check that a ticket whose server is cifs/nas-mount-target.nas.aliyuncs.com is listed.

Method 2: Connect a Windows client to an AD server and mount an SMB file system on the Windows client

The following steps describe how to configure a DNS server for a Windows client that is not joined to the AD domain, connect the client to the AD server, and mount an SMB file system on the client with an explicit domain credential. The DNS step is still required: the client must be able to locate a domain controller to have the credential authenticated with Kerberos. In this example, Windows Server 2012 is used.

  1. Configure the IP address of the DNS server for the Windows client.

    1. Log on to the Windows client.

    2. From the desktop, click Start in the lower-left corner.

    3. In the Start menu, click Control Panel.

    4. In the Control Panel window, select Network and Sharing Center.

    5. In the Network and Sharing Center window, in the View your active networks section, click Ethernet.

    6. In the Ethernet Properties dialog box, click Properties.

    7. In the Ethernet Properties dialog box, under This connection uses the following items:, select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

    8. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, select Use the following DNS server addresses and set the DNS server address to the IP address of your AD domain server.

    9. In Command Prompt, ping the AD domain name to confirm that the client resolves it through the DNS server you configured and can reach a domain controller. If the name does not resolve, correct the DNS server address before you continue.

      C:\Users\Administrator>ping TESTCD-WIN16.com
      
      Pinging TESTCD-WIN16.com [xxx.xxx.xxx.xxx] with 32 bytes of data:
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      Reply from xxx.xxx.xxx.xxx: bytes=32 time<1ms TTL=128
      
      Ping statistics for xxx.xxx.xxx.xxx:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 0ms, Maximum = 0ms, Average = 0ms
      
      C:\Users\Administrator>
  2. Mount an SMB file system on the Windows client.

    Run the following command in Command Prompt on the Windows client to mount the SMB file system as an AD domain user:

    net use z: \\nas-mount-target.nas.aliyuncs.com\myshare /user:EXAMPLE.com\USERNAME PASSWORD

    In this command, replace EXAMPLE.com with your AD domain name, USERNAME with your domain user name, and PASSWORD with the user's password. Replace PASSWORD with * to have net use prompt for the password instead; this keeps it out of the command history and the process command line, which is preferable on a shared or scripted client. Use the DNS name of the mount target rather than its IP address so that Kerberos can be used.
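As an added example that is not part of this topic or of Alibaba Cloud's tooling, the following PowerShell script carries out the client-side steps of both methods above and inserts the checks that the ping in step 1 cannot give: that a domain controller is discoverable through the configured DNS server, that the mount target answers on the SMB port, and, after the mount, that the session actually holds a Kerberos ticket rather than having fallen back to NTLM. The domain EXAMPLE.com, the DNS server 192.0.2.10, the mount target nas-mount-target.nas.aliyuncs.com, the share myshare and the drive letter Z are assumed placeholders; replace them with your own. Run it with -JoinDomain for Method 1 (it joins and restarts; log on as a domain user and rerun it without the switch to mount), or without the switch on a workgroup client for Method 2.

```powershell
# Added example, not from the Alibaba Cloud topic. All names are placeholders.
param(
    [string]$Domain      = 'EXAMPLE.com',                        # assumed AD domain
    [string]$DnsServer   = '192.0.2.10',                         # assumed AD DNS server / DC
    [string]$MountTarget = 'nas-mount-target.nas.aliyuncs.com',  # assumed mount target
    [string]$Share       = 'myshare',                            # assumed share name
    [string]$Drive       = 'Z',
    [switch]$JoinDomain                                          # Method 1: join, restart, rerun without it
)
$ErrorActionPreference = 'Stop'

function Test-TcpPort([string]$ComputerName, [int]$Port) {
    # Plain TCP connect test; Test-NetConnection is not available on Windows Server 2012.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

# 1. Point the active physical adapter at the AD DNS server (page step 1).
$adapter = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServer

# 2. Locate a KDC. A ping of the domain name only proves that an A record resolves;
#    Kerberos needs the SRV records that a domain controller registers in DNS.
$srv = Resolve-DnsName -Type SRV -Name "_kerberos._tcp.dc._msdcs.$Domain" |
       Where-Object { $_.QueryType -eq 'SRV' }
if (-not $srv) { throw "No Kerberos SRV record for $Domain; check the DNS server address." }
$kdc = $srv[0].NameTarget
if (-not (Test-TcpPort $kdc 88)) { throw "KDC $kdc is not reachable on TCP 88 (Kerberos)." }
nltest "/dsgetdc:$Domain" | Out-Null           # the Windows DC locator must succeed as well
if ($LASTEXITCODE -ne 0) { throw "nltest could not locate a domain controller for $Domain." }

# 3. The share must be reached by name: the service ticket is for cifs/<name>, so a
#    mount by IP address cannot use Kerberos and would negotiate NTLM instead.
if (-not (Test-TcpPort $MountTarget 445)) { throw "$MountTarget is not reachable on TCP 445 (SMB)." }

if ($JoinDomain) {
    # Method 1: join and restart. Log on as a domain user afterwards and rerun without -JoinDomain.
    $joinCred = Get-Credential -Message "Account permitted to join computers to $Domain"
    Add-Computer -DomainName $Domain -Credential $joinCred -Restart
    return
}

# 4. Mount. A domain-joined client (Method 1) uses the logon session's ticket-granting
#    ticket; a workgroup client (Method 2) is prompted for a domain credential, so the
#    password never appears on a command line or in shell history.
$unc = "\\$MountTarget\$Share"
$partOfDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
if ($partOfDomain) {
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $unc -Persist -Scope Global | Out-Null
} else {
    $cred = Get-Credential -Message "Domain account, as $Domain\username"
    New-PSDrive -Name $Drive -PSProvider FileSystem -Root $unc -Persist -Scope Global -Credential $cred | Out-Null
}

# 5. Confirm the authentication mechanism. klist lists the cached Kerberos service
#    tickets; an SMB session that fell back to NTLM leaves no cifs/ ticket behind.
$ticket = klist | Select-String -SimpleMatch "cifs/$MountTarget"
if ($ticket) {
    Write-Host "Mounted ${Drive}: from $unc with Kerberos: $($ticket.Line.Trim())"
} else {
    Write-Warning ("Mounted ${Drive}: but no Kerberos ticket for cifs/$MountTarget is cached; " +
                   "the session probably used NTLM, which works only while anonymous access is still allowed.")
}
```

The script uses only cmdlets that ship with Windows Server 2012 (NetAdapter, DnsClient and New-PSDrive -Persist from PowerShell 3.0) plus nltest and klist, so it runs on the client the page describes. The warning at the end is the check worth keeping in any mount script: once you disable anonymous access on the mount target, an NTLM fallback stops working silently, and a missing cifs/ ticket is the earliest sign of it.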

Manage the ACLs of the SMB file system

After you enable the ACL feature and mount the SMB file system as an AD domain user, you can view and edit the ACLs of files and directories by using the following methods:

Run the mklink command to link the SMB file system to a local path

You can run the mklink command to create a symbolic link on a local disk of the Windows client that points to the mount target of the SMB file system. Through that link, File Explorer treats the share as a local directory, which lets you view and edit the ACLs of its files and directories.

  1. Open Command Prompt as an administrator and create the symbolic link for the file system:

    mklink /D c:\myshare \\nas-mount-target.nas.aliyuncs.com\myshare

    In this command, c:\myshare is the local path for the symbolic link, and \\nas-mount-target.nas.aliyuncs.com\myshare is the path to your SMB file system's mount target.

  2. Grant common users the permissions to use symbolic links.

    If you use the Administrator account, skip this step.

    1. As an administrator, search for and run secpol.msc.

    2. In the Local Security Policy window, navigate to Local Policies > User Rights Assignment. Double-click the Create symbolic links policy. In the properties dialog box that appears, click Add User or Group to add the user.

    3. Log on to the Windows client again as a common user.

  3. Access the SMB file system and view the ACLs of files and directories.

    After a symbolic link is created, you can access the SMB file system the same way you access a subdirectory of a local disk in Windows. You can also view and edit the ACLs of files and directories.

Use the Windows File Explorer to view and edit the ACLs of files and directories

After you create a symbolic link for the mount target of the SMB file system on a local disk of the Windows client, you can view and edit the ACLs of files and directories by using the Windows File Explorer.

  1. Find the target file or directory, right-click it, and select Properties.

  2. In the Properties dialog box, go to the Security tab and click Edit.

  3. In the Permissions dialog box, click Add. In the Select Users, Computers, Service Accounts, or Groups dialog box, confirm that the From this location field is set to your AD domain. In the Enter the object names to select box, enter the target username and click OK.

When you navigate the SMB file system in File Explorer, use the Back or Up arrow buttons to navigate the directory tree. Do not use the address bar's breadcrumb trail to navigate to parent folders.

The mount target of the SMB file system is not a Windows computer in your AD domain, so it does not answer the RPC calls that the Security tab makes to the file server when a share is opened by its network path. If you open the share by using its network path (for example, \\nas-mount-target.nas.aliyuncs.com\myshare) instead of the local symbolic link path (for example, C:\myshare), you may therefore see the error "The RPC server is unavailable" when you try to set ACLs. Through the symbolic link, the client treats the path as local and resolves account names itself against your AD domain.

Important

Modifying permissions on C:\myshare using File Explorer does not apply changes to the root directory of the file system. To modify permissions for the root directory, you must use the Set-Acl PowerShell cmdlet or the icacls command-line tool.

PowerShell commands

You can use the Get-Acl and Set-Acl cmdlets in PowerShell to view and edit ACLs for files and directories.

  • Get-Acl

    Read the ACL of the root directory of the mounted drive into a variable and list its access rules:

    $value = Get-Acl -Path "Z:"
    # List the access rules
    $value.Access

    Example output. The default ACL grants Everyone full control of the root directory; that entry has no inheritance flags, while the CREATOR OWNER, SYSTEM, and BUILTIN\Administrators entries are inherited by subdirectories and files.

    PS C:\Users\testmonkey> $value

        Directory:

    Path  Owner     Access
    Z:\   Everyone  Everyone Allow  FullControl...

    PS C:\Users\testmonkey> $value.Access

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : Everyone
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : CREATOR OWNER
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : None

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : None

    Add an access rule to the ACL object. The rule below is built from identity, rights, and type only, so its inheritance flags are None: it applies to the root directory itself and is not inherited by subdirectories or files. Nothing on the file system changes until the object is written back with Set-Acl.

    # Rule properties
    $identity = "Administrator"
    $fileSystemRights = "FullControl"
    $type = "Allow"
    # Create a new rule
    $fileSystemAccessRuleArgumentList = $identity, $fileSystemRights, $type
    $fileSystemAccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fileSystemAccessRuleArgumentList
    # Add the rule to the in-memory ACL object
    $value.SetAccessRule($fileSystemAccessRule)
    $value.Access

    The listing now also contains an entry for DOMAIN\Administrator (the name is resolved against your AD domain):

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : Everyone
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : CREATOR OWNER
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : InheritOnly

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : NT AUTHORITY\SYSTEM
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : None

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : BUILTIN\Administrators
    IsInherited       : False
    InheritanceFlags  : ContainerInherit, ObjectInherit
    PropagationFlags  : None

    FileSystemRights  : FullControl
    AccessControlType : Allow
    IdentityReference : DOMAIN\Administrator
    IsInherited       : False
    InheritanceFlags  : None
    PropagationFlags  : None
  • Set-Acl

    The Set-Acl cmdlet does not require the mklink c:\myshare symbolic link. It writes an ACL object back to a path on the mounted drive, including the root directory, which File Explorer cannot change through the symbolic link:

    Set-Acl -Path "Z:" -AclObject $value

    Important

    Set the permissions of the root directory immediately after the file system is created, before any files or subdirectories exist. Subdirectories and files inherit their permissions from the root directory when they are created; items that already exist when you change the root ACL are not updated, so you would then have to apply the change to each existing subdirectory and file as well.
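The Get-Acl output above shows the state a practitioner most wants to change once domain accounts are in use: Everyone holds Full Control of the root. As an added example that is not part of this topic or of Alibaba Cloud's tooling, the following PowerShell script replaces that entry with an inheritable grant to a domain group, keeps Administrators, writes the result back with Set-Acl, and, because of the note above on items that already exist, can rewrite the ACL of every existing subdirectory and file as well. The drive Z:\, the group EXAMPLE\nas-users, and the Modify right are assumed placeholders. Run it as a domain account that belongs to that group or to Administrators, or you will lock yourself out of the share.

```powershell
# Added example, not from the Alibaba Cloud topic. Names are placeholders.
param(
    [string]$Root   = 'Z:\',                 # mounted SMB file system
    [string]$Group  = 'EXAMPLE\nas-users',   # assumed domain group that should use the share
    [string]$Rights = 'Modify',              # read, write, delete; no right to change ACLs
    [switch]$Propagate                       # also rewrite items that already exist under $Root
)
$ErrorActionPreference = 'Stop'
# Well-known SID of Everyone; comparing SIDs avoids the localized display name.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function New-Rule([string]$Identity, [string]$Rights, [bool]$Inheritable) {
    # Inheritable rules carry ContainerInherit and ObjectInherit, i.e. (OI)(CI) in
    # icacls terms: they apply here and to everything created below. Files must not
    # carry inheritance flags, so callers pass $false for them.
    $inherit  = if ($Inheritable) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $ruleArgs = @($Identity, $Rights,
                  [System.Security.AccessControl.InheritanceFlags]$inherit,
                  [System.Security.AccessControl.PropagationFlags]::None,
                  [System.Security.AccessControl.AccessControlType]::Allow)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

function Set-HardenedAcl([string]$Path, [bool]$IsDirectory) {
    $acl = Get-Acl -Path $Path
    # Remove every explicit Everyone entry, Allow or Deny, whatever its rights.
    $acl.PurgeAccessRules($Everyone)
    # SetAccessRule replaces an existing Allow entry for the same identity.
    $acl.SetAccessRule((New-Rule $Group $Rights $IsDirectory))
    $acl.SetAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' $IsDirectory))
    # Nothing has changed on the file system until the object is written back.
    Set-Acl -Path $Path -AclObject $acl
}

function Test-EveryoneAbsent([string]$Path) {
    # $true when no access rule on $Path (explicit or inherited) names Everyone.
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    -not ($rules | Where-Object { $_.IdentityReference -eq $Everyone })
}

# Root first: new items created from now on inherit the group grant.
Set-HardenedAcl -Path $Root -IsDirectory $true

# Existing items do not pick up the change on their own (see the note above), so
# rewrite each of them explicitly when asked to.
if ($Propagate) {
    Get-ChildItem -Path $Root -Recurse -Force | ForEach-Object {
        Set-HardenedAcl -Path $_.FullName -IsDirectory $_.PSIsContainer
    }
}

if (-not (Test-EveryoneAbsent $Root)) { throw "Everyone is still present on $Root" }
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

The same change with the icacls tool described in the next section is icacls Z:\ /remove Everyone /T followed by icacls Z:\ /grant "EXAMPLE\nas-users:(OI)(CI)M" /T, where /T applies the operation to the directory and everything below it; the PowerShell version is worth having when you need to distinguish files from directories, as the inheritance flags require, or when you want the final Test-EveryoneAbsent check in a script.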

icacls command

The icacls command is the standard command-line tool for ACL operations on Windows. You can use it to view and edit the ACLs of files and directories, including the root directory of the mounted drive. The examples use the icacls short form for rights: (F) is Full Control. A right without inheritance flags, such as (F), applies to the directory itself only; (OI)(CI)(F) is also inherited by files and subdirectories, and (IO) marks an entry that applies only to children, not to the directory itself.

Example:

# View the ACL of the root directory.
icacls z:
# Grant a user Full Control.
icacls z: /grant <username>:(F)
# Grant the administrator Full Control.
icacls z: /grant administrator:(F)
icacls z:
# Remove all entries for a user.
icacls z: /remove <username>
# Remove all entries for the Everyone group.
icacls z: /remove Everyone
icacls z:

Sample session. First, grant the administrator Full Control; icacls resolves the name against the domain and adds the entry as BEIJING-H\administrator:

C:\Users\Administrator>icacls z:
z: Everyone:(F)
   CREATOR OWNER:(OI)(CI)(IO)(F)
   NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   BEIJING-H\qinzhou:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator>icacls z: /grant Administrator:(F)
processed file: z:
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator>icacls z:
z: BEIJING-H\administrator:(F)
   Everyone:(F)
   CREATOR OWNER:(OI)(CI)(IO)(F)
   NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   BEIJING-H\qinzhou:(F)

Successfully processed 1 files; Failed processing 0 files

Then, starting again from the default ACL, remove the Everyone entry so that only the remaining accounts keep access to the root directory:

C:\Users\Administrator>icacls z:
z: Everyone:(F)
   CREATOR OWNER:(OI)(CI)(IO)(F)
   NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   BEIJING-H\qinzhou:(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator>icacls z: /remove Everyone
processed file: z:
Successfully processed 1 files; Failed processing 0 files

C:\Users\Administrator>icacls z:
z: CREATOR OWNER:(OI)(CI)(IO)(F)
   NT AUTHORITY\SYSTEM:(F)
   BUILTIN\Administrators:(F)
   BEIJING-H\qinzhou:(F)

Successfully processed 1 files; Failed processing 0 files