RBAC in Windows Server 2024

In Windows Server 2024, implementing folder sharing with RBAC (Role-Based Access Control) means using NTFS permissions and share permissions in combination with security groups in Active Directory to control access based on user roles.
Step-by-Step Guide: Sharing a Folder Using RBAC in Windows Server 2024
Prerequisites:
- Windows Server 2024 with File Server role installed
- Folder to share (e.g., D:\DepartmentDocs)
- Active Directory roles/groups created (e.g., HR_Read, HR_Write, IT_Admin)
Step 1: Create Role-Based AD Security Groups
- Open Active Directory Users and Computers.
- Navigate to your desired OU.
- Create security groups for each role:
  - HR_Read → read-only access to HR folder
  - HR_Write → modify access
  - IT_Admin → full control
- Add users to the appropriate group based on their job role.
Step 2: Create or Identify the Folder to Share
Let's say the folder is D:\DepartmentDocs.
- Right-click the folder → Properties
- Go to the Sharing tab → Click Advanced Sharing
- Check Share this folder
- Set a Share name (e.g., DepartmentDocs)
- Click Permissions:
  - Remove Everyone
  - Add your role-based groups:
    - HR_Read → Read
    - HR_Write → Change
    - IT_Admin → Full Control
- Click OK
Share permissions are broad; NTFS permissions provide finer control.
Step 3: Set NTFS Permissions (File System Access)
- Go to the Security tab → Click Edit
- Remove unwanted groups like Everyone or Users
- Add the same AD groups:
  - HR_Read → Allow: Read & execute, List folder contents, Read
  - HR_Write → Allow: Modify
  - IT_Admin → Allow: Full control
- Click OK
NTFS permissions are what actually control what users can do inside the folder.
Step 4: Test Access
From a client machine or another domain-joined PC:
- Open \\ServerName\DepartmentDocs
- Log in as different users and confirm:
  - Read-only users can view files, not edit
  - Modify users can add/edit/delete
  - Admins can do everything
Optional: Enable Access-Based Enumeration (ABE)
To hide folders users don't have access to:
- Open Server Manager → File and Storage Services
- Click on Shares
- Right-click the share → Properties
- Under Settings, enable Access-based Enumeration
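The same procedure (Steps 1 to 4 plus ABE) can be scripted. The following PowerShell is an added example, not part of the original guide; the domain name CONTOSO and the OU path are assumed placeholders, and it is meant to run in an elevated session on the file server with the ActiveDirectory module available.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Assumed placeholders: replace the domain and OU with your own values.
$Domain = 'CONTOSO'
$OU     = 'OU=Groups,DC=contoso,DC=example'
$Path   = 'D:\DepartmentDocs'
$Share  = 'DepartmentDocs'

# Role group -> share permission parameter and icacls right (RX, M, F),
# matching the mapping used in Steps 2 and 3.
$Roles = @(
    @{ Group = 'HR_Read';  ShareParam = 'ReadAccess';   Ntfs = 'RX' }
    @{ Group = 'HR_Write'; ShareParam = 'ChangeAccess'; Ntfs = 'M'  }
    @{ Group = 'IT_Admin'; ShareParam = 'FullAccess';   Ntfs = 'F'  }
)

# Step 1: create each role group if it does not exist yet.
foreach ($r in $Roles) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($r.Group)'")) {
        New-ADGroup -Name $r.Group -GroupScope Global -GroupCategory Security -Path $OU
    }
}

# Step 2: create the folder and share it to the role groups only.
# Naming the groups explicitly means no Everyone entry is placed on the share.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
$shareArgs = @{ Name = $Share; Path = $Path; FolderEnumerationMode = 'AccessBased' }  # ABE on
foreach ($r in $Roles) { $shareArgs[$r.ShareParam] = "$Domain\$($r.Group)" }
New-SmbShare @shareArgs | Out-Null

# Step 3: NTFS permissions. Copy inherited ACEs to explicit ones so they can be
# edited, then remove Everyone (S-1-1-0) and BUILTIN\Users (S-1-5-32-545).
icacls $Path /inheritance:d | Out-Null
icacls $Path /remove:g '*S-1-1-0' | Out-Null
icacls $Path /remove:g '*S-1-5-32-545' | Out-Null
foreach ($r in $Roles) {
    # (OI)(CI) applies the right to this folder, its subfolders and files.
    icacls $Path /grant ('{0}\{1}:(OI)(CI){2}' -f $Domain, $r.Group, $r.Ntfs) | Out-Null
}

# Step 4 (server side): list what is actually in place before testing from a client.
Get-SmbShareAccess -Name $Share |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Review the final ACL listing for any remaining broad entries before running the client-side tests in Step 4.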
Summary
| Role/Group | Share Permission | NTFS Permission |
|---|---|---|
| HR_Read | Read | Read & execute |
| HR_Write | Change | Modify |
| IT_Admin | Full Control | Full Control |
RBAC works best when you manage access through AD groups, not individual user permissions.

