SMB File Share SG joined to domain

Question

I have been testing with EC2 storage gateway with file share joined to our domain. I have added admins in file access settings. I am trying to move our on prem shared drive to aws using storage gateway. Enabled windows ACL. Mainly two questions:
1)Which is the best way to prevent users (with access to file share) to add permissions for another users? Any user that has access to the file share can modify permissions, even his own permissions.
2)Also the ntfs permissions already assigned on shared drive on prem doesn't get copied with copying folders to file share. It just sets to everyone when copied to file share. Since it's a large amount of data (around 10 TB), if i do robocopy will the permission also moved to file share? I will be doing robocopy on our file server. File share is mapped on server.

Answer

Hello,

You can control permissions on the SMB file share granularly using NTFS ACLs from Windows explorer or using PowerShell.

1) To prevent users to change/grant permissions to other domain users, you would need to ensure those AD user/group are not granted `Change Permissions` or `Full Control` [NTFS](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732880(v=ws.10)) permissions on specified file/folder. However, please note that the owner of the file/folder can always change permissions for themselves or grant permissions to others regardless of any existing permissions on that file/folder. Please refer [here](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732983(v=ws.10)) for additional information.

2) With robocopy command, please ensure that you are using /S flag to copy NTFS ACLs. You can use the following robocopy command which would copy data, attributes, timestamps, NTFS ACLs and ownership information. Please refer [here](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy) for more information.

```robocopy Y:\ Z:\ /copy:DATSO /secfix /e /MT:8```

Additional references:

https://docs.aws.amazon.com/filegateway/latest/files3/best-practices-copying-files-on-windows.html
https://docs.aws.amazon.com/filegateway/latest/files3/smb-acl.html
https://docs.aws.amazon.com/storagegateway/latest/APIReference/API_CreateSMBFileShare.html#StorageGateway-CreateSMBFileShare-request-AdminUserList

SMB File Share SG joined to domain

관련 콘텐츠