Hello,
Groups must be prefixed with the @ character. Acceptable formats include: DOMAIN\User1, user1, @group1, and @DOMAIN\group1.
Try updating accordingly and test.
Ref - https://docs.aws.amazon.com/filegateway/latest/files3/enable-ad-settings.html
Thank you
When a file share is created, the default user/group permission is Everyone. Any user with the UNC path can map the share as long as the user is part of the same AD as the gateway. When you check the NTFS permissions of the share mapped to a Windows machine, the default is Everyone Full Control.
File share access permissions take precedence over Windows NTFS permissions. When the Allowed and Denied Users and Groups lists are configured on the file share, Windows ACLs will not grant any access that overrides those lists. The Allowed and Denied Users and Groups lists are evaluated before ACLs, and control which users can mount or access the file share. If any users or groups are placed on the Allowed list, the list is considered active, and only those users can mount the file share.
The behavior you have experienced is expected (popup for valid user password) if the User that is trying to access the share is not in the valid user/group configured on the file share.
To further explain, suppose you have two users, User1 and User2. If User1 is added as an allowed user through the file share access settings in the Storage Gateway console and User2 tries to map/access the file share, it will not succeed even if the NTFS permissions are Everyone Full Control.
For User2 to map/access the share successfully, it will be prompted to enter the password of User1 to mount the share. Otherwise, User2 either needs to be allowed as a valid user on the file share, or any domain group that User2 is part of needs to be allowed, for it to mount the share successfully.
Additional Ref:
- https://docs.aws.amazon.com/filegateway/latest/files3/using-smb-fileshare.html
- https://docs.aws.amazon.com/filegateway/latest/files3/edit-file-share-access-smb.html
Thank You
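The entry formats and the "active allow list" rule from the two answers above, as a simplified model. This is an added example, not AWS code: `parse_entry`, `can_mount`, the `CORP` domain and the group membership are constructed for illustration, and case-insensitive name matching is an assumption.

```python
# Simplified model of the file share "Allowed users and groups" check.
# Not AWS's implementation; names and sample data are constructed.

def parse_entry(entry):
    """Classify an allow-list entry as a user or a group.

    Formats from the answer: DOMAIN\\User1, user1, @group1, @DOMAIN\\group1.
    Only a leading '@' marks a group; everything else is read as a user.
    """
    entry = entry.strip()
    kind = "user"
    if entry.startswith("@"):
        kind, entry = "group", entry[1:]
    domain, sep, name = entry.rpartition("\\")
    if not name or (sep and not domain):
        raise ValueError(f"malformed entry: {entry!r}")
    return kind, (domain.upper() or None), name.lower()


def can_mount(user, domain, member_of, allowed):
    """Return True if the user passes the allow list (evaluated before NTFS ACLs)."""
    if not allowed:
        # An empty allow list is not active: no restriction at this layer.
        return True
    groups = {g.lower() for g in member_of}
    for kind, entry_domain, name in map(parse_entry, allowed):
        # Assumption: an unqualified entry refers to the gateway's own domain.
        if entry_domain not in (None, domain.upper()):
            continue
        if kind == "user" and name == user.lower():
            return True
        if kind == "group" and name in groups:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: User2 is a member of group1 in domain CORP.
    for allowed in ([], ["User1"], ["CORP\\group1"], ["@CORP\\group1"], ["@group1"]):
        print(allowed, "->", can_mount("User2", "CORP", {"group1"}, allowed))
```

A group name entered without the `@` prefix is matched as a user name, so it never matches the group's members and the mount is refused.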
Hello Harshi, thanks for your answer. I want to control my share access using the Allowed and Denied Users and Groups lists. NTFS permissions are open.
- Without any list, my user can access.
- Configuring an allow list with a wrong user, access is blocked --> ok
- Configuring an allow list with a good user, access is granted --> ok
- Configuring an allow list with an AD group (my test user is a member of this group), access is blocked --> ko

I tried typing the group as DOMAIN\group or as the group name only, without success. Is there any additional configuration for using groups? How can I troubleshoot this?
Thank you
I tried with the @ prefix, but on the Builtin Administrators domain group (in my lab). This group doesn't work; custom groups work fine ;) Problem solved! Thanks for your help, Harshi.