Provisioning SMB Shares using NTFS Permissions with Active Directory authentication
This guide outlines adding SMB Shares with NTFS Permissions to a MyWorkDrive server using Active Directory for user authentication.
If you are using Entra ID for user authentication, this method will not work for you. See this guide for SMB Storage on Entra ID authentication, or this guide for other storage options.
When you provision the shares on the file server, follow the outline in our guide to file sharing.
Note that it is important to set permissions on folders using NTFS security, not just sharing permissions.
It is recommended that you use the UNC path of your shares
\\server\share\
and not a file system path like
c:\folder\
for maximum compatibility with the features of MyWorkDrive. A drive letter path will work OK in most instances, but some features like share internal may fail to work correctly.
If you have correctly set NTFS permissions, they will import correctly and you’re all set.
Note that you cannot add permissions via MyWorkDrive using the Users & Groups panel. The correct permissions must exist in NTFS. The Users & Groups view on shares is for removing users or groups who have access via SMB but should not have access via MyWorkDrive. This permits MyWorkDrive to be more secure and provide less access to remote users as compared to users in the office.
If no shares are set up yet (new installs), the MyWorkDrive Admin Panel will start with the Add Shares section already open; otherwise click Add to set up shares. Enter a Name (share name) and the Path, which points to the network share using the host name and share name on the same LAN as the MyWorkDrive Server (e.g. \\server1\project).
Import existing Users and Groups permissions to begin choosing which users/groups should be able to see the share in MyWorkDrive, or manually search and Add the Groups and/or Users you wish to permit access to the shares in MyWorkDrive. Note that we only import existing permissions to help you select which of the users/groups that already have NTFS permissions may access the share using MyWorkDrive. Note that future user/group changes need to be added to or removed from MyWorkDrive shares, so ideally use Active Directory Groups to limit updates.
For MyWorkDrive servers at version 6 or higher, administrators may limit access by user or group to specific client types: Web Client, Mapped Drive or Mobile. Read more about Granular Share Permissions here.
Please also note that sharing subfolders of a share is possible. For example, your path might be \\server\share\subfolder. However, if you do that, they will not appear that way on the simulated SMB mount point for the Windows Map Drive Client. Due to a limitation in the file system driver we use to simulate the SMB mount point, shares which include a subfolder will be simulated as \\server\subfolder on the Windows Map Drive Client. The shares will work normally in all regards in the GUI on the Windows Map Drive Client, as well as on the Web client and Mobile client; however, their simulated SMB mount point will not match a traditional SMB Share.
Verify Home Drive Settings on the Settings tab – enabled by default – this information is pulled from Active Directory automatically for each user on their profile tab.
Set the file size limit for transfers (this will depend on your internet upload/download speed); we recommend limiting to 30 MB or less on slower connections.
MyWorkDrive also supports entering %username% variables in the folder path, for example: \\servername\project\%username%. If the user has a folder, only their folder will appear under the share. Starting in Server 5.3, in addition to the username variable, a new variable %upnname% can be used, which pulls the username from the UPN (user principal name).
** Note: existing file share permissions on your file server should be Everyone Full Control, with only NTFS used to limit user file permissions (users should be given only Modify, not Full, NTFS permissions so as to prevent file ownership issues). As a security precaution, MyWorkDrive passes through authentication and can limit permissions further but cannot grant NTFS permissions to any shares. Users must already have NTFS and share permissions to the files before the share is added to MyWorkDrive. To prevent users from seeing files they don’t have rights to, enable Access Based Enumeration on the share. For more information on cleaning up ownership and NTFS permissions, see our Windows File Sharing Article.
*** For very large organizations with hundreds of shares, MyWorkDrive supports importing shares from a CSV file share list. Contact Support for additional details.
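The checks from the ** note on share and NTFS permissions, as an added PowerShell example (not MyWorkDrive's own tooling): run on the file server, it audits one share for Everyone/Full Control at the share level, Access Based Enumeration, and NTFS Full Control held by accounts outside an allow-list. The function name, the share name `project` and the allow-list of accounts expected to hold Full Control are assumptions; account names are the English-locale ones.

```powershell
# Added example: audit one SMB share against the guidance in the note above.
# Run in an elevated session on the file server that hosts the share.
function Test-ShareForMyWorkDrive {
    param([Parameter(Mandatory)][string]$ShareName)

    $share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Share-level permission should be Everyone / Full Control; NTFS does the restricting.
    $everyoneFull = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccountName -eq 'Everyone' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }
    if (-not $everyoneFull) {
        $findings.Add('Share permission is not Everyone / Full Control')
    }

    # 2. Access Based Enumeration hides folders a user has no rights to.
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        $findings.Add('Access Based Enumeration is not enabled')
    }

    # 3. Users should hold Modify, not Full Control, in NTFS.
    #    Assumption: only these accounts are expected to hold Full Control.
    $expectedFull = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $share.Path).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $full) -eq $full -and
            $expectedFull -notcontains $who) {
            $findings.Add("NTFS Full Control granted to $who")
        }
    }

    [pscustomobject]@{
        Share     = $ShareName
        Path      = $share.Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# 'project' is a placeholder share name.
Test-ShareForMyWorkDrive -ShareName 'project' | Format-List
```

If Access Based Enumeration is reported as not enabled, `Set-SmbShare -Name project -FolderEnumerationMode AccessBased` turns it on for that share.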
Limiting Logins
You can limit who can log in to the MyWorkDrive site by restricting user groups on the MyWorkDrive shares: only the users or groups who are added to at least 1 share in MyWorkDrive will be able to log in (even if they have underlying NTFS permissions, they will still be denied login to MyWorkDrive). If desired, set to require at least 1 share under home drive settings.