Grant Access to specific network folder

• U:\ drive - access given only to that employee

• G:\[Department] - access given only to employees of that department

• G:\Shared\* - used when access is needed for employees from multiple departments

1. Create the security group

• Open Active Directory: FFL --> HQ* --> locate the department and expand it (*or for directories on G:\Shared or Shared-OnBaseSweeps directories: expand FFL -->SecurityGroups --> SharedGroups)
  Right click on SecurityGroups or SharedGroups, then click on New --> Group
  Name the group followed by -M for Modify, -R for Read only, -W for Write access only

• 2. Add Description & Members

  Double click the newly created group to open Properties.
  On the General tab, enter a brief description for the purpose of the group. It is a good idea to list the path of the specific folder that the group was created for.
  Next, select the Members tab. Click Add, then enter the name of the new members --> check name --> OK

• 3. Give List Access & document requestor

  Click on the "Member Of" tab. Click on add, then enter List_Access_(department) --> check name --> OK (or for G:\Shared groups, enter Shared-[parent folder name]-L)
  This ensures that the members of the group are able to access the parent directory, but not all contents of the directory (only the specific folder they are being granted access).
  
  Next, click on the "Managed By" tab. This is where you want to enter the name of the person who requested the access. This should be a member of that specified department who has the authority to make the request.

• 4. Allow access to the specified folder

  This step will allow the users to view the contents of the specified folder.
  Log into the server where the specific folder lives (like Earth for the G:/ drive, or WLKWOBP02 for OnBaseSweeps directories), then navigate to the folder to which access was requested.
  Right click and select Properties.
  Select the Security tab, then click Edit
  Click on Add, and enter the name of the group that you created in Step 1. Check name, then click OK
  That group should now be added. Click on it to select it, then click on the check boxes to give the specific rights. Full control, modify, read, etc. then click OK.
  
  ***Note: If you are creating a new security group/OU in AD for FMB, and you do not see it right away as an option on \\wbeldc01 or other machine, you may need to manually replicate it to FMB. Automatic replication may take about 45 minutes.
  To replicate faster, open Active Directory Sites & Services. Expand Sites, then the group you want to replicate to (e.g. FMB-BEL), expand all options until you reach NTDS settings, then right-click on the specific server connection to select All Tasks --> Replicate Now. If you check the security tab now, you should see your new OU as an option.

• 5. Limit access to specific security group(s) (if needed)

  1) Go to the folder on Earth and go to Properties -> Security -> Advanced
  2) Under the Permissions tab, click on the Change Permissions button
  3) Un-check the “Include inheritable permissions from the object’s parent” box
  4) When prompted about adding or removing the existing permissions, click Add. This will convert all the currently inherited permissions to explicit permissions.
  5) Hit Apply and OK and then OK again to get back to the main Security tab.
  6) Click the Edit button.
  7) If they exist, remove System, Domain Users, and ScanRouter. You should be left with Domain Admins, Earth Administrators, and the group that you created.
  8) Confirm that the group has the appropriate rights to the folder such as Modify if it as modify group.
  9) Click Apply and OK and close out of properties.

• 6. Inform users they will need to restart the computer

  In order for the permission to take effect, the users will need to log off/on to their computer or reboot their computer. Once they log back on, they should see the department listed on their G:\ drive, but they will only have access to the specific folder that was chosen in Step 4.  (If an OnBase Sweep folder, they will have access to the specific directory that was requested.  It can be copied/pasted into a new File Explorer window, and the user can create a custom mapped drive if desired - see separate KB article.)