Restricting access to a Qnap TS-879U-RP via AD Groups & NTFS

If you don’t mind anyone having access to your Qnap NAS and having their own home directory then you can enable home folders on the NAS throught the NAS web interface and then when any user first connects to your NAS, a home directory is automatically created for them.  It’s all built in and works perfectly.

For us, the requirement was to restrict NAS access to just a few users.  It also had to have the least amount of administrative overhead (actually that was my proviso otherwise I could see myself having yet another system to manage)

My Plan

  1.  To create two Active Directory groups.  For now, let’s call them “Nas Users” and “Nas Users ReadOnly”
    Any member of the  “NAS Users” group will have a home directory created on the NAS for them with the NTFS Modify permission set and that only they can “see” (with the exception of the “NAS Users ReadOnly” group members – see below) as well as access to a communal shared directory that all NAS User members will have modify permissions set so that they can easily share files between themselves.  Any member of the “NAS Users ReadOnly”  group will be granted read only permissions (“Read & Execute) to all home directories.  This is intended to be for our lecturers in case they need to access any individuals media files.
  2. Members of “NAS Users” will receive two drive-mappings.  One to their home directory and one to the communal shared area.
  3. The whole process will be as automated as possible with full logging of any new home directory creations.  For this I decided that using powershell would probably be the best option which I plan to have run daily as a scheduled task.

Create the NAS Shares

The first thing I did was to create three share on the NAS.  I wanted a share to store the home directories, one share for the communal shared area and one share where my powershell script would write it’s log files.

With that in mind, I created the following new shares:  NASHome, NASShare and NASLogs.

To create each share, I logged on to the NAS and under ‘Privilege Settings’ I selected ‘Shared folders’ and then selected the ‘shared folder’ tab in the main pane.  I then clicked on ‘Create’ and selected ‘Shared Folder’ from the drop-down menu:


I then gave the folder a name and description and left everything else at the defaults.  This process was repeated for all three of my shares.

Next I selected the ‘Advanced Permissions’ tab and ensured that both options were selected as I want to manage the shares via NTFS permissions:


Add the share permissions on the NAS

In the NAS web interface, navigate to the shared folders and then click the ‘Access Permissions’ button next to the share:


Then click the ‘Add’ button and then select ‘Domain Groups’ from the drop-down:


Select or search for your AD Group “NAS Users” and ensure that the “RW’ box is selected.  Then click the ‘Add’ button:


You should then see the following on your share:


The above procedure needs to be completed for the NASShare and the NASHome shares.

Give AD Group “NAS Users ReadOnly” Read & Execute permissions on the share

I then created my first Active Directory group called: NAS Users ReadOnly.

As you will recall from my plan above, the members of this group will have read only access to all home directories.

To do this, on my windows compuer I typed in \\NameOfMyNAS in the run menu and when presented with the login dialog box I entered the NAS admin user and password credentials.

I was then presented with my shares:

NAS shares

I then right-clicked on the “NASHome” share (as this is where my home directories will be created) and selected ‘Properties’ and then selected the Security tab.  I clicked on ‘NAS Users’ and then the ‘Edit button’ and ensured that only Read & Execute, List folder Contents and Read permissions were set:


On the Windows Security warning, I clicked on’Yes’ and then OK until all dialog boxes were closed:


Give AD Group “NAS Users” correct home directory access permissions

The next step was to allow any members of  the ‘NAS Users’ group to be able to access their own home directory but not anybody else’s.

To do this, I right-clicked the ‘NASHome’ share and selected ‘properties’.  I then selected the ‘Security’ tab and clicked on the ‘Advanced’ button.

I then selected the ‘NAS Users’ principal and clicked on the ‘Edit’ button:


I then ensured that the “Type” was set to: Allow and “Applies To” was set to: This folder only.  The basic permissions set to Read & Execute, List folder contents and Read.  I then clicked OK until all dialogs had closed:


If you look at the Security tab now, for the “NAS Users” group you should now see only “Special Permissions” listed:


Give NAS users modify permissions to the communal share

Repeat the above, ie on the NAS interface select the “NASShare” share and give the “NAS Users” group RW permissions to the share.  Then on your computer right-click the share -> properties -> security tab and adjust the permissions for the group so that only Modify, Read & Execute, List folder Contents, Read, Write permissions are the only ones ticked.

Permissions results

Any members of the Active Directory group “NAS Users” can, if they navigate to the root share eg \\MyNASName see all of the home directories but they will not be able to open any directory except theirs.  At this stage they do not have write permissions to their directory as this will be handled by the directory creation powershell script later on.

Any members of the Active Directory group “NAS Users ReadOnly will be able to open and view \ copy anything from any home directory but will only be able to write to their own home directory if one has been created.

Any member of  the “NAS Users” group will be able to read \ write to the communal share: “NASShare”

These permissions may not suit your requirements so season to taste.

Be the first to comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.