How-to Manage Server Folders & Security in Windows Server 2016 Essentials
Alex Fields
After setting up your domain and adding or importing users from an existing domain, one of the very next things you’re likely to do as an administrator of Windows Server Essentials 2016 is to set up your shared folders and permissions. Prior to this step, I also recommend enabling the integration to Azure AD and Office 365.
We are going to walk through a number of items related to managing server folders:
- Add Security Groups (recommended)
- Moving Server Folders (recommended)
- Enable Group Policy / Folder Redirection (optional)
- Enable BranchCache (optional)
- Add new Server Folders (optional)
The Dashboard provides some interesting tools for managing shared resources, and they are fairly straightforward to use.
1. Add Security Groups (recommended)
Before you begin administration of your folders, make sure you’ve got some security groups defined. Go to Users, select User Groups and then Add a new group.
Name your group and give it a description.
Follow the rest of the prompts–you can choose to include this security group in the cloud as well.
Choose which users to include.
Go ahead and finish your way through the wizard.
2. Move your Server Folders (recommended)
Before you get too far, you will probably want to move your server folders from the default location (C:\ServerFolders\). In my example, I moved them to another volume, E:\.
From the Dashboard, go to Storage, and then Server Folders, select a folder and click “Move the folder” from the right.
Click Next to get started, and choose your new location from the list of presented alternatives. In this case I chose the option for my E:\ volume.
Go ahead and finish the wizard.
3. Enable Folder Redirection (optional)
You may want to redirect common user folders such as Documents and Favorites to the Server Folders, so they can be included in Backup. To do this, navigate to Devices in the Dashboard, make sure your Essentials server is selected, then click on Implement Group Policy. Note that this step would normally be done after you’ve already disabled legacy group policies–for example if you’re coming from an older environment like Small Business Server.
Step through the wizard.
Consider whether you want to include things like Downloads, Music and Pictures (you may not want those kinds of items taking up space–it depends on the business requirements).
I usually enable the default settings for the security portion, although it is optional and you can manage your own also.
Gotta love this plug for Windows 10 on the last screen. As if it weren’t enough that Microsoft made it a recommended update already. Relentless!
Want to see what this wizard actually did? Open the Group Policy Management console from Administrative Tools, and check out the GPOs.
4. Enable BranchCache (optional)
You also have the option to enable BranchCache, which allows computers on your local LAN segment to cache server folder data for quicker access. This is helpful if your Windows Essentials Server is hosted offsite by a service provider, or in Microsoft Azure, for example.
Just click Settings in the upper-right corner of the Dashboard, then go to BranchCache and click Turn on. Click OK.
To see what this action did, check out the Group Policy Management console again.
The BranchCache feature will also require Enterprise licensing for your Windows client computers in order to work properly.
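The same check can be done from PowerShell after running the Group Policy wizard or turning on BranchCache. This is an added example, not part of the original article: it lists the GPOs modified within a recent window, notes whether each is linked at the domain root, and writes an HTML report per GPO for review. The one-day window and the output folder are assumptions.

```powershell
# Added example, not from the article. Read-only apart from the report files it writes.
# Assumptions: run on the Essentials server, where the GroupPolicy and ActiveDirectory
# modules are available; $Days and $OutDir are illustrative defaults.
param(
    [int]$Days = 1,
    [string]$OutDir = (Join-Path $env:TEMP 'gpo-review')
)

Import-Module GroupPolicy, ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$since    = (Get-Date).AddDays(-$Days)
$domainDn = (Get-ADDomain).DistinguishedName

# Index the GPO links at the domain root by GPO GUID.
$links = @{}
foreach ($l in (Get-GPInheritance -Target $domainDn).GpoLinks) {
    $links[$l.GpoId] = $l
}

Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $since } |
    Sort-Object ModificationTime |
    ForEach-Object {
        # One HTML report per GPO, named by GUID so display names cannot collide.
        $report = Join-Path $OutDir ("{0}.html" -f $_.Id)
        Get-GPOReport -Guid $_.Id -ReportType Html -Path $report

        $link = $links[$_.Id]
        [pscustomobject]@{
            Name               = $_.DisplayName
            Modified           = $_.ModificationTime
            Status             = $_.GpoStatus
            LinkedAtDomainRoot = [bool]$link
            LinkEnabled        = if ($link) { $link.Enabled } else { $null }
            Report             = $report
        }
    } |
    Format-List
```

Running it once before and once after the wizard makes it easy to see exactly which policies the Dashboard created or changed.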
5. Add new Server Folders (optional)
Finally, let’s see what it looks like to add a new Server Folder through the Dashboard. Go back to Storage > Server Folders. Select Add a folder from the right.
Give your folder a name and description.
From here you can assign permissions to the resource directly–your new Security Groups should be listed here as well. Note that you can always go back into existing server folders to edit permissions later.
You will also be reminded to include the folder in your backup.
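To confirm that access to the server folders is granted through security groups rather than to individual accounts, the NTFS permissions can be audited from PowerShell. This is an added example, not part of the original article: it reports every non-inherited ACL entry on a top-level server folder whose principal is a user account. The root path is the article's default location and is an assumption if you moved the folders.

```powershell
# Added example, not from the article. Read-only audit; nothing is changed.
# Assumptions: run elevated on the Essentials server (a domain controller, so the
# ActiveDirectory module is present). $Root is the default location named in the
# article; point it at the new volume if the folders were moved.
param([string]$Root = 'C:\ServerFolders')

Import-Module ActiveDirectory

function Get-ExplicitUserAce {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # only entries set on this folder itself

        try {
            # Resolve the principal to a SID, then ask AD whether it is a user.
            $sid  = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier])
            $user = Get-ADUser -Identity $sid.Value -ErrorAction Stop
        } catch {
            continue                         # group, built-in or unresolvable principal
        }

        [pscustomobject]@{
            Folder = $Path
            User   = $user.SamAccountName
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
        }
    }
}

# Only the top-level server folders are checked. Per-user subfolders (for example
# under a redirected-folders share) carry user entries by design.
Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Get-ExplicitUserAce -Path $_.FullName } |
    Sort-Object Folder, User |
    Format-Table -AutoSize
```

An empty result means every explicit entry on those folders belongs to a group or a built-in principal.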
You can also easily manage SharePoint Libraries in Office 365 much in the same way, right from the Essentials Dashboard. More on that here.
Is there a way to disable or skip the Allow Access to: part when setting up a new user? I have shares set up with Domain Users group assigned and what not. Now every time I add a new user, it adds that user to the share with the selected permissions. I then have to go through each of the folders and remove the explicit user from the security tab. Thanks,
Yeah this solution isn’t the best–hopefully you’re looking beyond it now to Microsoft 365 Business. WAY better.
The server is already in place, so I don’t see that happening for a bit. So for now, do you have a way to stop it?
No–the alternative you have is not to use the built-in management tools for Essentials and just manage it more like it is Windows Server standard with ACL’s on the shares with security groups, and you create users in ADUC, assign groups, etc. from there.
Side question on using Azure AD/FS. My client’s (and mine) concern with having AD and file hosting on Azure is if internet goes down, so does your file access and AD. Or are you suggesting a hybrid solution?
Most organizations are moving away from on-prem infra as much as possible. It is a slower process in the Enterprise, so that will take more time. But the reality is that Internet is ubiquitous and everyone relies on Internet availability so it pays for every business to have a primary and secondary ISP–these are inexpensive connections and the Internet is just where business is done these days. No startup out there is attempting to build on-prem–they are born in the cloud, and every enterprise is attempting to move toward cloud services because they deliver capabilities, security and scale that you just don’t have on-prem. Therefore they can resist the change but in the end they will be dragged along, as the value of having these things “local” has quickly diminished as cloud has outpaced it. So I don’t recommend hybrid unless there is a “hard tether” to some LOB app that has no other way of being moved or hosted elsewhere easily.
We have been doing that for services like Exchange and backup. But most of our clients are engineering firms, so they deal with large CAD files that make online FS painful. And the bigger thing, they are small to medium businesses, so having a secondary ISP is not viable.
It seems most Azure services are great for large/Enterprise level companies, but not so much for small and medium businesses.
Thank you for all your advice and write ups. I use them all the time.
I work exclusively with SMB customers and all of my clients have two internet connections, and when I find out they don’t, I recommend it. There may be some viability now that OneDrive client supports large file types as well as delta sync for large files (so only delta changes are synced to the cloud). But most firms that do CAD still have a hybrid as of today–these changes to ODfB were just announced at Ignite and may not even be available everywhere yet, but the writing is on the wall–there are fewer and fewer use cases where on-prem makes sense.
You also have the option of Azure File Sync, which keeps local copies cached on a server using traditional SMB path but syncs all files to Azure. Still, long term I think this will be eclipsed by smarter cloud file sync solutions that work right at the client, rather than on a local server.
Stupid question… but is there a preferred way to Delete or Remove or Rebuild the Folder Redirection folder? It appears this folder has become corrupt as my users are getting Access Denied errors when trying to log in and create the Documents, Desktop, Pictures folders etc.
If I delete the Folder Redirection folder, go back into the Dashboard, Folder Redirection now shows “missing”, if I right-click and choose Recreate the folder, it creates the folder with all the user subfolders underneath. However, users’ NTFS permissions do not allow them to create the necessary redirected subfolders (Desktop, Documents, etc). Not sure what to do or how to proceed.