Manage User Permission on Synology with Active Directory [Part 1]

How to manage user permission in AD and Synology

This article discusses the steps to manage User Permission on Synology with Active Directory [Part 1], covering access permissions on a Synology DS923+ NAS that is integrated with Active Directory (AD). The goal is to ensure that users and groups have the correct level of access to resources such as shared folders, based on their configured roles and responsibilities. Please see how to Protect Synology DS923+ NAS, and how to resolve “IP Address blocked on Synology NAS due to forgotten Password“.

Below are some best practices to consider when integrating Synology NAS with Active Directory:

  • Use groups rather than individual users: this simplifies user management and ensures consistency.
  • Apply the principle of least privilege: assign only the permissions a group actually needs, to reduce the risk of unauthorised access.

Also, see how to Grant Local Admin Permissions to a Group [Part 1], how to create folders and enable file sharing on Windows, and how to create hidden share folders on Windows devices.

Create ACLs on Synology NAS

Before assigning permissions, the Synology NAS must be joined to the AD domain. To help you understand and implement user access control in your own environment, I have put together a very simple architecture to demonstrate this scenario.

I will be creating three users and groups in Active Directory (AD). On the Synology NAS, I will create some folders and assign the various permissions as defined in the image below.

manage user permission on Active Directory and Synology

Please see how to Update Global Address List: Recognition Error, and “Synology NAS Domain Join: The Importance of DNS Configuration“.

Join Synology NAS to AD Domain

Note: Joining the Synology NAS to the Active Directory domain allows the NAS to recognise and authenticate AD users and groups. Once joined, the NAS can apply AD-based permissions to its resources, such as shared folders. Here is an article on how to “Create New Users and Join Synology NAS to Active Directory“.

To do this, navigate to Control Panel > Domain/LDAP > Domain/LDAP as shown below.

Control Panel to launch Domain/LDAP

Select Join and enter the AD domain information (domain name, administrator username, and password). Because I have already done this as described in the link above, I can only show you the status.

connected Synology to the domain

Create Shared Folders on Synology NAS

We have demonstrated the steps to create a folder and assign permissions in this article on how to Configure Synology DS923+ NAS for File Sharing [Part 2]. To do this, navigate to and access your DS923+ NAS management interface.

Note: Permissions for shared folders can be set at a granular level, allowing the NAS administrator to control who can read, write, or access the data within these folders. These permissions can be assigned to specific users or groups, including those from Active Directory. Folders are primarily for organising data within a shared folder and are accessed via the shared folder’s permissions and network share; they do not have independent network-sharing properties. Folders also inherit the permissions set on the shared folder unless explicitly overridden. This means that the access control on folders depends on the permissions of the parent shared folder.

Then open Control Panel or File Station, click Create and select “Create Shared Folder”. This is because a Shared Folder is the primary unit for sharing data across a network on a Synology NAS, while a Folder is used within these shared folders to organise data hierarchically, as discussed above. You can learn about the various folder icons.

create shared folder
Shared folders are the primary way to share files and resources with users or groups across a network

Enter the folder name. You could also create a shared folder via “Control Panel”.

folder information

I am not interested in additional security for now. Therefore, I will skip it.

Skip additional security measures

I am also not interested in “Advanced Settings”; click Next for now.

Shared folder advanced settings

Confirm settings and click next to proceed.

Confirm settings

I am not setting user, group or AD user group permissions for now; I will modify the shared folder properties and assign the rights later. Click “Apply” to complete this process.

Note: ACLs (Access Control Lists) on a Synology NAS are based on Windows ACLs by default for shared folders, starting with DSM 5 and above.

No user permission yet

Note: Shared folders are accessible over the network through various protocols such as SMB, AFP, NFS, FTP, WebDAV, etc. Users can map these shared folders to their computers as network drives.

Create other two folders

In order not to make this article unnecessarily lengthy, I created the other two folders offline. Below is an image showing that all the folders needed to demonstrate this use case have been created.

All folders created on DS923+

Configure ACLs Using AD Groups

This step involves creating user groups in Active Directory. But before we proceed, let us discuss the various types of groups. The type of group determines its availability to other domains and how it is replicated. This matters particularly in environments with multiple domains and complex resource management needs, and it determines what you can do at the domain or forest level.

There are three types of Active Directory groups; including the local groups on individual PCs, that makes four (4) that Windows supports. Choosing the right group scope offers a lot of advantages.

  • Local
  • Domain local
  • Global
  • Universal

You may want to learn about “Universal, Global, and Domain Local Group Scopes Differences“, and how to change Active Directory Group Scope.

Local Group

A local group is created on the local PC and is stored in that PC's local database. Its availability is limited to this PC only. Any other group can be a member of a local group.

Domain Local Group

A domain local group supports the same membership attributes as a local group, but it can be administered at the domain level. Domain local groups are bound to the domain they were created in. This offers some security and ensures the group cannot be used outside the domain.

Global Group

A global group has the most restricted membership: only users, computers, and other global groups can be put in a global group, but the group can be used in any domain in the forest. This works by creating a global group and placing the users that require the access into it.

The global group itself is then placed into a domain local group that is given access to the resource.

Universal Group

A universal group is a special type of group, as it is stored on a global catalog server. It is also available to all the domains in the forest. Even though the information is stored on the global catalog server, the group is associated with the domain it is created in.

Note: This means that the membership details of the group are tied to the global catalogue server. If a PC needs to use a universal group, it needs access to a global catalogue server; a server that is not a global catalogue server does not have this information. Therefore, if the global catalogue server is not available, the membership of the group cannot be determined. This means that GC placement is important when using universal groups.

Note: If a user is a member of a universal group, a GC server must be available for them to log in. A universal group can contain computers, users, global groups and other universal groups.

Note: Local groups support every member type except domain local groups; they cannot be used outside the domain they were created in and cannot be added to groups in other domains. Membership of a local group is the same as that of a domain local group.

Note: By design, group members are restricted to their own domain; you cannot add members to a global group from outside the domain. However, with a universal group, you can include members from different domains within the same forest.

Note: You can change a security group to a distribution group and vice versa. The group scope can be changed as well. Do not forget that there are consequences for these actions, as they will affect permissions. Also, changing a Global group directly to a Domain Local group, or vice versa, is not permitted: you must first change it to a Universal group before changing it to the desired scope. A global group cannot have universal groups as members.
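The scope-change rule above is easy to get wrong when scripted, so here is an added example (my own, not code from the article) that performs the Global to Domain Local change through the mandatory Universal intermediate step, after checking the nesting constraints that make the intermediate step fail. It assumes the ActiveDirectory RSAT module and uses the article's HRGroup as the group to convert; the group name is illustrative.

```powershell
Import-Module ActiveDirectory

function Convert-GroupScopeViaUniversal {
    <#
      Changes a group between Global and DomainLocal through the mandatory
      Universal intermediate step, checking the nesting constraints first.
    #>
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global', 'DomainLocal')] [string] $TargetScope
    )
    $group = Get-ADGroup -Identity $Identity
    if ($group.GroupScope -eq $TargetScope) { return $group }

    if ($group.GroupScope -eq 'Global') {
        # Global -> Universal is refused while the group is nested inside another Global group.
        $globalParents = Get-ADPrincipalGroupMembership -Identity $Identity |
            Where-Object { $_.GroupScope -eq 'Global' }
        if ($globalParents) {
            throw "$Identity is a member of Global group(s) $($globalParents.Name -join ', '); remove it from them first."
        }
    } elseif ($group.GroupScope -eq 'DomainLocal') {
        # DomainLocal -> Universal is refused while the group contains other DomainLocal groups.
        $nestedDL = Get-ADGroupMember -Identity $Identity |
            Where-Object { $_.objectClass -eq 'group' } |
            ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName } |
            Where-Object { $_.GroupScope -eq 'DomainLocal' }
        if ($nestedDL) {
            throw "$Identity contains DomainLocal group(s) $($nestedDL.Name -join ', '); remove them first."
        }
    }

    Set-ADGroup -Identity $Identity -GroupScope Universal     # step 1: to Universal
    Set-ADGroup -Identity $Identity -GroupScope $TargetScope  # step 2: to the target scope
    Get-ADGroup -Identity $Identity
}

# 1. A direct Global -> DomainLocal change is rejected by Active Directory.
try {
    Set-ADGroup -Identity 'HRGroup' -GroupScope DomainLocal -ErrorAction Stop
} catch {
    Write-Warning "Direct change refused, as expected: $($_.Exception.Message)"
}

# 2. The two-step path succeeds; the returned object reports GroupScope = DomainLocal.
Convert-GroupScopeViaUniversal -Identity 'HRGroup' -TargetScope DomainLocal |
    Select-Object Name, GroupScope, GroupCategory
```

Run it with an account that has write access to the group object. The membership checks are there because the Universal step is the one that fails in practice: a Global group nested in another Global group, or a Domain Local group that contains other Domain Local groups, cannot become Universal until that nesting is removed.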

Create User groups In Active Directory

Please follow the steps below to create the needed groups. To do this, launch the Active Directory Users and Computers console. Right-click on the OU of interest and select New > Group as shown below.

Create groups in AD

Enter the group name; by default the Global scope is selected. Also, ensure “Security” is selected as the group type.

Global group
You can create a group with a SID (Security Identifier) or without a SID, for example for applications like distribution groups. You can also create nested groups if you wish.

As you can see below, we have the HRGroup created.

Security group created

I went behind the scenes to create the financeGroup as well.

Finance security group created

Also, the ITAdminGroup has been created.

IT Admin Security Group created

Create Active Directory Users

Since we will be testing with AD users this time and not the local users on the DS923+ Synology NAS, I will proceed to create the users in AD.

To do this, launch the Active Directory Users and Computers console. Right-click on the OU of interest and select New > User.

Create HR user in AD

Populate the New Object – User fields and click Next.

New user creation

Enter the password and set the attributes as you wish. This is just a test environment.

Assign password to user account

Click Finish to end the user account creation wizard.

Finish account creation

As you can see, we have successfully created our HR user Account.

HR User available

I will also proceed to have the IT user created as shown below.

IT User available

I have also created the Finance user account as shown below.

Finance user Available

Assign Users to Group

Assigning users to groups in Active Directory offers several significant advantages, such as efficient permission management, enhanced security through Role-Based Access Control (RBAC), easier user management and central control.

To assign a user to a group, double-click on the group or right-click on it and select Properties. Navigate to the Members tab and click “Add”.

Group Properties

Enter the User and check the name

Check name

If found, click on OK.

Select user

We have successfully added Alice as a member of the HRGroup user group in AD.

User associated with group

Alternatively, we could also do this straight from the user account. Right-click on the user and select properties.

In the Properties window, select the “Member Of” tab and click “Add”.

Add IT user to a group

Enter the object name and click Search.

Enter Object to select

If found as shown below, click OK.

User group selected

Do not forget to click on “Apply” or “OK” as the case may be.

User Group added

I have assigned the Finance user, “Matthew” in this case, to the Finance group behind the scenes.
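The group creation, user creation and membership steps above are all done through the Users and Computers console. As an added example (my own script, not something from the article), here is the same provisioning done with the ActiveDirectory PowerShell module, using the article's group and user names; the OU path and the UPN suffix are placeholders to replace with your own. It ends by listing each group's members, which is what the NAS will resolve once it looks the groups up.

```powershell
Import-Module ActiveDirectory

$ou        = 'OU=SynologyAccess,DC=example,DC=local'   # placeholder OU, replace with yours
$upnSuffix = 'example.local'                            # placeholder UPN suffix

# Global security groups, as in the article (Global is also the ADUC default scope).
$groups = 'HRGroup', 'financeGroup', 'ITAdminGroup'
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $ou
    }
}

# Test users and the group each one belongs to. Eze is deliberately left out of
# every group; he is the "non-member" used for the negative test later on.
$users = @(
    @{ Name = 'Alice';   Group = 'HRGroup' }
    @{ Name = 'Alfred';  Group = 'ITAdminGroup' }
    @{ Name = 'Matthew'; Group = 'financeGroup' }
    @{ Name = 'Eze';     Group = $null }
)
foreach ($u in $users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Name)'")) {
        # Prompt for the initial password instead of hard-coding it in the script.
        $pw = Read-Host -AsSecureString "Initial password for $($u.Name)"
        New-ADUser -Name $u.Name -SamAccountName $u.Name `
            -UserPrincipalName "$($u.Name)@$upnSuffix" -Path $ou `
            -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    }
    if ($u.Group) {
        # Idempotent: adding an existing member is not an error.
        Add-ADGroupMember -Identity $u.Group -Members $u.Name
    }
}

# Verify the result: one line per group with its direct members.
foreach ($g in $groups) {
    $members = (Get-ADGroupMember -Identity $g |
        Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0,-14} {1}' -f $g, $members
}
```

Run it as an account that can create objects in the target OU. Keeping the user-to-group mapping in one table at the top of the script makes the intended access model reviewable at a glance, which is the point of preferring groups over individual user assignments.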

Assign AD User Group Permissions to Folders on DS923+ NAS

I will be using the Global groups as this is sufficient to categorise users within the same domain who share common characteristics or require similar access levels.

Note: You could also use Global Group when you want to manage access to resources across different domains but keep the membership of the access control groups within a specific domain as mentioned above.

Note 2: You should assign Global groups to Domain Local groups when you need to grant access to resources in one domain based on the membership of users in Global groups from another domain. For example, if you have a file server in Domain A but want to control access using Global groups from Domain B, you can add the Global groups from Domain B to Domain Local groups in Domain A.

Now that we are happy with the Global groups we created in AD above, we have to assign permissions to the folders using those domain groups.

To do this, launch File Station on the Synology. Select the folder and select Properties as shown below.

Engineering folder

Click on Create to launch the “Permission Editor”.

Create permission

I will assign the IT Admin group to the Engineering folder with Read and Write access.

Assign read and write permission

Click on save to continue.

Right Assigned to folder

I will also do this for the Finance group and assign read and write access.

Finance group read write permission

Also for the HR Folder, I have the Read and Write Access associated to the HR Group.

HR Folder read write permission

Lastly, for the Public Folder, I will assign read only permission to this folder.

Read Only on Public Folders

Testing Folder Access

One of the methods to test this is by accessing the Synology NAS interface and logging in with a user account that belongs to the configured Active Directory group. I will be testing with the User “Alfred” as he belongs to the IT team.

User sign in

Enter the Password

Enter Password

As you can see below, the user has the R/W permission on the Engineering folder and as such can create Folders and files etc.

Users can create folder

Folder created

Folder created

But this user only has the Read Only permission on the Public folder. As such, he will not be able to create any object on it.

Note: The same applies to other users/group as they only have Read Only Access on this Folder.

Unable to create folder or files
We have shown how to manage User Permission on Synology with Active Directory. Here there is no write access for this user.

Test Access from a Client Machine with a Group Member

Log in to a Windows machine as a user who is a member of FinanceGroup. You can access the shared folders of your Synology NAS via File Station, SMB, AFP, FTP, etc.

Use a computer to connect to your Synology NAS. To do this, we sign in as Matthew, a member of the Finance group.

Sign-in as matthew

Access the shared folder (e.g., \\NAS_IP\Finance_Folder or \\Server-Name\Finance_Folder) via File Explorer.

Access shared folder

Click OK.

Shared folder access

We have to verify that the user can read, write, and modify files as per the permissions assigned. So let us try to create a folder and a text file.

Create Folders

As you can see, we were able to create the folder and file due to R/W permission.

Here you can create folders and files

Note: You can also map the folder for easy access in the future.

Map network drive

Let us access the Public folder. Remember we have R/O permission assigned.

Access Public folders

As you can see below, we do not have the permission to perform this task.

Access denied due to read only

Let us try to access a different folder we do not have permission to, say the “Engineering” folder. As you can see below, access is denied. But if we provide credentials that have access to this folder, we will be granted access.

Access another folder - no permission, access is denied. But you can supply the right credentials and connect
This demonstrates the steps to effectively Manage User Permission on Synology with Active Directory

Test Access with a Non-Group Member

We have a user created in AD who does not belong to the Finance group. Therefore, he should not have access to the folder(s).

Test with Eze to see if he has permission

Log in to a Windows machine as a user who is not a member of FinanceGroup; I will use the user “Eze”.

Accessing as Eze

Attempt to access the shared folder by connecting to the NAS (\\NAS_IP\Finance_Folder or \\Server-Name\Finance_Folder). Access will be denied. But if you provide the right credentials, access will be granted.

This verifies that the user either has restricted access or is denied access, based on the permissions configured. If you are prompted to enter login credentials, type the following:

  • Username: Add your domain name and a backslash before your domain username, e.g., “techdc01\christian”.
  • Password: Enter the password of the domain user account.
Access denied

Note that you can still connect to the Synology NAS.

connect to your Synology NAS
Note: Always access the UNC path with the FQDN, which resolves to an IP address across networks, instead of just the NetBIOS name shown in this image; NetBIOS is a broadcast technology that works only on the LAN.

Viewing is possible, but no access. As this guide has shown, managing User Permission on Synology with Active Directory offers a myriad of benefits that streamline operations, bolster security, and enhance scalability, as discussed above.

Viewing possible but no access
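The client-side checks in the two testing sections above (read/write on the group's own share, read-only on Public, access denied elsewhere, and connecting with explicit DOMAIN\user credentials) can be repeated in one go from a Windows client. The script below is an added example of mine, not code from the article; the NAS FQDN, the share names and the expected outcomes are assumptions that match the article's layout and must be adjusted to your own.

```powershell
# Use the FQDN, not the NetBIOS name, so the path resolves across networks.
$nas = 'nas01.example.local'   # placeholder FQDN

# Expected outcome per share for the account under test (here: Matthew, financeGroup).
$expected = @{
    'Finance'     = 'RW'    # financeGroup has read/write
    'Public'      = 'RO'    # everyone has read-only
    'Engineering' = 'NONE'  # ITAdminGroup only: expect access denied
}

function Test-ShareAccess {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Share,
        [pscredential] $Credential    # optional, e.g. Get-Credential 'techdc01\matthew'
    )
    $root   = "\\$Server\$Share"
    $result = [ordered]@{ Share = $Share; List = $false; Write = $false; Error = $null }
    $drive  = 'NASTEST'   # temporary, non-persistent PSDrive so explicit credentials can be supplied

    $params = @{ Name = $drive; PSProvider = 'FileSystem'; Root = $root; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    try {
        New-PSDrive @params | Out-Null
        Get-ChildItem "${drive}:\" -ErrorAction Stop | Out-Null   # read: directory listing
        $result.List = $true
        # write: create and remove a uniquely named probe file
        $probe = "${drive}:\acl-probe-$([guid]::NewGuid()).txt"
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        $result.Write = $true
    } catch {
        $result.Error = $_.Exception.Message   # "Access is denied" for RO writes and no-access shares
    } finally {
        Remove-PSDrive -Name $drive -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

# Without -Credential the logged-on user's Kerberos ticket is used (the Matthew test);
# pass -Credential to repeat the run as another account, such as Eze, without logging out.
foreach ($share in $expected.Keys) {
    $r        = Test-ShareAccess -Server $nas -Share $share
    $observed = if ($r.Write) { 'RW' } elseif ($r.List) { 'RO' } else { 'NONE' }
    $verdict  = if ($observed -eq $expected[$share]) { 'OK' } else { 'MISMATCH' }
    '{0,-12} expected {1,-4} observed {2,-4} {3}' -f $share, $expected[$share], $observed, $verdict
}
```

Two caveats from running this on real clients: Windows allows only one set of credentials per server at a time, so a run with -Credential fails if an existing session to the same NAS is open under another account (close it with `net use \\<fqdn>\<share> /delete` first); and once a share checks out, `New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$nas\Finance" -Persistent $true` is the scripted equivalent of the "Map network drive" step shown above.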

I hope you found this article very useful on “Manage User Permission on Synology with Active Directory [Part 1]”. Please feel free to leave a comment below.

The post Manage User Permission on Synology with Active Directory [Part 1] appeared first on TechDirectArchive.

