Overview
The itopia CAS admin console (cas.itopia.com) allows administrators to create network shares, folder structures, and mapped drives for Cloud Desktop users. Every Cloud Desktop deployment includes a file server (either a Windows file server or a NetApp Cloud Volume managed file share); the Network Shares module in the CAS admin console can create root shares, subfolders, user permissions, and drive mapping rules for each share.
NOTE: Before October 2020, the Network Shares module was called the Folders/Shares module. The behavior of the module has changed significantly; however, any folders/shares created with the previous module will continue to work.
Understanding File Server Types
When you create a Cloud Desktop deployment, the CAS Deployment Wizard asks you to select a file server type: dedicated Windows File Server, NetApp Cloud Volume, or file shares on the first User Session Server in each region. Using file shares on the User Session Server is only recommended for very small deployments, but functionally it is similar to a dedicated Windows File Server; for our purposes, we will consider these two options to be the same.
Windows File Server
When using a Windows File Server, CAS attaches a data disk to the file server (either a dedicated server or the User Session Server) and mounts it to the D: drive. On this drive, CAS creates two root folders: Profiles and Customer Data. The Profiles folder is used for storing FSLogix Profile Containers (for Collection Pools that leverage it), and the Customer Data folder is used for network shares created in the Network Shares module.
When using a Windows File Server, the Network Shares module has no shares created by default. You can create one or more shares in the module; each share will create a "root" folder under D:\Customer Data on the file server.
As a best practice, Microsoft recommends using file permissions rather than share permissions to control user access. Therefore, the share permissions are configured to permit all authenticated users read/write access, but users have no file permissions by default. Only users/groups that you explicitly grant permissions in the Network Shares module will have access. The file server's Administrators group will also have access to the file share, which implicitly includes the Domain Admins group.
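Because the share permissions are intentionally open, the file permissions on each share root are the only effective access control. The following PowerShell is an added example, not itopia's code, that lists both layers side by side for every share under D:\Customer Data; the list of "broad" principals to flag is an assumption to adjust for your domain.

```powershell
# Added example: run in an elevated PowerShell session on the Windows file server.
$DataRoot = 'D:\Customer Data'   # root folder named in the article

# Principals treated as "broad" at the file-permission layer (assumed review list).
$Broad = '^Everyone$|\\(Authenticated Users|Users|Domain Users)$'

Get-SmbShare | Where-Object { $_.Path -like "$DataRoot\*" } | ForEach-Object {
    $share = $_

    # Share-level ACL: expected to be wide open by design.
    $shareAcl = (Get-SmbShareAccess -Name $share.Name | ForEach-Object {
        '{0}:{1} {2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
    }) -join '; '

    # File-level ACL on the share root: this is what actually gates access.
    foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Share     = $share.Name
            ShareAcl  = $shareAcl
            Identity  = $who
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # A broad principal here means the open share ACL is no longer backstopped.
            Review    = ($who -match $Broad)
        }
    }
} | Sort-Object Share, Identity | Format-Table -AutoSize -Wrap
```

Any row with Review set to True is a file permission that grants access to a wide population and deserves a second look.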
NetApp Cloud Volumes
When using NetApp Cloud Volumes, CAS provisions an SMB Cloud Volume to provide file share services. Because of the architecture of Cloud Volumes, the volume itself is a network share, and it is not possible to create multiple shares. However, you can still create subfolders, set permissions, and assign mapped drives with Cloud Volumes just as you can with Windows File Servers.
The Domain Admins group has administrative access to the network share and any files and folders contained therein.
Understanding Drive Mappings
CAS manages drive mappings using Group Policy Preferences (GPPs). In your deployment's Active Directory, CAS creates a GPO named itopia - CAS Mapped Drives. When you create a mapped drive and assign it to users and groups, itopia performs several tasks:
Creates a new administrative security group in Active Directory
Assigns the selected users and groups as members of the administrative group
Creates a new GPP entry that maps the administrative group to the network share using the drive letter specified
Using the Network Shares module, mapped drives can only be created to root-level shares, not to subfolders; this helps prevent confusion where users may be assigned multiple drive mappings to the same folders and subfolders. If you wish to create mapped drives directly to subfolders, you may manually configure Group Policy Preferences to do so. Information on drive mapping via Group Policy Preferences is available from Microsoft.
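To review what the GPO actually delivers, you can read its Drive Maps preference file from SYSVOL. This added example (not itopia's code) assumes each entry is scoped to its security group with item-level targeting, lists the letter, path, and group for every entry, flags paths that are not root-level shares, and reports users who would receive the same drive letter from more than one entry.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory RSAT modules
# on a domain-joined host.
Import-Module GroupPolicy, ActiveDirectory

$gpo  = Get-GPO -Name 'itopia - CAS Mapped Drives'   # GPO name from the article
$dom  = $gpo.DomainName
$file = "\\$dom\SYSVOL\$dom\Policies\{$($gpo.Id)}\User\Preferences\Drives\Drives.xml"
[xml]$xml = Get-Content -LiteralPath $file -Raw

# One row per (drive entry, targeted group). Assumption: entries are scoped by a
# <FilterGroup> element; entries without one produce no row here.
$rows = foreach ($d in $xml.Drives.Drive) {
    foreach ($fg in @($d.Filters.FilterGroup | Where-Object { $_ })) {
        [pscustomobject]@{
            Letter    = $d.Properties.letter
            Path      = $d.Properties.path
            Group     = $fg.name
            GroupSid  = $fg.sid
            # The module maps only root shares (\\server\share); deeper paths were added by hand.
            RootShare = $d.Properties.path -match '^\\\\[^\\]+\\[^\\]+\\?$'
        }
    }
}
$rows | Sort-Object Letter, Group | Format-Table -AutoSize

# Drive-letter collisions: users who receive one letter for more than one path.
foreach ($set in $rows | Group-Object Letter | Where-Object Count -gt 1) {
    $hits = foreach ($r in $set.Group) {
        # -Recursive follows the nesting of selected groups inside the mapping group.
        Get-ADGroupMember -Identity $r.GroupSid -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ User = $_.SamAccountName; Path = $r.Path } }
    }
    $hits | Sort-Object User, Path -Unique | Group-Object User |
        Where-Object Count -gt 1 | ForEach-Object {
            '{0}: user {1} is assigned {2}' -f $set.Name, $_.Name, ($_.Group.Path -join ' and ')
        }
}
```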
Using the Module
The Network Shares module deals with four key concepts:
Network Shares - When using a Windows File Server, administrators can create multiple network shares in their CAS deployment; each share gets a dedicated folder under D:\Customer Data on the File Server. Deployments using NetApp Cloud Volumes can only have a single share, but subfolders, permissions, and mapped drives are otherwise similar to Windows File Servers.
Subfolders - Under each network share, administrators can create one or more subfolders. These subfolders are standard Windows folders, and they can also be created, deleted, or managed outside of CAS just like any other folder.
Permissions - CAS can apply standard Windows file permissions to network shares and subfolders (but not to individual files). As with subfolders, these permissions are standard access control lists (ACLs) on the folders in the network share, and they can also be created, deleted, or managed outside of CAS just like any file permissions.
Mapped Drives - For each network share, you can create one or more mapped drives and assign them to users or groups. Mapped drives will show up in users' desktops with the drive letter you specify, and they will have the permissions that you assign in the module.
To illustrate the concepts above, let us configure an example environment: we will create a new network share called Accounting, create a subfolder named Invoices underneath this share, apply permissions to the share and the subfolders, and finally create a mapped T: drive for a security group named Accounting Department.
Accessing the Network Shares Module
Log in to the CAS admin console (cas.itopia.com) as an administrator with at least Deployment Editor permissions. You may also use a custom admin role that has create/edit permissions to the Network Shares module.
In the left-hand menu, navigate to Cloud Desktops → Network Shares.
The module will list your File Server and, for Windows File Servers, the Data Root Path, which is the physical path in which the share data is stored.
Creating a Share (Windows File Server only)
Click the Create Share button.
In the Create Share window that appears, provide the following information and click Create:
Share Name: Provide a name for your share. Your users will see this name on their mapped drive. For our example, we would specify Accounting.
Region: If you have a multi-region deployment, select the region in which to create the share.
Creating a Mapped Drive
With the new share selected, click the Create button under Mapped Drives.
In the Create Drive Mapping window that appears, configure the following and then click Create:
Select one or more individual users and/or security groups to which to assign the mapped drive. For our example, we would select the Accounting Team security group.
Select a Drive Letter. For our example, we would specify Drive T.
NOTE: If you assign the same user or groups multiple mapped drives using the same drive letter, only the last-added drive will appear for them. Be sure to use unique drive letters for each mapped drive assigned to the same users or groups.
When you create a mapped drive, CAS automatically assigns read/write permissions for the users and groups you selected. You can see these permissions reflected in the Folder Permissions section of the share details. In our example, if you wished to make the Accounting Department's access read-only, you would select the permissions entry, click Edit, and change the permission to Read.
Creating a Subfolder
With the new share selected, click the Create Folder button.
In the Create Folder window that appears, configure the following and then click Create:
Folder Name: specify a name for the folder. For our example, we specify Invoices.
Inherit permissions from parent folder: If you enable this setting, the folder will copy any inheritable permissions assigned to its parent folder (in this case, the Accounting share); if you do not enable this setting, the new folder will have no permissions except those assigned using the Folder Permissions section of the module. For our example, we will enable this setting to allow the folder to include any permissions granted to the share.
The folder will be created underneath the share. You may continue to add folders and subfolders as desired; simply make sure to select the appropriate object in the directory tree before clicking Create Folder.
Setting Permissions
Select a folder (or a root share) from the directory tree on the left-hand side. CAS will enumerate the folder's existing permissions and display them in the Folder Permissions section of the module. To continue our example, we will select the newly-created Invoices subfolder.
With the folder selected, click the Create button under Folder Permissions to create a new permissions entry.
In the Create File Permissions window that appears, configure the following and then click Create:
Select the Users and/or Groups for which you wish to define permissions. For our example, we will again select the Accounting Department security group.
Permissions: Select whether to grant read, read/write, or full control permissions. Users with full control can edit the permissions on the folder (and subfolders and files) from within their Cloud Desktop. For our example, we will select Write permissions; thus, the Accounting Department group will have read-only access to the Accounting share, but will have read/write access to the Invoices folder.
Inheritance: Select whether this permission should be applied only to: this folder; the folder and the files directly in the folder; or to the folder, files, and subfolders. For our example, we will select Files, folders, and subfolders to grant permission to all child objects.
If you selected multiple users and/or security groups when creating the permission, you will see a separate entry appear for each of them; this makes it easy to edit and delete permissions later for only a single user or group without affecting permissions for others.
Considerations for the Network Shares module
When using the Network Shares module, it is helpful to remember the following:
CAS does not support adding deny permissions. To simplify the permissioning process, CAS only allows the creation and editing of "allow" permissions from the module. If you wish to assign "deny" permissions, you may do so from within Windows, directly on the file share or subfolder.
CAS does not delete any data. When you select a share and click Delete, CAS will remove any mapped drives for the share and will remove the share information from the file server; however, the shared folder itself and all subfolders will remain intact. If you wish to delete the data, you may do so from within Windows. Similarly, folders and subfolders cannot be deleted from the Network Shares module and must also be deleted from within Windows.
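Since deny entries and other ACL changes can be made directly in Windows, and users with full control can edit permissions from their Cloud Desktop, a periodic review of the folder tree is useful. This added example (not itopia's code) walks D:\Customer Data and reports explicit, non-inherited entries that are deny rules or that let a non-administrative principal change permissions; the list of administrative principals is an assumption.

```powershell
# Added example: run in an elevated PowerShell session on the Windows file server.
$DataRoot = 'D:\Customer Data'   # root folder named in the article

# Principals expected to hold administrative rights (assumed baseline, edit to suit).
$Admins     = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
$ChangePerm = [System.Security.AccessControl.FileSystemRights]::ChangePermissions

$findings = Get-ChildItem -LiteralPath $DataRoot -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        $acl    = Get-Acl -LiteralPath $folder

        # Only explicit entries: inherited ones are reported once, at their source folder.
        foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
            $who    = $ace.IdentityReference.Value
            $reason = @(
                if ($ace.AccessControlType -eq 'Deny') { 'deny entry' }
                if ($ace.AccessControlType -eq 'Allow' -and
                    $ace.FileSystemRights.HasFlag($ChangePerm) -and
                    $who -notin $Admins -and $who -notmatch '\\Domain Admins$') {
                    'can change permissions'
                }
            )
            if ($reason.Count -gt 0) {
                [pscustomobject]@{
                    Folder             = $folder
                    Identity           = $who
                    Rights             = $ace.FileSystemRights
                    Reason             = $reason -join ', '
                    # True when the folder does not inherit from its parent.
                    InheritanceBlocked = $acl.AreAccessRulesProtected
                }
            }
        }
    }

$findings | Sort-Object Folder, Identity | Format-Table -AutoSize -Wrap
```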