100%
GRIMOIRE
GrimoireDindon CorpusSynthesis VolumesThe Foundation of Iron
FRENAR
RATIO
THE FOUNDATION OF IRON · COURSE MATERIAL · WEEK 12
◆◆◆
WINDOWS SERVER
LOCAL ADMINISTRATION
Week 12 of 26 · Block 5 — Bare Metal OS
8h theory · 27h practice
◆ WEEKLY LEARNING OBJECTIVES

1. Create and manage local users and groups on Windows Server
2. Manage NTFS permissions on files and folders
3. Configure network resource sharing
4. Use Windows Event Viewer for diagnosis
5. Administer a Windows server in standalone mode, without a directory

◆◆◆
⚠ SEQUENCING NOTE — GPOs ARE NOT IN THIS MODULE

Group Policy Objects (GPOs) are taught in Week 23, immediately after Active Directory (Week 22), of which they are a direct feature. This week covers local administration only — local accounts, NTFS permissions, sharing — with no directory or group policy.

Amine RAITI · Infrastructure Architect & SRE
Public document · CC BY-NC-SA 4.0 · AI Powered by Amine
Opération Dindon
RATIO
COURSE OUTLINE · 8H
THEORY GUIDING THREAD
12.1 · Local users and groups2h
— Windows security model: SID (security identifier), difference between a local account and a domain account (the domain comes in Week 22)
— Built-in local groups (Administrators, Users, Backup Operators) and their use
— Direct parallel with Linux users/groups from Week 9 — same logic, different implementation
12.2 · NTFS permissions3h
— Basic NTFS permissions: read, write, execute, full control
— Permission inheritance: how a child folder inherits its parent's permissions
— Difference between NTFS permissions (local, on disk) and share permissions (network) — they combine
— Link with the Linux permission model from Week 8 — same concept, different granularity
12.3 · Network shares2h
— Creating a network share (UNC path: \\server\folder)
— Share permissions vs NTFS permissions — the effective permission is the most restrictive of the two
— Verifying access from another machine on the network
12.4 · Windows Event Viewer1h
— Event Viewer: System, Application, Security logs
— Reading an event (ID, source, level, description) — parallel with Linux logs from Week 9
RATIO
EXERCISE 1 · LOCAL USERS AND NTFS PERMISSIONS · 14H

Equipment: the Windows Server system installed in Week 11, a provided company scenario (5 user accounts, 3 groups, shared folder structure).

(2h) Creating the 5 user accounts and 3 local groups from the scenario, via the GUI (Computer Management) then via PowerShell for the same operations — comparing both approaches.
(3h) Creating the scenario's folder structure, assigning NTFS permissions by group for each folder (one group only has access to its own folders).
(3h) Access testing: logging in with each user account, verifying that granted access works and that non-granted access is denied.
(3h) Configuring a network share for the main folder, testing access from a second machine (or from the same machine via the UNC path).
(3h) Exploring the Security Event log to find traces of successful logins and denied access attempts made during the tests.
SOLUTION — EXERCISE 1

Expected NTFS permissions check: use the Security tab in a folder's properties to display a given account's effective permissions — the "effective permission" takes into account inheritance and group membership, not just explicitly visible first-level permissions.

Expected Security log trace: denied access attempts generate an event with a specific ID (to be identified on the version in use) in the Security log — this exercise anchors the importance of logs for security diagnosis and auditing.

RATIO
EXERCISE 2 · ADVANCED ADMINISTRATION AND DIAGNOSIS · 13H

Equipment: the system configured in Exercise 1.

(3h) Full user and group administration via PowerShell only: list accounts, change a user's group, disable then re-enable an account.
(3h) NTFS permission management via PowerShell (Get-Acl, Set-Acl): read a folder's permissions, add an access control entry for a new group.
(4h) Diagnosis exercise: the instructor introduces 3 configuration problems (a user cannot access a folder they should be able to read, a network share is inaccessible from outside, a service is denied). The trainee must diagnose each problem using the Event Viewer and PowerShell tools, then fix it.
(3h) Writing a short diagnosis report documenting each identified problem, its cause and its resolution.
SOLUTION — EXERCISE 2

Suggested problems for the diagnosis exercise: missing NTFS permission for a group (observable with Get-Acl); share permission more restrictive than the NTFS permission (effective permission is always the most restrictive of the two); misconfigured service with an unsatisfied dependency (visible in the System log).

◆ SUMMARY SHEET — WEEK 12 SELF-ASSESSMENT
1. I can create and manage local Windows users and groups.
2. I can read and modify NTFS permissions on a folder.
3. I understand the most-restrictive-permission rule (NTFS + share).
4. I can create and test a Windows network share.
5. I can administer users and permissions via PowerShell.
6. I can navigate the Event Viewer and filter by log.
7. I can find the trace of a denied access in the Security log.
8. I can diagnose and fix a permission or sharing problem.