Windows File Servers

EmpowerID allows you to add Windows Servers as a managed resource system for file share management, providing you with automated role-based access control, delegated permissions administration, and self-service workflow-based access requests for those shares with a full audit trail. Once a server has been added as a resource system, and the Management Agent Server is set to the EmpowerID Server running the EmpowerID Windows Agent, EmpowerID will continuously inventory and monitor the server to discover new shared folders as they appear and to detect all permissions changes against those objects. This provides complete visibility over what shared folder resources exist and who may access them and in what capacity.

Before you can add a Windows File Server to EmpowerID as a managed resource system, EmpowerID must first be connected to Active Directory. For the details, see Connecting to Active Directory.

Additionally, for EmpowerID to have the necessary NTFS permissions to create shared folders, you must associate the Windows Server Management Web Service job with a service account that is a domain user with administrator rights on the server hosting the shared folders. The password for that account must be vaulted in EmpowerID. For more details, see Configuring the EmpowerID Windows Server Agent Account.

How to add Windows File Servers

  1. On the navbar, expand Admin > Applications and Directories and click Account Stores and Systems.

  2. On the Account Stores page, click the Actions tab and then click Create File Share Resource System.


  3. On the Select File Server Computer page, search for your file server.

  4. Click the record for that server to select it and then click Submit.


  5. EmpowerID creates the Windows File Server resource system.

  6. On the Find Account Store page, click the Resource Systems tab, search for the Windows File Server that you just created and then click the Display Name link for it.


  7. From the Resource System > Resource System Info tabs of the Account Store Details page that appears, click the Edit link for the file server resource system to put it in edit mode.


  8. On the edit page, select the Projection tab and then select Group Membership Projection Enabled. This ensures that EmpowerID evaluates who should be members of what Resource Role groups on a regularly scheduled basis.


  9. Select the Enforcement tab and do the following to specify the type of rights enforcement to be applied to any Resource Role groups created by EmpowerID for the shares on the file server. (This process determines who should have access to shares on the server based on their assignments to Access Levels in EmpowerID and is enforced using special domain local groups known as "Resource Role Groups". See Projection and Enforcement for more information about this process.)

    • Enforcement Type — Select one of the following enforcement options:

      • No Action — No rights enforcement action occurs.

      • Projection with No Enforcement — Adds people to Resource Role Groups in EmpowerID, but does not grant these permissions on the server.

      • Projection with Enforcement — Adds people to Resource Role Groups in EmpowerID and grants the roles to the Resource Role Groups. This is the recommended setting.

      • Projection with Strict Enforcement — This removes any assignments to groups that occur outside of EmpowerID. If someone is added to a group independently of EmpowerID, they are removed from the group by EmpowerID.

    • Rights Enforcement Enabled — Select to enable the chosen enforcement on the file server.

    • Schedule — Click the Start and End fields and select the desired start and end date for enforcement.

    • Interval — Select how often you want the enforcement job to run against the file server.

  10. Click Save.
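
The following PowerShell script is an added example, not EmpowerID code. It records the share-level and NTFS root permissions on the file server before enforcement is enabled, and checks the administrator-rights prerequisite for the service account. The server name FS01, the account CONTOSO\svc-empowerid and the output folder are placeholders, and the script assumes PowerShell remoting is enabled on the server.

```powershell
# Added example, not EmpowerID code. FS01 and CONTOSO\svc-empowerid are placeholders.
param(
    [string]$ComputerName   = 'FS01',
    [string]$ServiceAccount = 'CONTOSO\svc-empowerid',
    [string]$OutDir         = '.\share-baseline'
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cim = New-CimSession -ComputerName $ComputerName

try {
    # User-created shares only; -Special $false skips C$, ADMIN$ and IPC$.
    $shares = @(Get-SmbShare -CimSession $cim -Special $false | Where-Object Path)

    # Share-level ACEs: which accounts and groups hold which right on each share.
    $shareAccess = $shares | ForEach-Object {
        Get-SmbShareAccess -CimSession $cim -Name $_.Name
    } | Select-Object Name, AccountName, AccessControlType, AccessRight

    # NTFS ACEs on each share root, read on the server itself.
    $ntfs = Invoke-Command -ComputerName $ComputerName -ArgumentList (,$shares.Path) -ScriptBlock {
        param([string[]]$Paths)
        foreach ($p in $Paths) {
            (Get-Acl -LiteralPath $p).Access | Select-Object @{n='Path';e={$p}},
                @{n='Identity';e={"$($_.IdentityReference)"}},
                @{n='Rights';e={"$($_.FileSystemRights)"}},
                @{n='Type';e={"$($_.AccessControlType)"}}, IsInherited
        }
    }

    # Direct members of BUILTIN\Administrators (well-known SID, language independent).
    $admins = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.Name }
    }
}
finally { Remove-CimSession $cim }

# Keep the CSV files as the pre-enforcement record of who could reach each share.
$shareAccess | Export-Csv (Join-Path $OutDir 'share-access.csv') -NoTypeInformation
$ntfs | Select-Object Path, Identity, Rights, Type, IsInherited |
    Export-Csv (Join-Path $OutDir 'ntfs-root-acl.csv') -NoTypeInformation

if ($admins -contains $ServiceAccount) {
    "$ServiceAccount is a direct member of Administrators on $ComputerName"
} else {
    # Not conclusive: the account may hold admin rights through a nested group.
    Write-Warning "$ServiceAccount is not a direct member of Administrators on $ComputerName"
}
```

The groups listed in share-access.csv are the ones to review before choosing Projection with Strict Enforcement, since memberships added to Resource Role Groups outside EmpowerID are removed under that setting.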