Departmental File Share (s.sfsu.edu) Guide

The departmental file share, s.sfsu.edu, should be used for documents that should not be lost if an employee separates from the university. Each unit on campus has a share on s.sfsu.edu. Access to individual shares and folders is controlled by Active Directory security groups. Security groups are managed locally by each unit via the campus gateway. For information on other storage options, please see the File Storage Guide.

 

 


How Do I:

Connect to a Share

Windows

  1. Open Windows File Explorer
  2. In the list of locations, right click Computer/My Computer/My PC
  3. Select Map Network Drive
  4. In the Folder field enter: \\s.sfsu.edu\[your share]
  5. If your computer is NOT joined to AD, select Connect using different credentials
  6. Select Finish. If your computer is joined to AD, it will automatically pass your credentials and log you in. If you are not joined to AD, you will need to provide your credentials, in the form of:
    Login: [SF State ID]@sfsu (e.g., 900000000@sfsu)
    Password: SF State password

Map Network Share

Macintosh

  1. In Finder, select the Go menu, and choose Connect to Server
  2. Enter the server address: smb://s.sfsu.edu
  3. Click Connect
  4. When prompted, select Registered User and enter your SF State ID and Password in the Name and Password fieldsName and Password Fields
  5. Select the share (volume) you wish to connect to and click OK. The folder will now appear in the finder
  6. Optional: View the share folder on the desktop:
    • With the Finder still active select Finder > Preferences
    • On the General tab check Connected Servers
    • Close Finder Preferences

 

Check Share Quota

 

In Windows, connect to your share. Right click on the drive and select Properties. Under the General tab, it will show you the used and free space available.

Initial quota size for each Departmental Share is set to 2 TB. Upon request the quota can be increased. To request the same, please submit a Service Request to the Systems Team with a Cc. to the Associate Vice President & Chief Technology Officer, Information Technology Services (ITS). The Service Request must include business justification for the increase in quota size and should be submitted by the Department Head (MPP level or above).

 

 

Advanced Users

Manage Group Membership via the SF State Gateway

Delegated administrators and subfolder administrators are responsible for the adding and removing of users from the security groups they administer. Using the gateway (https://gateway.sfsu.edu):

  1. Select IT Services
  2. In the Security Groups section, locate the group you wish to edit and click Edit
  3. To add user(s):
    1. Enter their SF State e-mail address in the Add Member(s) box, separate multiple addresses with a semi-colon
    2. Click Add Member(s)
  4. To remove user(s):
    1. Find the users email address in the list and click the Remove link
  5. When finished, click Save to save your changes

 

Recover Data

Daily snapshots of files are created between midnight and 1:00 a.m. The snapshots are retained for 60 days. To recover a lost or corrupted file or folder:

  1. Using Windows File Explorer, locate the parent folder containing the missing/damaged items
  2. Right click the folder and select Properties
  3. Select the Previous Versions tab
  4. Highlight the folder/date to which you want to restore
  5. To overwrite the existing folder with the previous version, click Restore and approve the destruction of the current folder
  6. To restore just a file or to create a backup of the previous folder contents, click Open and copy the temporary folder contents to a new location

 

Retention Schedules

Records should be retained for only as long as they are valid, useful, and required to be retained. All data uploaded should follow existing CSU policy and executive orders regarding Records Retention and Disposition Schedules.

Please see section 4 of the Student Privacy Rights Policy and Procedure for Student Records Retention policy, and the CSU Records Retention & Disposition Schedules for the following areas:

  • Personnel/Payroll
  • Fiscal
  • Environmental Health and Safety
  • Student Records
  • Facilities
  • University Police
  • University Advancement
  • Academic Personnel
  • Curriculum & Accreditation
  • Research & Sponsored Programs
  • Institutional Records

 

Business Continuity and Disaster Recovery

For Departmental Shares:

  • Daily snapshots of files are created between midnight and 1:00 a.m.
  • 60 daily snapshots are available
  • Snapshots are copied off-site for disaster recovery

 

Delegated Administrators

Create Groups

Security groups can be maintained either under the delegated organizational unit (OU) with ADUC (Active Directory Users and Computers), or under the Group OU with Gateway.

 

AD Security Group Naming Conventions

Portal maintained groups must follow this structure: SFS-s-"share"-"folder"-"subfolder"-"subsubfolder"- "access" where:

  • share is your top level share
  • folder is your sub-unit – netops, strategic, etc.
  • subfolder is your team or secondary unit, if you have one
  • subsubfolder is a folder in your area that you want to set more granular permissions on “access” is the type of access this group will grant:
  • access can be rw - read and write, ro - read only, or ls – list folders

Note that the separator for the group name is a dash “-“ and not an underscore “_”.

 

Create New Security Groups via Gateway

Open your web browser and go to the following URL: https://gateway.sfsu.edu/staff/IT-services. Log in and go to the Security Groups section. Click “Request New Group”.

 

Create new Security Groups

 

Enter in the Group ID (your group name, following the naming convention). The Display name should match the Group ID for file share groups. Check the File Share option for Use type. Mail enabled should be set to No. Enter in the email address of the primary person who will manage this group. Click “Submit”.

 

Security Group request

 

This process currently requires manual approval. A Footprints ticket will be created. Once approved, the group will be created and will be accessible through Gateway. After the group is created, edit the group and add in your designated alternate administrator.

 

Assign Folders to Groups

While creation and maintenance of groups and group membership can be done through Gateway, assignment of groups to folder permissions can only be performed via Windows.

 

To assign permissions, open File Explorer and navigate to the subfolder in the share that you want to change. Right click on it and choose Properties. Select the Security tab.

 

Testing Properties

 

Click Edit.

 

Permissions for Testing

 

To remove access for a group, select the group or user name and click Remove. To add a group, click Add and enter in the group name. Be sure to click the Check Names button to verivy the group exists. Click OK.

 

Select Users, Computer, Service Accounts or Groups

 

For a read only group, ensure that the only permissions checked for that group allow for “Read & execute”, “List folder contents”, and “Read”.

 

Permissions for folder

 

For an read and write group, ensure that Allow is checked for “Read & execute”, “List folder contents”, and “Read”. In addition, add Allow checks for “Modify” and “Write”.

 

Permissions for folder

 

 

Communicate Structure to Users

Storage for departments is managed through delegated administration. Top-level shares are assigned to a units based upon the university organization structure. The unit head assigns a delegated administrator and alternate to manage the top-level access and oversee storage use for the unit. The delegated administrator creates folders based upon organizational needs and associates security groups and permissions to the folders. The subfolder administrator manages group membership through the SF State Gateway. Delegated administrators can delegate some of their activities to subfolder administrators but must not give others top level access. Delegated unit administrators are responsible for communicating who is responsible for the unit’s roles.

Once assigned, the delegated administrator will perform the following functions for their department/unit:

  • Manage unit subfolders
  • Create AD groups following naming conventions
  • Update AD group managers upon employee separation
  • Assign groups to subfolders and set permissions
  • Assist with recovering files from snapshots
  • Communicate unit roles and responsibilities

 

Roles and Responsibilities

Roles and Responsibilities
Roles Responsibilities
ITS Systems
  • Manage unit delegated administrator permissions and quotas
ITS Help Desk
  • Provide support to delegated administrators
Unit head
  • Assigns delegated unit administrator and alternate
  • Update delegated unit administrator upon employee separation
Delegated unit administrator & alternate
  • Manage unit folders
  • Create AD groups following naming conventions
  • Update AD group managers upon employee separation
  • Assign groups to subfolders and set permissions
  • Assist with recovering files from snapshots
  • Communicate unit roles and responsibilities
Folder administrator & alternate
  • Manage unit subfolders
  • Add and remove group members using gateway.sfsu.edu
  • Update AD group membership upon employee separation
  • Manage list, read, and write subfolder access records
  • Manage subfolders and custom permissions
Subfolder administrator & alternate (optional)
  • Add and remove group members using gateway.sfsu.edu
  • Update AD group membership upon employee separation
  • Manage list, read, and write sub-subfolder access records
  • Manage sub-subfolders and custom permissions

 

Manage Membership Using Active Directory Users and Computers (ADUC)

The advanced user may prefer to use ADUC for group management. ADUC is part of the Windows Remote Systems Administrator tools. Download links for your appropriate client version, along with instructions, can be found here:  http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx

 

Note: Before you can manage your groups with ADUC, they will need to have some parameters changed. This is a limitation of the way Gateway creates the groups. A more streamlined solution is being investigated.

 

Once you start ADUC, navigate to ad.sfsu.edu\Groups\Resources\Shares\ and you will see the file share groups. Double click on the group you want to modify, click on the “Members” tab and you’ll see a list of all members in that group. Use the “Add” and “Remove” buttons below as desired. More advanced functionality, like nesting of groups, can only be done here.

 

SFS Properties

 

Litigation Holds

SF State reserves the right to remove, inspect and audit uploaded files without notice as part of its routine maintenance and for matters that affect the security of SF State data. Accounts may be suspended in the event of litigation or subpoena. Typically any data subject to a litigation hold or subpoena is copied, so that shared use of the data in question can continue without interruption to work processes.