A complete scan to folder setup for Windows Active Directory environments
From the file server side to the MFP side — the share, the AD service account, the SMB version negotiation, and the per-user destination logic that makes scan-to-folder work reliably in 2026.
Scan-to-folder is one of the most-used MFP features in office environments and one of the most fragile when configured carelessly. Windows tightened SMB security through 2023-2025 (deprecation of SMB1, mandatory signing, encryption requirements in some scenarios), breaking many MFP configurations that worked for years. This guide walks through the configuration that works on current Windows Server and AD environments — the share permissions, the service account, the MFP-side configuration, and the gotchas that consume IT time.
The three-component architecture
What you are building
File Server (Windows Server 2019+)
├── SMB share: \\fileserver\Scans
│   ├── NTFS folder: D:\Shares\Scans
│   ├── Share permission: SCAN-MFP-Users → Change
│   └── NTFS permission: SCAN-MFP-Users → Modify
│
Service Account
├── AD user: svc-mfp-scan (password-never-expires)
├── Member of: SCAN-MFP-Users group
└── No interactive logon rights (recommended)
│
MFP
├── SMB destination: \\fileserver\Scans
├── Credentials: svc-mfp-scan
├── SMB version: 3.0 (preferred) or 2.1 minimum
└── Per-user subfolder logic: optional
Step-by-step setup
Create the destination folder and SMB share on the file server
On the Windows file server, create a folder at D:\Shares\Scans (path of your choice). Right-click → Properties → Sharing → Advanced Sharing. Share the folder as Scans with caching disabled (caching causes scan-to-folder to misbehave).
Create the service account in AD
In Active Directory Users and Computers, create a user account svc-mfp-scan. Set password-never-expires and deny interactive logon (Properties → Account → "Smart card is required for interactive logon" effectively does this, or use a GPO that restricts logon types through the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights). Be aware that the smart-card option also replaces the account's password with a random value, so an MFP configured with a known password will stop authenticating; the GPO route avoids this. Document the account in the office's privileged account inventory.
Create the security group for scan access
Create an AD security group SCAN-MFP-Users. Add the service account to this group. If using per-user destinations, also add the user accounts of staff who will scan.
Configure share permissions
On the Scans share Properties → Sharing → Advanced → Permissions: remove Everyone, add SCAN-MFP-Users with Change permission (not Full Control — Modify-equivalent is sufficient).
Configure NTFS permissions
Properties → Security tab: remove inherited permissions if necessary, then add SCAN-MFP-Users with Modify permission. The combination of Share=Change and NTFS=Modify produces effective Modify through the share: enough to create, read and overwrite scans, but without the Full Control rights (changing permissions, taking ownership) that would let the account reconfigure or wipe the share.
Verify SMB version compatibility
Run Get-SmbServerConfiguration in PowerShell on the file server. Confirm SMB2 is enabled (it is by default). Do NOT enable SMB1: it is deprecated and insecure. Most modern MFPs support SMB2 or SMB3; older devices may require a firmware update.
Configure the MFP scan-to-folder destination
On the MFP web admin interface, scan-to-folder section, add a new destination. Type: SMB (Windows). Server: fileserver or IP. Share name: Scans. Username: DOMAIN\svc-mfp-scan or UPN format svc-mfp-scan@empresa.local. Password: the service account password. Domain: the AD domain name.
Test by sending a scan
From the device touchscreen, scan a page to the new destination. Verify the file appears in the Scans share with the expected naming. Open the file from a workstation to confirm it is intact.
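The steps above, scripted end to end as an added example (not code from the original guide). It assumes a domain-joined file server with the ActiveDirectory module, the names used in this guide, and an "OU=Service Accounts" container that is an assumption; interactive logon denial is left to GPO as the step describes.

```powershell
# Added example, not from the original guide: provisions the share, group, service
# account and permissions from the steps above. The OU path is an assumption.
Import-Module ActiveDirectory

$FolderPath = 'D:\Shares\Scans'
$ShareName  = 'Scans'
$GroupName  = 'SCAN-MFP-Users'
$SvcAccount = 'svc-mfp-scan'
$Domain     = (Get-ADDomain).NetBIOSName
$ServiceOU  = 'OU=Service Accounts,' + (Get-ADDomain).DistinguishedName   # assumed OU

# 1. Group and service account. Interactive logon is denied separately through the
#    "Deny log on locally" user right in GPO, not through any attribute set here.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $ServiceOU
}
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    $Pwd = Read-Host -Prompt "Password for $SvcAccount" -AsSecureString
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Path $ServiceOU `
        -AccountPassword $Pwd -Enabled $true -PasswordNeverExpires $true `
        -CannotChangePassword $true -Description 'MFP scan-to-folder service account'
}
Add-ADGroupMember -Identity $GroupName -Members $SvcAccount

# 2. Folder and share: caching off, Change for the group only, Everyone removed.
New-Item -Path $FolderPath -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $FolderPath -CachingMode None `
        -ChangeAccess "$Domain\$GroupName" | Out-Null
}
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# 3. NTFS: drop inherited ACEs, keep SYSTEM and Administrators, give the group Modify.
$Acl = Get-Acl -Path $FolderPath
$Acl.SetAccessRuleProtection($true, $false)
$Inherit = 'ContainerInherit,ObjectInherit'
foreach ($Id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Id, 'FullControl', $Inherit, 'None', 'Allow')))
}
$Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$GroupName", 'Modify', $Inherit, 'None', 'Allow')))
Set-Acl -Path $FolderPath -AclObject $Acl

# 4. SMB version check: SMB2/3 must be on and SMB1 must stay off.
$Smb = Get-SmbServerConfiguration
if ($Smb.EnableSMB1Protocol) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
if (-not $Smb.EnableSMB2Protocol) { throw 'SMB2 is disabled; MFPs will not be able to connect' }
Get-SmbShareAccess -Name $ShareName
```

The final Get-SmbShareAccess output should list only SCAN-MFP-Users with Change; if Everyone is still present, the share existed before the script ran with its default ACL.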
Per-user subfolders pattern
Most offices want each user's scans to land in their own folder rather than a shared dump. Two patterns achieve this. The first is per-user destinations: each user has a scan-to-folder destination registered with their personal folder path. This requires per-user configuration but produces the cleanest separation. The second is dynamic path substitution: the MFP composes the path using the authenticated user's username, so \\fileserver\Scans\$USER resolves to \\fileserver\Scans\maria when Maria scans. Most enterprise MFPs support this substitution if user authentication is enabled.
For the dynamic pattern to work, the per-user subfolders must exist on the file server. Use a logon script or PowerShell to create them based on AD user enumeration: Get-ADGroupMember SCAN-MFP-Users | ForEach { New-Item -Path "D:\Shares\Scans\$($_.SamAccountName)" -ItemType Directory -Force }. Run this weekly to catch new users.
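A fuller version of that weekly job, as an added example that is not from the original guide: it goes beyond the one-liner above by expanding nested groups, skipping the service account, and breaking inheritance on each subfolder so that only the owner, the service account and administrators can read it (the group-wide Modify stays on the root only). Names are the guide's; the Add-Ace helper is an assumption.

```powershell
# Added example, not from the original guide: weekly job that creates the per-user
# subfolders the $USER substitution needs and scopes each one to its owner plus the
# service account. Assumes the guide's names and a scheduled task on the file server.
Import-Module ActiveDirectory

$ScanRoot   = 'D:\Shares\Scans'
$GroupName  = 'SCAN-MFP-Users'
$SvcAccount = 'svc-mfp-scan'
$Domain     = (Get-ADDomain).NetBIOSName
$Inherit    = 'ContainerInherit,ObjectInherit'

function Add-Ace {
    param($Acl, [string]$Identity, [string]$Rights)
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')))
}

# Expand nested groups; only enabled user objects get a folder, and the service
# account itself does not (it writes into everyone else's).
$Members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne $SvcAccount } |
    Get-ADUser | Where-Object Enabled

foreach ($User in $Members) {
    # Folder name must equal what the MFP substitutes for $USER: the sAMAccountName.
    $Path = Join-Path $ScanRoot $User.SamAccountName
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -ItemType Directory | Out-Null
        Write-Output "Created $Path"
    }
    # Break inheritance so the group as a whole cannot read other users' scans:
    # owner and service account get Modify, SYSTEM and admins keep Full Control.
    $Acl = Get-Acl -Path $Path
    $Acl.SetAccessRuleProtection($true, $false)
    Add-Ace $Acl 'NT AUTHORITY\SYSTEM'    'FullControl'
    Add-Ace $Acl 'BUILTIN\Administrators' 'FullControl'
    Add-Ace $Acl "$Domain\$($User.SamAccountName)" 'Modify'
    Add-Ace $Acl "$Domain\$SvcAccount"    'Modify'
    Set-Acl -Path $Path -AclObject $Acl
}

# Flag folders whose owner has left the group; review by hand rather than deleting.
$Expected = @($Members | ForEach-Object SamAccountName)
Get-ChildItem -Path $ScanRoot -Directory |
    Where-Object { $Expected -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Orphaned scan folder: $($_.FullName)" }
```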
Permission scheme summary
SMB version troubleshooting
SMB1 is disabled by default on Windows Server 2019 and later, and Microsoft removed it entirely from Windows 11 Home. MFPs that only support SMB1 cannot scan to current Windows shares — either update the MFP firmware to add SMB2/SMB3 support or replace the device. To confirm what SMB version an MFP supports, check the device's documentation or the SMB option in the scan destination settings.
Some MFPs default to SMB1 even when SMB2 is available, producing connection failures against modern servers. Force SMB2 or SMB3 in the device's scan-to-folder configuration if the option is exposed. If the option is hidden, the firmware version may need updating.
Common scan-to-folder issues
What goes wrong
- "Login failed" with correct credentials: The username format may be wrong. Try the DOMAIN\username and user@domain.local variants; some MFPs require one format specifically.
- Scan succeeds at the device, but no file appears on the share: Permissions issue or path typo. Check the file server's audit log to see whether the MFP authenticated and what it tried to write.
- File appears but is corrupted: SMB negotiation failed mid-transfer. Force SMB2 or SMB3 in the device settings and verify network stability between the MFP and the server.
- Filename has a timestamp but the original filename is lost: This is the MFP's default naming. Configure the filename template in the scan settings to include the user, the original name (if applicable) and the timestamp.
- SMB connection fails intermittently with "Access denied": The service account password may have changed or expired. Verify that password-never-expires is set on the account.
- Per-user subfolder substitution does not work: The MFP may require explicit configuration to use the $USER variable. Check the device documentation for the correct variable syntax.
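For the SMB version questions above and the "login failed" and "no file appears" cases in this list, the quickest evidence comes from the file server itself: which server settings can reject a device, and which dialect, signing and encryption state a live MFP session negotiated. The following is an added example, not code from the original guide; the MFP address is constructed and the function names are assumptions.

```powershell
# Added example, not from the original guide: reports, from the file server, which server
# settings can reject an MFP and what an MFP session actually negotiated. Assumes the
# Scans share and a constructed MFP address; run elevated while a scan is in progress.
function Get-ScanServerSmbState {
    param([string]$ShareName = 'Scans')
    $Cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        SMB1Enabled       = $Cfg.EnableSMB1Protocol        # must be False
        SMB2Enabled       = $Cfg.EnableSMB2Protocol        # must be True
        SigningRequired   = $Cfg.RequireSecuritySignature  # old firmware may not sign
        EncryptAllShares  = $Cfg.EncryptData
        RejectUnencrypted = $Cfg.RejectUnencryptedAccess   # SMB 2.x clients rejected if True
        ShareEncrypted    = (Get-SmbShare -Name $ShareName).EncryptData
    }
}

function Test-MfpSmbSession {
    param([Parameter(Mandatory)][string]$MfpAddress)
    # Sessions exist only while the device is connected, so trigger a scan first.
    $Sessions = Get-SmbSession | Where-Object ClientComputerName -eq $MfpAddress
    if (-not $Sessions) {
        Write-Warning ("No session from ${MfpAddress}: negotiation or logon failed, or the " +
            "device already disconnected; look for Security event 4625 from this address.")
        return
    }
    foreach ($s in $Sessions) {
        $Open = Get-SmbOpenFile | Where-Object SessionId -eq $s.SessionId
        [pscustomobject]@{
            Client    = $s.ClientComputerName
            User      = $s.ClientUserName      # should be DOMAIN\svc-mfp-scan
            Dialect   = $s.Dialect             # 2.0.2, 2.1, 3.0, 3.0.2 or 3.1.1
            Signed    = $s.Signed
            Encrypted = $s.Encrypted
            OpenFiles = ($Open.Path -join ', ')
        }
    }
}

Get-ScanServerSmbState | Format-List
Test-MfpSmbSession -MfpAddress '192.0.2.50' | Format-List   # constructed MFP address
```

A session with the expected user but no open files while the device reports success points at the path or NTFS permissions rather than SMB negotiation.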
Audit and monitoring
Enable file access auditing on the Scans share to capture who scanned what and when. Windows file server auditing is configured via Group Policy → Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit object access. Then, on the Scans folder, Properties → Security → Advanced → Auditing tab, add an audit entry for SCAN-MFP-Users with Modify success/failure. The events appear in the Security event log on the file server.
Audit logs answer "who scanned that confidential document last Tuesday" questions that come up surprisingly often in compliance and HR contexts. Without auditing, the question is unanswerable.
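The same auditing set up from PowerShell and then queried for a specific day, as an added example that is not from the original guide. It assumes the guide's folder and group; the query dates are constructed. One caveat the query makes visible: because the MFP authenticates as svc-mfp-scan, the audited account is the service account, and the person who scanned is only recoverable from the per-user subfolder or the filename template.

```powershell
# Added example, not from the original guide: turns on object-access auditing for the
# Scans folder and pulls "who wrote what, when" out of the Security log. Assumes the
# guide's names; the query dates are constructed. Run elevated on the file server.
$ScanRoot  = 'D:\Shares\Scans'
$GroupName = 'SCAN-MFP-Users'

# 1. Same effect as the GPO "Audit object access" setting, applied locally.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL entry: audit success and failure of Modify-class access by the scan group.
$Acl  = Get-Acl -Path $ScanRoot -Audit
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "$env:USERDOMAIN\$GroupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$Acl.AddAuditRule($Rule)
Set-Acl -Path $ScanRoot -AclObject $Acl

# 3. Event 4663 (object accessed) under the share, reduced to account, file and access.
# Because the MFP authenticates as svc-mfp-scan, SubjectUserName is the service account;
# the person who scanned is only recoverable from the per-user subfolder or the filename.
function Get-ScanAccessEvents {
    param([datetime]$Start, [datetime]$End, [string]$PathFilter = $ScanRoot)
    $Filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        $Data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
            Object  = $Data.ObjectName
            Mask    = [int]$Data.AccessMask   # 0x2 WriteData/AddFile, 0x10000 DELETE
        }
    } | Where-Object { $_.Object -like "$PathFilter*" }
}

# Everything written into the share on one day (constructed date), oldest first.
Get-ScanAccessEvents -Start (Get-Date '2026-03-10') -End (Get-Date '2026-03-11') |
    Where-Object { $_.Mask -band 0x2 } |
    Sort-Object Time | Format-Table Time, Account, Object -AutoSize
```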
Backup and retention of scanned files
Treat the Scans share as part of the normal file server backup rotation. Scan files are work-in-progress documents the user typically moves elsewhere (to the DMS, to their personal folder, to email) within hours. A 30-day retention on the Scans share itself with daily backup catches the gap between scan time and the user processing the file.