Giving permissions to a folder without having to give permissions to parent folder

Suppose that I have the following folder structure on a shared Win2k server volume in my enterprise:

E:
    \Sales
        \Export
        \National
    \Purchasing
    \Financial
    \Chairmanship
    \Accounting
    \Development
    \Public

First, I share E:, and give full control of the shared resource to Everyone.

Then, I give full control for E: (root) and all subfolders and files only for Administrators.
At this point, regular users will be unable even to see the contents of the share.

Imagine that I have some User Groups corresponding to my enterprise departments (Export Sales, National Sales, Purchasing, Financial, Chairmanship, Accounting and Development)

I want to grant full access to User Groups ONLY INSIDE the corresponding folder and ONLY INSIDE the Public folder. I don't want my regular groups to be able to delete or rename their department folder, and I don't want them even to know of the existence of other department folders in this share.

For example, Purchasing users must see only the following structure:

\\MYSERVER\MYSHARE
   \Purchasing
      File1
      File2
      File3
   \Public
      File1
      File2
      File3

Note that these users will not be able to see the existence of any other file or folder at the share root.

The Export Sales group must have only the following structure:

\\MYSERVER\MYSHARE
    \Sales
        \Export
            File1
            File2
            File3
    \Public
        File1
        File2
        File3

They don't see the files and other folders inside the Sales folder, nor on the root.

On the other hand, the "Sales Boss" must see all the contents of Sales.

I think you got the point.

On a Novell server, if I grant any permission to the Export folder, for example, the user will automatically have read permission to the entire path to reach this folder. On Win2k, it seems to be "slightly" different.

Which is the cleanest, most comprehensible and cleverest method to do that, without having to lose my hair micromanipulating permissions?

Thanks in advance.
emicol Asked:
 
SysExpert Commented:
Tough one.


In NT/2K it is probably best to start at the highest level and set the inheritance to trickle down.

Give all the users that need access at the top level and down (i.e. managers).
Then at each subdir, add in the other groups that need access and have inheritance trickle down also.

The problem is that you also have to account for all the previous permissions also, so you need to have all the permissions listed somewhere for each folder.
It is definitely not as easy as in Novell.
There are some third party tools that can help.


1) See the win2k resource kit.

2)
http://www.sysinternals.com/
http://www.systemtools.com/
http://www.winternals.com
 www.bhs.com
http://www.sunbelt-software.com/search_category.cfm
www.optimumx.com

There are also tools for printing out the resultant permissions to see if it is the way you want.

I hope this helps !
0
 
Lee W, MVP (Technology and Business Process Advisor) Commented:
Keep in mind that assuming you grant the appropriate permissions, users are going to see the folders.  They won't be able to access anything but what you grant them permission to access, but they are going to see the folders.
0
 
emicol (Author) Commented:
SysExpert, the utilities I found are great, especially Hyena will help me a lot. I will perform some tests, let's see if I can take it as an answer.

Leew, I see what you are saying, but, in my example, the Exporting Department will be able to read (and copy) files contained in folder "Sales" (the parent folder). This is what I don't want. I tried to play with the advanced permissions, but, if I don't grant "dir listing" permission to "Sales", the Exporting users will not be able to reach the "Export" folder. This is only one of the problems.

The permission inheritance on Win2k is very, very complicated.

I thought about sharing to each user only the folder where he must put his things, but I will have to do it user by user. Is it possible, through a login script or something, to map a share to the group?
0
 
SysExpert Commented:
You can define a default folder for each user, which only he can access, but it is NOT a share.
This is done in the Add User section of the User Manager.

I hope this helps !
0
 
schmiegu Commented:
In WinNT (and 2k) there is the possibility to traverse folders. So you can access a file/folder without having rights to folders above. This means, you can e.g. access \\server\share\dir1\dir11\xy.txt without having rights to dir1.

The problem is, you cannot browse to the folder.

I'd try this: set the share permissions to everyone full access and all subdirs with the appropriate NTFS-permissions. Let all users map this share as e.g. H:

then create a shortcut with the following cmdline:
Explorer.exe /e,/root,h:\dir1\dir11

This should open a folder/explorer window from dir11 and subdirs without any other folder above.

Note: this command doesn't work with unc-paths
0
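
An added example, not part of any comment in the thread: one way to script the NTFS side of the layout discussed above, with each group getting rights inside its folder but only traverse (no listing) on the folders above it, so the folder is reached by direct path as schmiegu describes. It uses icacls, which ships with later Windows versions than the Win2k server in the question; the domain name, the "Sales Boss" and "Domain Users" group names and the `Invoke-Acl` helper are assumptions, and E:\ is assumed to be already restricted to Administrators as the question describes.

```powershell
# Added example, not from the thread. Domain and group names are assumptions.
$Root   = 'E:\'
$Domain = 'MYDOMAIN'   # hypothetical domain name
$DryRun = $true        # $true: only print the icacls commands

# Folder (relative to the share root) -> groups that work inside it.
$Grants = [ordered]@{
    'Sales'          = @('Sales Boss')       # inherits down into Export/National
    'Sales\Export'   = @('Export Sales')
    'Sales\National' = @('National Sales')
    'Purchasing'     = @('Purchasing')
    'Financial'      = @('Financial')
    'Chairmanship'   = @('Chairmanship')
    'Accounting'     = @('Accounting')
    'Development'    = @('Development')
    'Public'         = @('Domain Users')
}

function Invoke-Acl([string[]]$IcaclsArgs) {
    if ($DryRun) { 'icacls ' + (($IcaclsArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ') }
    else         { & icacls.exe @IcaclsArgs }
}

foreach ($rel in $Grants.Keys) {
    $path = Join-Path $Root $rel
    foreach ($group in $Grants[$rel]) {
        $who = "$Domain\$group"

        # On the department folder itself: list and create, but no Delete right,
        # so the folder cannot be removed or renamed by the group.
        # On everything below it (inherit-only ACE): Modify.
        Invoke-Acl @($path, '/grant', "${who}:(RX,W)", "${who}:(OI)(CI)(IO)M")

        # On every folder above it: traverse only, this folder only (no listing).
        # Needed only where the "Bypass traverse checking" user right was removed.
        $up = Split-Path $rel -Parent
        while ($up) {
            Invoke-Acl @((Join-Path $Root $up), '/grant', "${who}:(X)")
            $up = Split-Path $up -Parent
        }
        Invoke-Acl @($Root, '/grant', "${who}:(X)")
    }
}
```

With `$DryRun` left at `$true` the script only prints the commands, which can be reviewed against the intended permission table before anything is changed.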
 
netwiz562 Commented:
---- CLEAN UP ----

emicol,
No comment has been added lately (452 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ Delete/No Refund ]

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer
0
 
SysExpert Commented:
I contributed quite a bit here.

0
 
netwiz562 Commented:
SysExpert,
Thanks for replying, it really helps to have input from the experts in clean-ups.  After reviewing the question I have decided to modify my recommendation to split between you and schmiegu.  Is this ok with you?

------CLEANUP REVISION------

REVISED RECOMMENDATION: [Split: SysExpert & schmiegu]



Thanks,
Rajiv Makhijani
EE Cleanup Volunteer
0
 
SysExpert Commented:
Fine with me.
0
Question has a verified solution.
