Solved

Giving permissions to a folder without having to give permissions to parent folder

Posted on 2002-07-07
Last Modified: 2010-04-13
Suppose that I have the following folder structure on a shared Win2k server volume in my enterprise:

E:
    \Sales
        \Export
        \National
    \Purchasing
    \Financial
    \Chairmanship
    \Accounting
    \Development
    \Public

First, I share E:, and give full control of the shared resource to Everyone.

Then, I give full control for E: (root) and all subfolders and files only for Administrators.
At this point, regular users will be unable even to see the contents of the share.

Imagine that I have some User Groups corresponding to my enterprise departments (Export Sales, National Sales, Purchasing, Financial, Chairmanship, Accounting and Development)

I want to grant full access to User Groups ONLY INSIDE the corresponding folder and ONLY INSIDE the Public folder. I don't want my regular groups to be able to delete or rename their department folder, and I don't want them even to know of the existence of other department folders in this share.

For example, Purchasing users must see only the following structure:

\\MYSERVER\MYSHARE
   \Purchasing
      File1
      File2
      File3
   \Public
      File1
      File2
      File3

Note that these users will not be able to see the existence of any other file or folder at the share root.

The Export Sales group must have only the following structure:

\\MYSERVER\MYSHARE
    \Sales
        \Export
            File1
            File2
            File3
    \Public
        File1
        File2
        File3

They don't see the files and other folders inside the Sales folder, nor those in the root.

On the other hand, the "Sales Boss" must see all the contents of Sales.

I think you got the point.

In a Novell server, if I grant any permission to the Export folder for example, the user will automatically have read permission to the entire path to reach this folder. At Win2k, it seems to be "slightly" different.

Which is the cleanest, most comprehensible and cleverest method to do that, without having to lose my hair micromanipulating permissions?

Thanks in advance.
0
Comment
Question by:emicol
9 Comments
 
LVL 63

Accepted Solution

by:
SysExpert earned 200 total points
ID: 7135568
Tough one.


In NT/2K it is probably best to start at the highest level and set the inheritance to trickle down.

Give all the users that need access at the top level and down (i.e. managers).
Then at each subdir, add in the other groups that need access and have inheritance trickle down also.

The problem is that you also have to account for all the previous permissions also, so you need to have all the permissions listed somewhere for each folder.
It is definitely not as easy as in Novell.
There are some third party tools that can help.


1) See the win2k resource kit.

2)
http://www.sysinternals.com/
http://www.systemtools.com/
http://www.winternals.com
 www.bhs.com
http://www.sunbelt-software.com/search_category.cfm
www.optimumx.com

There are also tools for printing out the resultant permissions to see if it is the way you want.

I hope this helps !
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 7135954
Keep in mind that assuming you grant the appropriate permissions, users are going to see the folders.  They won't be able to access anything but what you grant them permission to access, but they are going to see the folders.
0
 

Author Comment

by:emicol
ID: 7137499
SysExpert, the utilities I found are great, especially Hyena will help me a lot. I will perform some tests, let's see if I can take it as an answer.

Leew, I see what you are saying, but, in my example, the Exporting Department will be able to read (and copy) files contained in folder "Sales" (the parent folder). This is what I don't want. I tried to play with the advanced permissions, but, if I don't grant "dir listing" permission to "Sales", the Exporting users will not be able to reach the "Export" folder. This is only one of the problems.

The permission inheritance on Win2k is very, very complicated.

I thought about sharing to each user only the folder where he must put his things, but I will have to do it user by user. Is it possible, through a login script or something, to map a share to the group?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7139189
You can define a default Folder for each user, which only he can access, but it is NOT a share.
This is done in the Add User section of the User Manager.

I hope this helps !
0
 
LVL 9

Assisted Solution

by:schmiegu
schmiegu earned 200 total points
ID: 7140089
In WinNT (and 2k) there is the possibility to traverse folders. So you can access a file/folder without having rights to folders above. This means, you can e.g. access \\server\share\dir1\dir11\xy.txt without having rights to dir1.

The problem is, you cannot browse to the folder.

I'd try this: set the share permissions to everyone full access and all subdirs with the appropriate NTFS-permissions. Let all users map this share as e.g. H:

then create a shortcut with the following cmdline:
Explorer.exe /e,/root,h:\dir1\dir11

This should open a folder/explorer window from dir11 and subdirs without any other folder above.

Note: this command doesn't work with UNC paths.
0
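Added example, not part of any post in this thread: the ACL layout the answers above describe, written with icacls (an assumption: it ships with later Windows releases, not Win2k itself). The group name `MYDOMAIN\Export Sales` is a placeholder; the paths are the asker's. It keeps the Administrators-only inherited ACL from the question in place and only adds entries.

```powershell
# Placeholder group name; paths are taken from the question.
$group  = 'MYDOMAIN\Export Sales'
$root   = 'E:\'
$parent = 'E:\Sales'
$dept   = 'E:\Sales\Export'

# Set to $false to rely on traverse-by-full-path only (schmiegu's approach):
# users then map or open E:\Sales\Export directly and cannot browse down to it.
$browsable = $true

if ($browsable) {
    # Parents: traverse + list folder + read attributes, THIS FOLDER ONLY.
    # No (OI)/(CI) flags, so nothing is inherited by files or subfolders:
    # the group sees names in E:\ and E:\Sales (as Lee W notes) but cannot
    # open the files in Sales or enter sibling folders such as National.
    # S (synchronize) is included because specific-rights ACEs need it
    # for ordinary opens to succeed.
    foreach ($p in $root, $parent) {
        icacls $p /grant "${group}:(X,RD,RA,S)"
    }
}

# Department folder itself: read, traverse, create files (WD) and create
# subfolders (AD), this folder only. DE (delete) is deliberately absent, and
# the parent grants no DC (delete child), so the group cannot delete or
# rename E:\Sales\Export.
icacls $dept /grant "${group}:(RD,X,RA,REA,RC,WD,AD,S)"

# Everything below the department folder: Modify, inherit-only (IO), so it
# applies to subfolders and files but not to E:\Sales\Export itself.
# M is used instead of F so members cannot rewrite ACLs or take ownership;
# substitute F if full control is really required.
icacls $dept /grant "${group}:(OI)(CI)(IO)M"

# Print the resulting ACLs for review.
foreach ($p in $root, $parent, $dept) {
    icacls $p
}
```

The same three grants, with the matching group, repeat for each department folder; `E:\Public` needs only the last two.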
 
LVL 1

Expert Comment

by:netwiz562
ID: 9492420
---- CLEAN UP ----

emicol,
No comment has been added lately (452 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ Delete/No Refund ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 9536691
I contributed quite a bit here.

0
 
LVL 1

Expert Comment

by:netwiz562
ID: 9538450
SysExpert,
Thanks for replying, it really helps to have input from the experts in clean-ups.  After reviewing the question I have decided to modify my recommendation to split between you and schmiegu.  Is this ok with you?

------CLEANUP REVISION------

REVISED RECOMMENDATION: [Split: SysExpert & schmiegu]



Thanks,
Rajiv Makhijani
EE Cleanup Volunteer
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 9577964
Fine with me.
0
