Solved

Giving permissions to a folder without having to give permissions to parent folder

Posted on 2002-07-07
Last Modified: 2010-04-13
Suppose that I have the following folder structure on a shared Win2k server volume in my enterprise:

E:
    \Sales
        \Export
        \National
    \Purchasing
    \Financial
    \Chairmanship
    \Accounting
    \Development
    \Public

First, I share E:, and give full control of the shared resource to Everyone.

Then, I give full control for E: (root) and all subfolders and files only for Administrators.
At this point, regular users will be unable even to see the contents of the share.

Imagine that I have some User Groups corresponding to my enterprise departments (Export Sales, National Sales, Purchasing, Financial, Chairmanship, Accounting and Development).

I want to grant full access to User Groups ONLY INSIDE the corresponding folder and ONLY INSIDE the Public folder. I don't want my regular groups to be able to delete or rename their department folder, and I don't want them even to know of the existence of other department folders in this share.

For example, Purchasing users must see only the following structure:

\\MYSERVER\MYSHARE
   \Purchasing
      File1
      File2
      File3
   \Public
      File1
      File2
      File3

Note that these users will not be able to see the existence of any other file or folder at the share root.

The Export Sales group must have only the following structure:

\\MYSERVER\MYSHARE
    \Sales
        \Export
            File1
            File2
            File3
    \Public
        File1
        File2
        File3

They see neither the files and other folders inside the Sales folder nor those in the root.

On the other hand, the "Sales Boss" must see all the contents of Sales.

I think you got the point.

In a Novell server, if I grant any permission to the Export folder for example, the user will automatically have read permission to the entire path to reach this folder. At Win2k, it seems to be "slightly" different.

What is the most clean, comprehensible and clever method to do that, without having to lose my hair micromanipulating permissions?

Thanks in advance.
Question by:emicol
9 Comments
 
LVL 63

Accepted Solution

by:
SysExpert earned 50 total points
ID: 7135568
Tough one.


In NT/2K it is probably best to start at the highest level and set the inheritance to trickle down.

Give all the users that need access at the top level and down (i.e. managers).
Then at each subdir, add in the other groups that need access and have inheritance trickle down also.

The problem is that you also have to account for all the previous permissions, so you need to have all the permissions listed somewhere for each folder.
It is definitely not as easy as in Novell.
There are some third party tools that can help.


1) See the win2k resource kit.

2)
http://www.sysinternals.com/
http://www.systemtools.com/
http://www.winternals.com
www.bhs.com
http://www.sunbelt-software.com/search_category.cfm
www.optimumx.com

There are also tools for printing out the resultant permissions to see if it is the way you want.

I hope this helps !
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 7135954
Keep in mind that assuming you grant the appropriate permissions, users are going to see the folders.  They won't be able to access anything but what you grant them permission to access, but they are going to see the folders.
0
 

Author Comment

by:emicol
ID: 7137499
SysExpert, the utilities I found are great, especially Hyena will help me a lot. I will perform some tests, let's see if I can take it as an answer.

Leew, I see what you are saying, but, in my example, the Exporting Department will be able to read (and copy) files contained in folder "Sales" (the parent folder). This is what I don't want. I tried to play with the advanced permissions, but, if I don't grant "dir listing" permission to "Sales", the Exporting users will not be able to reach the "Export" folder. This is only one of the problems.

The permission inheritance on Win2k is very, very complicated.

I thought about sharing to each user only the folder where he must put his things, but I will have to do it user by user. Is it possible, through a login script or something, to map a share to the group?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7139189
You can define a default Folder for each user, which only he can access, but it is NOT a share.
This is done in the Add User section of the User Manager.

I hope this helps !
0
 
LVL 9

Assisted Solution

by:schmiegu
schmiegu earned 50 total points
ID: 7140089
In WinNT (and 2k) there is the possibility to traverse folders. So you can access a file/folder without having rights to folders above. This means, you can e.g. access \\server\share\dir1\dir11\xy.txt without having rights to dir1.

The problem is, you cannot browse to the folder.

I'd try this: set the share permissions to everyone full access and all subdirs with the appropriate NTFS-permissions. Let all users map this share as e.g. H:

then create a shortcut with the following cmdline:
Explorer.exe /e,/root,h:\dir1\dir11

This should open a folder/explorer window from dir11 and subdirs without any other folder above.

Note: this command doesn't work with UNC paths.
0
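
The ACL layout the answers above point to, as an added example that is not part of the original posts: each department group gets entries only on its own folder and none on the parents, which still lets users reach the folder by direct path or through schmiegu's rooted Explorer shortcut because Windows grants the "Bypass traverse checking" user right to Everyone by default. It assumes the E:\ tree and group names exactly as written in the question, and it uses icacls, which is not part of Windows 2000, so a later Windows version is assumed.

```powershell
# Added example, not from the thread. Folder tree and group names are taken
# from the question; icacls.exe is assumed to be available.
$public = 'E:\Public'

# Folder -> groups that work inside it. 'Sales Boss' is granted on E:\Sales,
# so inheritance carries that access down into Export and National.
$grants = [ordered]@{
    'E:\Sales'          = @('Sales Boss')
    'E:\Sales\Export'   = @('Export Sales')
    'E:\Sales\National' = @('National Sales')
    'E:\Purchasing'     = @('Purchasing')
    'E:\Financial'      = @('Financial')
    'E:\Chairmanship'   = @('Chairmanship')
    'E:\Accounting'     = @('Accounting')
    'E:\Development'    = @('Development')
}
# Every group listed above also works inside Public.
$grants[$public] = @($grants.Values | ForEach-Object { $_ } | Sort-Object -Unique)

foreach ($folder in $grants.Keys) {
    foreach ($group in $grants[$folder]) {
        # ACE 1 (this folder only): list, traverse, create files and subfolders.
        #   It carries no Delete right, so the department folder itself cannot
        #   be deleted or renamed by the group.
        # ACE 2 (subfolders and files only): Modify on everything inside.
        icacls $folder /grant "${group}:(RX,WD,AD)" "${group}:(OI)(CI)(IO)M"
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $folder for $group" }
    }
}

# Check: 'Export Sales' should have an entry on E:\Sales\Export but none on
# E:\Sales or E:\, so those users cannot list or read the parent folders.
foreach ($path in 'E:\', 'E:\Sales', 'E:\Sales\Export') {
    $hit = icacls $path | Select-String -SimpleMatch 'Export Sales'
    '{0,-18} Export Sales ACE present: {1}' -f $path, [bool]$hit
}
```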
 
LVL 1

Expert Comment

by:netwiz562
ID: 9492420
---- CLEAN UP ----

emicol,
No comment has been added lately (452 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: [ Delete/No Refund ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 9536691
I contributed quite a bit here.

0
 
LVL 1

Expert Comment

by:netwiz562
ID: 9538450
SysExpert,
Thanks for replying, it really helps to have input from the experts in clean-ups.  After reviewing the question I have decided to modify my recommendation to split between you and schmiegu.  Is this ok with you?

------CLEANUP REVISION------

REVISED RECOMMENDATION: [Split: SysExpert & schmiegu]



Thanks,
Rajiv Makhijani
EE Cleanup Volunteer
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 9577964
Fine with me.
0
