Access Based Enumeration (ABE) and down folder permissions
Posted on 2006-04-03
You have Windows 2003 with SP1 for server01. It has share1 with Access
Based Enumeration enabled. You have set up four departments with a
folder per department on the share and members of each department can
see their department's folder and work within that folder.
Access granted to: Theresa and Deb
Access granted to: Jeff and Andy
Access granted to: Mark
Access granted to: Kim and Carolyn
The Sales department is working on a new project that will require
Marketing's assistance. The Sales department has a folder in their
folder named "Projects".
They would like to create a folder named "2006 Campaign" and grant
Mark in Marketing access to use that folder.
Ideally you would like it so that once they add the permissions the Sales
folder appears to Mark. Then Mark would be able to open the Sales
folder and only see the Projects folder. Inside that he would only see
the "2006 Campaign" folder. Can this be achieved, and if so, how?
I have discovered a partial solution. If at the top level (either
share or each folder under the share) you add the "Everybody" or
"Domain Users" group and grant the "List Folder Contents"
option and then force that down it almost works. The users are then
able to see the files that they were granted access to. The problem is
they see all folders and the tree structure. In the scenario above
they would see every folder in every directory, whether they have
access to a file in that folder or not. I would like to "hide"
anything they have not been granted access to. So until Kim granted
Mark access to the "2006 Campaign" folder he would not have even
seen the Sales folder. Additionally, once she removed his access, the
Sales folder would disappear.
With Access Based Enumeration I would imagine this would be possible
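
A simplified model of the behaviour described in the post, added here as an example and not part of the original post. It assumes ABE lists a folder only when the user holds a read or list permission on that folder itself, and it uses constructed names (DeptA, Forecasts, 2005 Review) for folders the post does not name. It compares the "Domain Users everywhere" partial solution with a non-inherited grant to Mark on each folder along the path.

```python
# Simplified model (an assumption, not Windows code): ABE lists a child folder
# only when the user, or one of the user's groups, holds a read/list ACE on it.
TREE = {  # constructed sample tree; DeptA, Forecasts, 2005 Review are placeholders
    "share1": ["Sales", "Marketing", "DeptA"],
    "Sales": ["Projects", "Forecasts"],
    "Projects": ["2006 Campaign", "2005 Review"],
}
GROUPS = {"Kim": {"Sales", "Domain Users"}, "Mark": {"Marketing", "Domain Users"}}


def all_folders():
    return set(TREE) | {child for kids in TREE.values() for child in kids}


def base_acl():
    """Starting point from the post: each department sees only its own folder."""
    acl = {folder: set() for folder in all_folders()}
    acl["share1"] = {"Domain Users"}
    for folder in ("Sales", "Projects", "Forecasts", "2006 Campaign", "2005 Review"):
        acl[folder].add("Sales")
    acl["Marketing"].add("Marketing")
    acl["DeptA"].add("DeptA")
    return acl


def visible(acl, user, folder):
    """Children of `folder` that ABE would list for `user` under this model."""
    principals = GROUPS[user] | {user}
    return [child for child in TREE.get(folder, []) if acl[child] & principals]


def partial_solution():
    """List permission for Domain Users forced down the whole tree."""
    acl = base_acl()
    for folder in acl:
        acl[folder].add("Domain Users")
    return acl


def scoped_grant(path):
    """Mark is added on each folder along `path` only; nothing is inherited."""
    acl = base_acl()
    for folder in path:
        acl[folder].add("Mark")
    return acl
```
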