Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Using access based enumeration on shared folders.  Permissions required?

Posted on 2007-03-21
7
673 Views
Last Modified: 2008-01-09
I have a windows 2003 AD/domain environment.  The structure that I'm trying to create is to have a folder called "shared" with departmental directories underneath it.  For example \\server\shared\marketing, \\server\shared\finance, and \\server\shared\everyone.  The key is, I want to map all users to \\server\shared and have them only be able to "see" the folders underneath that they have access to - which I will grant via group objects.  For example a user in the finance group would be able to access \\server\shared\finance - but wouldn't even be able to see \\server\shared\marketing.

I've downloaded and enabled access based enumeration already on this folder.

I'm looking for the correct permission and share settings to make the above possible.

Your thoughts?

0
Comment
Question by:mikeshaver
7 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18767506
have a check through this guide - these guys are pretty good at explaining most concepts
http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18767724
You'd set it up as if you weren't using ABE.

Same share and ntfs permissions apply.  The only difference is they can only see what they have permissions to.

0
 
LVL 1

Author Comment

by:mikeshaver
ID: 18767804
Jay: Thanks, but that is exactly what I've already done.  

Netman:  I'm with you on this one, but I assume I don't have the share and security permissions correct.  

What is happening now is I have given rights to "read" at the \\server\shared\ folder to all my users.  This enables them to click on the \\server\shared folder without getting an "access denied" message.  However, the access is permeating down to all folders within the \\server\shared folder.  So if a user goes to \\server\shared folder, they see all the folders beneath it.  This is exactly what I do NOT want.

I don't really want to individually share out every subfolder in the \\server\shared folder...but is that what I need to do?  Should I share them, then enable ABE on every subfolder?

0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 19

Accepted Solution

by:
aissim earned 250 total points
ID: 18767925
You should go to each folder underneath the shared folder (finance, marketing, etc.) - go to the security tab, click the Advanced button, then uncheck the "Allow inheritable permissions from the parent to propogate to this object...". You'll be prompted to Copy or Remove the current, inherited, permissions - I recommend copying them and then back on the Security tab adjusting the ACL to your departmental needs.

At this point they won't be able to see folders they don't have access to. Good luck!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 18770260
Share permissions = Authenticated Users - Full Control.
NTFS permissions = Administrators, SYSTEM = Full Control
                               Authenticated Users = Modify

Sub folders to be set as you normally would.

Since users need to be able to Modify their own stuff, then Inheritance should be allowed - just tighten up the security on the top level departmental folders so people can't delete things they shouldn't.

0
 
LVL 1

Author Comment

by:mikeshaver
ID: 18783381
Thanks guys.  I am off for a week but I will try this when I return and report back.

Mike
0
 
LVL 1

Author Comment

by:mikeshaver
ID: 19103213
Thanks everyone.

I ended up sharing out the "top level" called Shared to Authenticated users and the Administrators Group.  Then at each sub folder I set the permissions to whatever group required the access.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question