Solved

Traverse and Directory Permissions

Posted on 2008-10-17
Last Modified: 2012-05-05
On one of my servers, I have a "Data" share. "Domain Users" have full access to the share. On the share I have department directories set up. Users are all put into department global group, and each group has full access to the respective department directory. Here's the dilemma, and I have searched all over for this one: Each department directory has a "Share". I would like "Domain Users" to have read/write access to each of the department shared, but not see the files or other directories within those departments (with the exception of their own department).

In the following example, I would like the FINANCE global group to have access to \FIN and below, while the Domain Users should have access to the \FIN\SHARED folder, while not seeing any of the files or other folders within \FIN. I would follow this procedure for every department, and then create one \SHARED directory at the root for the entire company to share.

\FIN
\FIN\SHARED

In the Novell world, this was a snap, but I cannot figure this out with Microsoft.  How can I accomplish the above without letting everyone see the files within the department directories?  I only want them to see the shared directories within other departments.  I have looked into "traverse", but that doesn't seem to be it.
Question by:Mark Webb
Accepted Solution

by:
oBdA earned 500 total points
ID: 22745697
NTFS doesn't allow for this.
But Server 2003 SP1 or later has the functionality to enable this "hiding" feature for access through a share; it's called "Access Based Enumeration".
Check these links (and note that the *functionality* is already built-in since SP1, you're downloading/installing just the management GUI/command line tool):

Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en

Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx

Implementing Access-Based Enumeration in Windows Server 2003 R2
http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html

Expert Comment

by:KKVP
ID: 22749220
Hi,
You can try this: create a root folder for the share (e.g. USERSDATA), select 'Sharing and Security', and in the 'Sharing' tab select 'Permissions', then remove Everyone, add Authenticated Users and assign 'Change' & 'Read Permissions'. Now you are finished with sharing the main folder.

Now create a folder (e.g. FINANCE) and a subfolder beneath it (e.g. SHARED). Your requirement is that Finance group people will have full access to both folders and other Domain Users should be able to read/write only the subfolder. To achieve this:

1. Go to properties of FINANCE folder and select Security tab.
2. Go to Advanced and then uncheck "Allow inheritable permissions from the parent...."
3. Now select the Users(Domain\Users) --> Domain Users (if already available, else add it) and click Edit.
4. Select "This Folder Only" & Allow --> List Folder / Read Data option only (deselect other options if selected) and click OK.
5. Now add FINANCE GROUP and give them Full Control for "This Folder, Subfolder and files" and click OK till all the windows are closed.
6. Then go to SHARED folder and repeat step 1 & 2
7. Click on Add and select Users(Domain\Users) and check all permissions except "Full Control, Delete Subfolder and Files, Change Permissions & Take Ownership".

Domain Users will be able to open the main folder (Finance) and can view the folder and files but cannot access it; they can read & write data in the subfolder (Shared).

By all means, if you don't want the data in the main folder to be displayed other than the Shared folder, please go ahead with the MS Access Based Enumeration tool which has been suggested by oBdA.

Regards,
KKVP
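
The ACL layout from the comment above combined with Access-based Enumeration from the accepted answer, scripted as an added example (not part of either poster's reply). The domain CONTOSO, the path D:\Data, the share name Data and the group name FINANCE are assumed; Set-SmbShare assumes Windows Server 2012 or later, and on Server 2003 the ABE tool from the linked download takes its place.

```powershell
# Added example. Assumed names: domain CONTOSO, share "Data" rooted at D:\Data,
# department global group FINANCE. Run elevated on the file server.
$domain = 'CONTOSO'
$fin    = 'D:\Data\FIN'
$shared = Join-Path $fin 'SHARED'
$users  = "$domain\Domain Users"
$dept   = "$domain\FINANCE"

New-Item -ItemType Directory -Path $shared -Force | Out-Null

# \FIN: write the explicit ACEs first, then drop inherited ones, so the
# folder is never left without an administrative entry.
# Keeping Administrators and SYSTEM is an assumption of this example.
icacls $fin /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Department group: Full Control on this folder, subfolders and files.
icacls $fin /grant:r "${dept}:(OI)(CI)F"

# Domain Users: no (OI)/(CI) flags means "This folder only".
# RD = List folder / read data, S = Synchronize (needed to open the folder).
# Nothing below \FIN inherits this entry.
icacls $fin /grant:r "${users}:(RD,S)"

# Remove the ACEs inherited from the share root (Domain Users full access).
icacls $fin /inheritance:r

# \FIN\SHARED: inheritance stays on so FINANCE keeps Full Control from \FIN.
# Modify is everything except Full Control, Delete Subfolders and Files,
# Change Permissions and Take Ownership.
icacls $shared /grant:r "${users}:(OI)(CI)M"

# Access-based Enumeration on the share: entries a user has no read access
# to are left out of directory listings made through the share.
Set-SmbShare -Name 'Data' -FolderEnumerationMode AccessBased -Force

# Review the result.
icacls $fin
icacls $shared
Get-SmbShare -Name 'Data' | Select-Object Name, Path, FolderEnumerationMode
```

With this in place, a user outside FINANCE who browses \FIN through the share sees only SHARED, because every other file and folder under \FIN carries no entry for Domain Users.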
Author Closing Comment

by:Mark Webb
ID: 31507220
ABE is exactly what I was looking for.  Not only was it easy enough for me to understand and implement, but my users are thrilled at what they see, and more importantly what they don't have to weed through anymore.  THANKS