Solved

Traverse and Directory Permissions

Posted on 2008-10-17
Last Modified: 2012-05-05
On one of my servers, I have a "Data" share. "Domain Users" have full access to the share. On the share I have department directories set up. Users are all put into a department global group, and each group has full access to the respective department directory. Here's the dilemma, and I have searched all over for this one: Each department directory has a "Share". I would like "Domain Users" to have read/write access to each of the department shared, but not see the files or other directories within those departments (with the exception of their own department).

In the following example, I would like the FINANCE global group to have access to \FIN and below, while the Domain Users should have access to the \FIN\SHARED folder, while not seeing any of the files or other folders within \FIN. I would follow this procedure for every department, and then create one \SHARED directory at the root for the entire company to share.

\FIN
\FIN\SHARED

In the Novell world, this was a snap, but I cannot figure this out with Microsoft.  How can I accomplish the above without letting everyone see the files within the department directories?  I only want them to see the shared directories within other departments.  I have looked into "traverse", but that doesn't seem to be it.
Question by:Mark Webb

Accepted Solution

by: oBdA earned 500 total points
NTFS doesn't allow for this.
But Server 2003 SP1 or later has the functionality to enable this "hiding" feature for access through a share; it's called "Access Based Enumeration".
Check these links (and note that the *functionality* is already built-in since SP1, you're downloading/installing just the management GUI/command line tool):

Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en

Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx

Implementing Access-Based Enumeration in Windows Server 2003 R2
http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html

Expert Comment

by:KKVP
Hi,
     You can try this: create a root folder for the share (e.g. USERSDATA), select 'Sharing and Security', and in the 'Sharing' tab select 'Permissions'; then remove Everyone, add Authenticated Users and assign 'Change' & 'Read' permissions. Now you are finished with sharing the main folder.

    Now create a folder (e.g. FINANCE) and a subfolder beneath it (e.g. SHARED). Your requirement is that Finance group people will have full access to both folders and other Domain Users should be able to read and write only the subfolder. To achieve this:

1. Go to properties of FINANCE folder and select Security tab.
2. Go to Advanced and then uncheck "Allow inheritable permissions from the parent...."
3. Now select the Users(Domain\Users) --> Domain Users (if already available, else add it) and click Edit.
4. Select "This Folder Only" & Allow --> List Folder / Read Data option only (deselect other options if selected) and click OK.
5. Now add FINANCE GROUP and give them Full Control for "This Folder, Subfolder and files" and click OK till all the windows are closed.
6. Then go to SHARED folder and repeat step 1 & 2
7. Click on Add and select Users(Domain\Users) and check all permissions except "Full Control, Delete Subfolder and Files, Change Permissions & Take Ownership".

   Domain Users will be able to open the main folder (Finance) and can view the folder and files but cannot access it, they can read & write data in the sub folder (Shared).

   If you don't want the data in the main folder, other than the Shared folder, to be displayed, by all means go ahead with the MS Access Based Enumeration tool which has been suggested by oBdA.

Regards,
KKVP
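
KKVP's steps 1-7 combined with the Access Based Enumeration setting oBdA recommends, as an added PowerShell example that is not part of the original thread. The path `D:\Data\FIN`, the `CONTOSO` domain and the share name `Data` are assumptions, as are the Administrators and SYSTEM entries (added so the folders stay manageable once inheritance is cut); `Set-SmbShare` requires Server 2012 or later, while on Server 2003 the tool from oBdA's links does that last step.

```powershell
# Assumed names (not from the thread): D:\Data\FIN, domain CONTOSO, share "Data".
$dept   = 'D:\Data\FIN'
$shared = Join-Path $dept 'SHARED'
$users  = 'CONTOSO\Domain Users'
$group  = 'CONTOSO\FINANCE'
$admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'   # assumption, see lead-in
$all    = 'ContainerInherit, ObjectInherit'   # "This folder, subfolders and files"
$this   = 'None'                              # "This folder only"

function New-AllowRule([string]$Identity, [string]$Rights, [string]$Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

function Set-ExplicitAcl([string]$Path, [object[]]$Rules) {
    $acl = Get-Acl -Path $Path
    # Steps 1-2: stop inheriting from the parent and do not copy inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # SetAccessRule replaces any existing explicit Allow entries for the same
    # identity, which matches "deselect other options if selected" in step 4.
    foreach ($rule in $Rules) { $acl.SetAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Entries every protected folder needs: admins plus the department group.
$base = @($admins | ForEach-Object { New-AllowRule $_ 'FullControl' $all })
$base += New-AllowRule $group 'FullControl' $all            # step 5

# Steps 3-4: Domain Users may only list the FIN folder itself.
Set-ExplicitAcl $dept ($base + (New-AllowRule $users 'ReadData' $this))

# Steps 6-7: on SHARED, Modify is every right except Full Control,
# Delete Subfolders and Files, Change Permissions and Take Ownership.
# The FINANCE entry is repeated here because SHARED no longer inherits from FIN.
Set-ExplicitAcl $shared ($base + (New-AllowRule $users 'Modify' $all))

# oBdA's answer: with ABE on the share, users only see entries they can read,
# so other departments see FIN\SHARED and nothing else under FIN.
Set-SmbShare -Name 'Data' -FolderEnumerationMode AccessBased -Force

# Check the result: no entry on either folder should show IsInherited = True.
foreach ($p in $dept, $shared) {
    (Get-Acl $p).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
}
```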

Author Closing Comment

by:Mark Webb
ABE is exactly what I was looking for.  Not only was it easy enough for me to understand and implement, but my users are thrilled at what they see, and more importantly what they don't have to weed through anymore.  THANKS