Solved

Traverse and Directory Permissions

Posted on 2008-10-17
Last Modified: 2012-05-05
On one of my servers, I have a "Data" share.  "Domain Users" have full access to the share.  On the share I have department directories set up.  Users are all put into department global group, and each group has full access to the respective department directory.  Here's the dilemma, and I have searched all over for this one:  Each department directory has a "Share".  I would like "Domain Users" to have read/write access to each of the department shared, but not see the files or other directories within those departments (with the exception of their own department).  

In the following example, I would like the FINANCE global group to have access to \FIN and below, while the Domain Users should have access to the \FIN\SHARED folder, while not seeing any of the files or other folders within \FIN.  I would follow this procedure for every department, and then create one \SHARED directory at the root for the entire company to share.  

\FIN
\FIN\SHARED

In the Novell world, this was a snap, but I cannot figure this out with Microsoft.  How can I accomplish the above without letting everyone see the files within the department directories?  I only want them to see the shared directories within other departments.  I have looked into "traverse", but that doesn't seem to be it.
Question by:Mark Webb
3 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 22745697
NTFS doesn't allow for this.
But Server 2003 SP1 or later has the functionality to enable this "hiding" feature for access through a share; it's called "Access Based Enumeration".
Check these links (and note that the *functionality* is already built-in since SP1, you're downloading/installing just the management GUI/command line tool):

Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-a485-b030ac442084&displaylang=en

Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx

Implementing Access-Based Enumeration in Windows Server 2003 R2
http://www.windowsnetworking.com/articles_tutorials/Implementing-Access-Based-Enumeration-Windows-Server-2003.html
LVL 1

Expert Comment

by:KKVP
ID: 22749220
Hi,
     You can try this: Create a Root folder for share (Eg: USERSDATA) and Select 'Sharing and Security' and in 'Sharing' tab select 'Permissions', then remove Everyone and add Authenticated Users and assign 'Change' & 'Read Permissions'. Now you are finished with sharing the Main Folder.

    Now you Create a Folder (Eg: FINANCE) and a subfolder beneath it (Eg: SHARED).  Your requirement is that Finance Group People will have full access for both the folders and other Domain Users should be able to Read Write only the Subfolder. To achieve this:

1. Go to properties of FINANCE folder and select Security tab.
2. Go to Advanced and then uncheck "Allow inheritable permissions from the parent...."
3. Now select the Users(Domain\Users) --> Domain Users (if already available, else add it) and click Edit.
4. Select "This Folder Only" & Allow --> List Folder / Read Data option only (deselect other options if selected) and click OK.
5. Now add FINANCE GROUP and give them Full Control for "This Folder, Subfolder and files" and click OK till all the windows are closed.
6. Then go to SHARED folder and repeat step 1 & 2
7. Click on Add and select Users(Domain\Users) and check all permissions except "Full Control, Delete Subfolder and Files, Change Permissions & Take Ownership".

   Domain Users will be able to open the main folder (Finance) and can view the folder and files but cannot access it, they can read & write data in the sub folder (Shared).

   By all means if you don't want the data in the main folder to be displayed other than Shared folder, please go ahead with MS Access Based Enumeration tool which has been suggested by oBdA

Regards,
KKVP
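
The seven GUI steps above, scripted with Get-Acl/Set-Acl. This is an added example, not part of the original post. The path `D:\Data\FINANCE` and the `CONTOSO` account names are assumptions, and it assumes the "copy" choice when inheritance is switched off, which the steps do not specify.

```powershell
# Added example, not from the thread. Assumed names: D:\Data\FINANCE,
# CONTOSO\Domain Users, CONTOSO\FINANCE. Run elevated on the file server.
$deptPath   = 'D:\Data\FINANCE'
$sharedPath = Join-Path $deptPath 'SHARED'
$allUsers   = 'CONTOSO\Domain Users'
$deptGroup  = 'CONTOSO\FINANCE'

function New-AllowRule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    $noPropagation = [System.Security.AccessControl.PropagationFlags]::None
    $allow         = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $noPropagation, $allow
}

function Set-FolderAcl([string]$Path, $Rules) {
    # Steps 1-2 (and 6): stop inheriting, keeping the inherited entries as
    # explicit copies so administrators and SYSTEM do not lose access.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Re-read so the copied entries are explicit, drop whatever Domain Users
    # held before, then add the new rules.
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$allUsers)
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Steps 3-5: Domain Users may only list FINANCE itself ("This folder only");
# the FINANCE group gets Full Control on the folder, subfolders and files.
Set-FolderAcl $deptPath @(
    (New-AllowRule $allUsers  'ListDirectory' 'None'),
    (New-AllowRule $deptGroup 'FullControl'   'ContainerInherit, ObjectInherit')
)

# Step 7: everything except Full Control, Delete Subfolders and Files,
# Change Permissions and Take Ownership is exactly the Modify right.
Set-FolderAcl $sharedPath @(
    (New-AllowRule $allUsers 'Modify' 'ContainerInherit, ObjectInherit')
)

# Review the resulting entries on both folders.
foreach ($p in $deptPath, $sharedPath) {
    (Get-Acl $p).Access | Format-Table IdentityReference, FileSystemRights, InheritanceFlags
}
```

With these ACLs in place, Access Based Enumeration on the share filters out the items inside FINANCE on which Domain Users hold no read permission, leaving SHARED visible to them.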

Author Closing Comment

by:Mark Webb
ID: 31507220
ABE is exactly what I was looking for.  Not only was it easy enough for me to understand and implement, but my users are thrilled at what they see, and more importantly what they don't have to weed through anymore.  THANKS