Windows Server 2008 - File structure problem - folders only show to those with rights to access/modify contents

Posted on 2011-04-24
Last Modified: 2012-05-11
I am creating a new file stucture on Windows Server 2008.

Background Information
I have created a new root folder called "PDrive" and have shared the folder with a share name of "PDrive" and the following permissions have been set:

SYSTEM - full control
Domain Users - Read & execute
Administrators - full control

I have created three sub folders (let's call them Administration, Projects, Shared Resources), all are NOT inheriting rights, but have the same rights as the root folder (this was done via the 'copy' option of the parent folder rights when deselecting 'include inheritable permissions from this object's parent' on the sub folders)

Each of the three sub folders has a number of business unit sub folders.

One of these folders 'Administration' is designed to house restricted sub folders.  One of these subfolders is called "Finance" and has the following permissions:

SYSTEM - full control
Administrators - full control
Finance-grp - modify

You will note that 'Domain Users' do not have any permissions like the root and first level sub folders above.  This is to restrict access only the 'Finance-grp' and the system/adminisrators groups for access/backup purposes.

The problem
The "Finance" folder is only visible in the file structure to users of the 'Finance-grp' and system/administrators.  If a non 'Finance-grp' user navigates into the parent folder 'Administration', they do not see the 'Finance' folder.  It is effectively as if it doesn't exist.

I would like the situation (which I am used to), whereby all users can see all folders, but only users with view/modify etc rights can access the said folder "Finance".  Users without rights would get an "access denied" message.

Is this problem something to do with Windows Server 2008 or the way in which I have applied security rights?  How can I rectify this problem?  

I understand that non-allowed users not being able to see the "Finance" folder may provide for added security, however we want all staff to be able to see all folders available through the whole structure (level one and two) regardless of whether or not they actually have access to the folder.  

Interestingly our existing file server structure works fine on the same windows 2008 server, however this was setup sometime ago during a SBS2003 to Server 2008 migration, so I am not sure if there is any difference between the two?  Both sets of folders (current and new file stuctures) are sitting within the 'Company' folder which I understand is a linkback to the SBS2003 days.

Any suggestions or advice are appreciated....
Many thanks

Question by:PAhelptech
    LVL 12

    Expert Comment

    Generally, the following ACL would need to added to the folders you want the users to see. I believe only the "List folder" one is required, but I'm including all of these as this is what I generally see used.

    List folder / read data
    Read attributes
    Read permissions

    This needs to be added on "This folder only" (under the advanced security settings). This should allow the user(s)/group(s) to see the folder and read the basic attributes of it, but will maintain the security of the items within it.

    Author Comment

    Dear Geowrian,

    Thanks for your reply.

    I applied the three security options you suggested to "This folder only", however the folder still didn't appear.  I added 'Read extended attributes' to your three and then it did show the folder, however when I double clicked the folder instead of getting "access denied" or similar I got a message within the explorer view of the folder saying "this folder is empty".

    I had really hoped for the "access denied" message.  Do you know why this isn't occuring?  I realise the items within are being protected, however a strong blunt "Access denied" is normal to see.  "This folder is empty" is a bit too ambiguous to end users.

    LVL 5

    Expert Comment

    Yes I think you will need to give list folder access for them to see the contents.
    LVL 12

    Expert Comment

    No problem. Hmm...I'm not getting that on my side, but I'm doing it on server 2003 over here. Maybe somebody with a similar Server 2008 setup can chime in.
    LVL 8

    Accepted Solution

    In 2008 it is a function called Access Based Enumeration that stops users seeing shares that they don't have rights to.  You can turn it off in the "Share and Storage Management" MMC.  See link below:


    Author Closing Comment

    Thank you very much tonyperth!

    Access-based enumeration was enabled.  I disabled the function following the general gist of the instructions on the link provided, and now all folders are showing to the end users.  If the end user clicks a folder for which they don't have access rights they receive "Access is Denied" message.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Join & Write a Comment

    In this article my aim is to list down the tools that are important for a Windows System Administrator (The Must Have!!) 1) The Basic: First of all the basics Ping, telnet, traceroute, whois net and netstat one must be familiar to these tools as…
    How can you create a game plan that lets you focus on special projects instead of running from cubicle to cubicle every day and feeling like you’ve accomplished nothing? Try these strategies for prioritizing your tasks, offloading what you can, and …
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now