NTFS Share Permissions issue

I am struggling to set up the correct permissions in Windows 2008R2, having moved our main fileserver files from an old Novell server.

I have a share \\fileserver\share1 in that share are folders eg:


The primary user of \\fileserver\share1 is our Health & Safety person and they have full access to read/write delete etc.

There is a Team of people who are responsible for writing reports and they need r/w access to several of the folders. There are others who need only read access to some of the folders (around 15 folders). The bulk of the folders (around 40 folders) are for the H&S person only and she adds/deletes new/old ones at a whim.

I set up the permissions on the NTFS share so that the group that needed RW access has it to the 12 folders they need RW access to. I set up the permissions so that the Read only group have read only access to the folders they need access to, and the effective permissions confirm this. I've granted both groups traverse rights to the root folder \\fileserver\share1

My MAJOR issue is that the users cannot navigate to the root share. ie: They try to browse to \\fileserver\share1 and get access denied. Sure they can get to \\fileserver1\share1\folder12 etc but not to the root.

I don't want to grant list/read access to the root otherwise they can read everything in the entire share which is not what is required.

Do they really need to have 12-15 different shortcuts to the folders inside the share? Surely windows permissions has a means of saying you can traverse that folder so I'll open it and show you only what you are allowed to access?

Surely it's not the case that the user has to have lots of shortcuts or need to remember the name and type the full path?

I have a similar problem with another folder \\fileserver\share2\documents\board meetings\reports

Now Share2 is the Chief Exec's share and he and his secretary have full rights to all the hundreds of folders in that hierarchy. He wants the senior management team to have write access to the reports folder, which I've granted. They have traverse rights on the \\fileserver\share2

Now it works fine if the senior manager types the full path \\fileserver\share2\documents\board meetings\reports in the Start | Run box, then maps a drive letter there or drags and drops a file. However, if they are in Word 2010 and click save as to save the report there, they WANT to be able to go to \\fileserver\share2 and simply navigate down to documents\board meetings\reports. However, they are barred access to folders they cannot read, it seems.

I think I have the permissions correct for reading/writing to the end (leaf) directory. What I cannot fathom is how to allow the users to navigate from the root to their desired folder.

Most users are on XP with a couple on Windows 7 in case that matters.
Just trying to help you, dude...
Let me try and clarify... By EVERYONE having the Bypass Traverse Checking right by default... means that you'd be setting the share folder permission to EVERYONE... which I know is not what you want. Create a group of users you want to be able to traverse and add that group to the GPO giving them the Bypass Traverse Checking right. Then all your file and sub-folder permissions stay the same.
Hope this was more clear... seriously... just trying to help.
You should be able to hide the folders in the share so they can only view what they are allowed to:

Set Read permission on your root share and change permissions on sub folders to NOT inherit... you'll have to set them all up individually but it should do what you want.
Miguel Angel Perez Muñoz Commented:
Another way may be to change the policy "Bypass traverse checking": http://technet.microsoft.com/en-us/library/cc739389(WS.10).aspx
ambisset (Author) Commented:

Sorry, completely unacceptable - there is no way that I'm going to trawl through every folder to remove inheritance. For two reasons: 1) It would take ages to set up, 2) It would mean that the minute a new folder is created by the primary user it would be readable by everyone who had read on the root. The primary user has a right to assume that any new files/folders created from that share will be private, but using this method they won't be.

That's no way to run a security setup.

Useful info however that setting was already set, so there must be something else I'm missing.

Just in case I missed something with this set-up what permissions should I put on
\\fileserver\share1 - root share where primary user creates her documents and folders.
\\fileserver\share1\folder1 - private sub folder only for use by primary user
\\fileserver\share1\folder2 - read only folder for group1, read write for primary user no access for group 2
\\fileserver\share1\folder3 - read write for group 2, read write for primary user no access for group 1

The issue is that whilst I set the folder2 & folder3 permissions they cannot navigate to \\fileserver\share1 and get a permissions violation.

I've granted users traverse rights already so I'm not sure what this achieves?

For clarity:
user goes directly to \\fileserver\share1\folder1\subfolder1 and can view/edit files (if they have view/edit permissions) - ie: they CAN read/write the files.
user tries to browse using windows explorer to \\fileserver\share1 then gets a permission denied error as they have no read rights to files in that folder only to things in \\fileserver\share1\folder1\subfolder1

I'd have expected that the user on browsing to \\fileserver\share1 would see folder1 and nothing else they could then click on folder1 and see subfolder1 they could then click on subfolder1 and view/edit the files.

ie: IT IS THE NAVIGATION that is blocked - going directly to the folder is fine.

Now if I was only talking about a single folder I'd say hey here's a shortcut just use that but I'm talking about lots of folders with new ones created and old ones deleted every month by the primary user. I cannot keep creating new shortcuts. I just want the users to be able to NAVIGATE to the folders they are allowed to see without seeing folders/files they are barred from viewing.

Is this possible in windows and if so how?
You don't need to remove inheritance from EVERY folder... just those top level folders in the share.  They can and should propagate permissions downward ...
If the top level is read only and not propagating... no readable by everyone folders would be created at that level...
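
The "read only and not propagating" ACE described in the comment above, as an added example that is not part of the original thread: it sets an allow ACE on the root that applies to that folder only, then reports whether any child folder, including one created afterwards, carries an ACE for the group. The demo path under `$env:TEMP`, the `BUILTIN\Users` stand-in for the read-only group, and the helper name `Get-GroupAceReport` are assumptions made for illustration.

```powershell
# Constructed demo tree; $root stands in for the share's root folder and
# $group for the read-only group (both are assumptions, not from the thread).
$root  = Join-Path $env:TEMP 'share1-demo'
$group = 'BUILTIN\Users'
New-Item -ItemType Directory -Force -Path $root, "$root\folder1", "$root\folder2" | Out-Null

# Allow ACE with InheritanceFlags 'None' and PropagationFlags 'None':
# it applies to this folder only and is not copied to children.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $group, 'ReadAndExecute', 'None', 'None', 'Allow'
$acl = Get-Acl -Path $root
$acl.AddAccessRule($rule)
Set-Acl -Path $root -AclObject $acl

# A folder created after the change, as the primary user would do.
New-Item -ItemType Directory -Force -Path "$root\newfolder" | Out-Null

# Hypothetical helper: per folder, count the ACEs that name the group and
# how many of those would be inherited by children.
function Get-GroupAceReport {
    param([string]$Path, [string]$Identity)
    $folders = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        $aces = @((Get-Acl -Path $folder.FullName).Access |
                  Where-Object { $_.IdentityReference.Value -eq $Identity })
        $inheritable = @($aces | Where-Object { $_.InheritanceFlags -ne 'None' })
        New-Object PSObject -Property @{
            Folder      = $folder.FullName
            GroupAces   = $aces.Count
            Inheritable = $inheritable.Count
        }
    }
}

Get-GroupAceReport -Path $root -Identity $group |
    Select-Object Folder, GroupAces, Inheritable | Format-Table -AutoSize
```

The group can then list the names in the root, while each child folder, new ones included, stays governed by its own ACL. A non-zero count on a child means the group is reaching it through some other ACE, for example one inherited from above the root.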

Miguel Angel Perez Muñoz Commented:
Grant Bypass traverse checking to users; it permits access to the target folder without navigating through folders that haven't got permissions.
ambisset (Author) Commented:
@jsdray there are 47 folders in the top level share. There are new folders created in the top level share every month, these new folders would require the primary user to remember to revoke permissions when she creates them as by default people would have read access using your scheme to any new folder. The default should be inaccessible not accessible.
Check this... (like Drashiel said) Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.
to go with my last and save some time...
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
ambisset (Author) Commented:
Ok, so the fact that the everyone group has bypass traverse checking by default means that it's irrelevant for me to set traverse folder. Removing bypass traverse checking then would limit it to only those I explicitly grant traverse folder to.

So since it was the default it shouldn't be an issue.

To be very very clear (I thought I had been)

User clicks on \\fileserver\share - gets access denied
User clicks on \\fileserver\share\subdir - gets access denied
User clicks on \\fileserver\share\subdir\folder - can view/edit folder

ie: they do have rights to the leaf folder but they cannot BROWSE aka NAVIGATE to the folder. They need to know the exact name of the folder and type it to go directly there clicking in windows explorer and trying to navigate from the root share gives access denied.

Issue is users demand the ability to click down through folder list to find stuff. I know folders are old hat and search is meant to be king these days but mine are stuck in the past and want to navigate.

I haven't come from a windows server background, so all the settings complexity is foreign to me. However, surely it must be possible to let users navigate to a directory with point and clicks rather than having to know its name first and type it?
ambisset (Author) Commented:
I gave up on this one. Windows permissions are just crap. It seems clear that the real solution is don't try to do what users have been doing for years and instead get them to adopt a different practice.

JSDray tried to help the most so for that reason alone I'm going to give him the solution points.
ambisset (Author) Commented:
Solution is Microsoft do permissions badly.