Solved

NTFS Share Permissions issue

Posted on 2011-09-14
Last Modified: 2012-05-12
I am struggling to set up the correct permissions in Windows 2008R2, having moved our main fileserver files from an old Novell server.

I have a share \\fileserver\share1; in that share are folders, e.g.:

\\fileserver\share1\folder1
\\fileserver\share1\folder2
...
\\fileserver\share1\folderN

The primary user of \\fileserver\share1 is our Health & Safety person and they have full access to read/write delete etc.

There is a Team of people who are responsible for writing reports and they need r/w access to several of the folders. There are others who need only read access to some of the folders (around 15 folders). The bulk of the folders (around 40 folders) are for the H&S person only and she adds/deletes new/old ones at a whim.

I set up the permissions on the NTFS share so that the group that needed RW access has it to the 12 folders they need RW access to. I set up the permissions so that the Read only group have read only access to the folders they need access to, and the effective permissions confirm this. I've granted both groups traverse rights to the root folder \\fileserver\share1.

My MAJOR issue is that the users cannot navigate to the root share, i.e. they try to browse to \\fileserver\share1 and get access denied. Sure, they can get to \\fileserver1\share1\folder12 etc., but not to the root.

I don't want to grant list/read access to the root otherwise they can read everything in the entire share which is not what is required.

Do they really need to have 12-15 different shortcuts to the folders inside the share? Surely Windows permissions has a means of saying you can traverse that folder so I'll open it and show you only what you are allowed to access?

Surely it's not the case that the user has to have lots of shortcuts or need to remember the name and type the full path?


I have a similar problem with another folder \\fileserver\share2\documents\board meetings\reports

Now Share2 is the Chief Exec's share and he and his secretary have full rights to all the hundreds of folders in that hierarchy. He wants the senior management team to have write access to the reports folder, which I've granted. They have traverse rights on the \\fileserver\share2

Now it works fine if the senior manager types the full path \\fileserver\share2\documents\board meetings\reports in the Start | Run box, then maps a drive letter there or drags and drops a file. However, if they are in Word 2010 and click Save As to save the report there, they WANT to be able to go to \\fileserver\share2 and simply navigate down to documents\board meetings\reports. However, they are barred access to folders they cannot read, it seems.


I think I have the permissions correct for reading/writing to the end (leaf) directory. What I cannot fathom is how to allow the users to navigate from the root to their desired folder.

Most users are on XP with a couple on Windows 7 in case that matters.
Question by:ambisset
13 Comments
 

Expert Comment

by:Sinder255248
ID: 36535740
You should be able to hide the folders in the share so they can only view what they are allowed to:

http://blogs.technet.com/b/aralves/archive/2007/09/20/windows-server-2008-access-based-enumeration.aspx

Expert Comment

by:jsdray
ID: 36535783
Set Read permission on your root share and change permissions on sub folders to NOT inherit... you'll have to set them all up individually but it should do what you want.

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 36535964
Another way may be to change the policy "Bypass traverse checking": http://technet.microsoft.com/en-us/library/cc739389(WS.10).aspx

Author Comment

by:ambisset
ID: 36537088
@jsdray

Sorry, completely unacceptable - there is no way that I'm going to trawl through every folder to remove inheritance. For two reasons: 1) It would take ages to set up, 2) It would mean that the minute a new folder is created by the primary user it would be readable by everyone who had read on the root. The primary user has a right to assume that any new files/folders created from that share will be private, but using this method they won't be.

That's no way to run a security setup.

@Sinder255248
Useful info however that setting was already set, so there must be something else I'm missing.

Just in case I missed something with this set-up what permissions should I put on
\\fileserver\share1 - root share where primary user creates her documents and folders.
\\fileserver\share1\folder1 - private sub folder only for use by primary user
\\fileserver\share1\folder2 - read only folder for group1, read write for primary user no access for group 2
\\fileserver\share1\folder3 - read write for group 2, read write for primary user no access for group 1

The issue is that whilst I set the folder2 & folder3 permissions they cannot navigate to \\fileserver\share1 and get a permissions violation.

@drashiel
I've granted users traverse rights already so I'm not sure what this achieves?




For clarity:
user goes directly to \\fileserver\share1\folder1\subfolder1 and can view/edit files (if they have view/edit permissions) - ie: they CAN read/write the files.
user tries to browse using windows explorer to \\fileserver\share1 then gets a permission denied error as they have no read rights to files in that folder only to things in \\fileserver\share1\folder1\subfolder1

I'd have expected that the user on browsing to \\fileserver\share1 would see folder1 and nothing else they could then click on folder1 and see subfolder1 they could then click on subfolder1 and view/edit the files.

ie: IT IS THE NAVIGATION that is blocked - going directly to the folder is fine.

Now if I was only talking about a single folder I'd say hey here's a shortcut just use that but I'm talking about lots of folders with new ones created and old ones deleted every month by the primary user. I cannot keep creating new shortcuts. I just want the users to be able to NAVIGATE to the folders they are allowed to see without seeing folders/files they are barred from viewing.

Is this possible in windows and if so how?

Expert Comment

by:jsdray
ID: 36538592
You don't need to remove inheritance from EVERY folder... just those top level folders in the share.  They can and should propagate permissions downward ...
If the top level is read only and not propagating... no readable by everyone folders would be created at that level...


   

Expert Comment

by:Miguel Angel Perez Muñoz
ID: 36541700
Grant Bypass traverse checking to users; it permits access to the target folder without navigating through folders that haven't got permissions.

Author Comment

by:ambisset
ID: 36541820
@jsdray there are 47 folders in the top level share. There are new folders created in the top level share every month, these new folders would require the primary user to remember to revoke permissions when she creates them as by default people would have read access using your scheme to any new folder. The default should be inaccessible not accessible.

Expert Comment

by:jsdray
ID: 36542266
Check this... (like Drashiel said) Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.

Expert Comment

by:jsdray
ID: 36542287
to go with my last and save some time...
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Author Comment

by:ambisset
ID: 36543778
Ok, so the fact that everyone group has bypass traverse checking by default means that it's irrelevant for me to set traverse folder. Removing bypass traverse checking then would limit it to only those I explicitly grant traverse folder to.

So since it was the default it shouldn't be an issue.

To be very very clear (I thought I had been)

User clicks on \\fileserver\share - gets access denied
User clicks on \\fileserver\share\subdir - gets access denied
User clicks on \\fileserver\share\subdir\folder - can view/edit folder

ie: they do have rights to the leaf folder but they cannot BROWSE aka NAVIGATE to the folder. They need to know the exact name of the folder and type it to go directly there clicking in windows explorer and trying to navigate from the root share gives access denied.

Issue is users demand the ability to click down through folder list to find stuff. I know folders are old hat and search is meant to be king these days but mine are stuck in the past and want to navigate.

I haven't come from a Windows server background, so all the settings complexity is foreign to me. However, surely it must be possible to let users navigate to a directory with point and clicks rather than having to know its name first and type it?

Accepted Solution

by:
jsdray earned 500 total points
ID: 36544494
Just trying to help you, dude...
Let me try and clarify... By EVERYONE having the Bypass Traverse Checking right by default... means that you'd be setting the share folder permission to EVERYONE... which I know is not what you want. Create a group of users you want to be able to traverse and add that group to the GPO giving them the Bypass Traverse Checking right. Then all your file and sub-folder permissions stay the same.
Hope this was more clear... seriously...just trying to help.

Author Comment

by:ambisset
ID: 37082220
I gave up on this one. Windows permissions are just crap. It seems clear that the real solution is don't try to do what users have been doing for years and instead get them to adopt a different practice.

JSDray tried to help the most so for that reason alone I'm going to give him the solution points.

Author Closing Comment

by:ambisset
ID: 37082221
Solution is Microsoft do permissions badly.
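
The two suggestions made in the thread (Read on the root, and access-based enumeration) can be combined by giving the groups a list/traverse ACE on the share root that applies to that folder only, so folders created later do not inherit it. The following is an added example, not part of any post in the thread; the local path, domain and group names are constructed placeholders, and access-based enumeration is assumed to be already enabled on the share, as the asker reports.

```powershell
# Added example. Path, domain and group names are constructed placeholders.
$root    = 'D:\Shares\share1'            # local path behind \\fileserver\share1 (assumed)
$readers = 'CONTOSO\HS-Readers'          # hypothetical "group 1" (read only)
$writers = 'CONTOSO\HS-Report-Writers'   # hypothetical "group 2" (read/write)
$groups  = $readers, $writers

# Root: list + traverse for both groups on THIS FOLDER ONLY.
# No (OI)/(CI) flags, so nothing below the root inherits the ACE.
foreach ($g in $groups) {
    icacls $root /grant "${g}:(RX)" | Out-Null
}

# Inheritable grants go only on the folders each group is meant to use.
icacls "$root\folder2" /grant "${readers}:(OI)(CI)(RX)" | Out-Null
icacls "$root\folder3" /grant "${writers}:(OI)(CI)(M)"  | Out-Null

# Returns the ACEs on $path that name either group.
function Get-GroupAce($path) {
    (Get-Acl $path).Access |
        Where-Object { $groups -contains $_.IdentityReference.Value }
}

# Check 1: the root ACEs for the groups must not be inheritable.
$leaky = Get-GroupAce $root | Where-Object { $_.InheritanceFlags -ne 'None' }
if ($leaky) { throw 'A group ACE on the share root is inheritable.' }

# Check 2: a folder created later must carry no ACE for either group,
# i.e. new folders are private by default.
$probe = New-Item -ItemType Directory -Path (Join-Path $root 'acl-probe')
try {
    if (Get-GroupAce $probe.FullName) {
        throw 'New top-level folders inherit group access.'
    }
} finally {
    Remove-Item $probe.FullName
}

# With access-based enumeration on the share, a member of $readers who opens
# \\fileserver\share1 is then shown folder2 only; folders and files they have
# no read access to are left out of the listing.
icacls $root    # print the resulting root ACL for review
```

For a nested target such as \\fileserver\share2\documents\board meetings\reports, the same this-folder-only grant is needed on each intermediate folder before users can click down to it.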