ambisset asked:

NTFS Share Permissions issue

I am struggling to set up the correct permissions in Windows 2008 R2, having moved our main fileserver files from an old Novell server.

I have a share \\fileserver\share1; in that share are folders, e.g.:

\\fileserver\share1\folder1
\\fileserver\share1\folder2
...
\\fileserver\share1\folderN

The primary user of \\fileserver\share1 is our Health & Safety person and they have full access to read/write/delete etc.

There is a Team of people who are responsible for writing reports and they need r/w access to several of the folders. There are others who need only read access to some of the folders (around 15 folders). The bulk of the folders (around 40 folders) are for the H&S person only and she adds/deletes new/old ones at a whim.

I set up the permissions on the NTFS share so that the group that needed RW access has it to the 12 folders they need RW access to. I set up the permissions so that the Read only group have read only access to the folders they need access to, and the effective permissions confirm this. I've granted both groups traverse rights to the root folder \\fileserver\share1.

My MAJOR issue is that the users cannot navigate to the root share, i.e. they try to browse to \\fileserver\share1 and get access denied. Sure they can get to \\fileserver1\share1\folder12 etc., but not to the root.

I don't want to grant list/read access to the root, otherwise they can read everything in the entire share, which is not what is required.

Do they really need to have 12-15 different shortcuts to the folders inside the share? Surely Windows permissions have a means of saying you can traverse that folder so I'll open it and show you only what you are allowed to access?

Surely it's not the case that the user has to have lots of shortcuts or needs to remember the name and type the full path?

I have a similar problem with another folder \\fileserver\share2\documents\board meetings\reports

Now Share2 is the Chief Exec's share and he and his secretary have full rights to all the hundreds of folders in that hierarchy. He wants the senior management team to have write access to the reports folder, which I've granted. They have traverse rights on \\fileserver\share2.

Now it works fine if the senior manager types the full path \\fileserver\share2\documents\board meetings\reports in the Start | Run box, then maps a drive letter there or drags and drops a file. However, if they are in Word 2010 and click Save As to save the report there, they WANT to be able to go to \\fileserver\share2 and simply navigate down to documents\board meetings\reports. However, they are barred access to folders they cannot read, it seems.

I think I have the permissions correct for reading/writing to the end (leaf) directory. What I cannot fathom is how to allow the users to navigate from the root to their desired folder.

Most users are on XP with a couple on Windows 7 in case that matters.
Sinder255248:

You should be able to hide the folders in the share so they can only view what they are allowed to:

http://blogs.technet.com/b/aralves/archive/2007/09/20/windows-server-2008-access-based-enumeration.aspx
Set Read permission on your root share and change permissions on sub folders to NOT inherit... you'll have to set them all up individually but it should do what you want.
Miguel Angel Perez Muñoz:

Other way may be to change the policy "Bypass traverse checking": http://technet.microsoft.com/en-us/library/cc739389(WS.10).aspx
ambisset (asker):

@jsdray

Sorry, completely unacceptable: there is no way that I'm going to trawl through every folder to remove inheritance, for two reasons. 1) It would take ages to set up. 2) It would mean that the minute a new folder is created by the primary user it would be readable by everyone who had read on the root. The primary user has a right to assume that any new files/folders created from that share will be private, but using this method they won't be.

That's no way to run a security setup.

@Sinder255248
Useful info however that setting was already set, so there must be something else I'm missing.

Just in case I missed something with this set-up, what permissions should I put on:
\\fileserver\share1 - root share where primary user creates her documents and folders.
\\fileserver\share1\folder1 - private sub folder only for use by primary user
\\fileserver\share1\folder2 - read only folder for group1, read write for primary user, no access for group 2
\\fileserver\share1\folder3 - read write for group 2, read write for primary user, no access for group 1

The issue is that whilst I set the folder2 & folder3 permissions they cannot navigate to \\fileserver\share1 and get a permissions violation.

@drashiel
I've granted users traverse rights already so I'm not sure what this achieves?

For clarity:
user goes directly to \\fileserver\share1\folder1\subfolder1 and can view/edit files (if they have view/edit permissions), i.e. they CAN read/write the files.
user tries to browse using Windows Explorer to \\fileserver\share1 and then gets a permission denied error, as they have no read rights to files in that folder, only to things in \\fileserver\share1\folder1\subfolder1.

I'd have expected that the user on browsing to \\fileserver\share1 would see folder1 and nothing else; they could then click on folder1 and see subfolder1, then click on subfolder1 and view/edit the files.

i.e. IT IS THE NAVIGATION that is blocked; going directly to the folder is fine.

Now if I was only talking about a single folder I'd say hey here's a shortcut just use that but I'm talking about lots of folders with new ones created and old ones deleted every month by the primary user. I cannot keep creating new shortcuts. I just want the users to be able to NAVIGATE to the folders they are allowed to see without seeing folders/files they are barred from viewing.

Is this possible in Windows and if so how?

You don't need to remove inheritance from EVERY folder... just those top level folders in the share. They can and should propagate permissions downward...
If the top level is read only and not propagating... no readable-by-everyone folders would be created at that level...

Granting Bypass traverse checking to users permits access to the target folder without navigating through folders that haven't got permissions.
@jsdray there are 47 folders in the top level share. There are new folders created in the top level share every month, these new folders would require the primary user to remember to revoke permissions when she creates them as by default people would have read access using your scheme to any new folder. The default should be inaccessible not accessible.
Check this... (like Drashiel said) Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.
to go with my last and save some time...
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
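The scheme the replies above describe (Read on the root that does not propagate, explicit rights on the folders each group needs, Access-Based Enumeration to hide the rest, no change to the default Bypass traverse checking), as an added worked example that is not part of the thread and not anyone's posted script; it assumes the share root is D:\share1 on the file server and uses placeholder groups CORP\hs-lead, CORP\report-readers and CORP\report-writers.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt on the
# file server. CORP\hs-lead = primary user, CORP\report-readers = read-only group,
# CORP\report-writers = read/write group (all placeholder names).
$root = 'D:\share1'

# 1. Explicit admin/SYSTEM ACEs first, then drop everything inherited from the
#    drive (e.g. BUILTIN\Users Read), then full control for the primary user that
#    propagates to every existing and future subfolder.
icacls $root /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
icacls $root /inheritance:r
icacls $root /grant 'CORP\hs-lead:(OI)(CI)F'

# 2. Let both groups LIST the root. With no (OI)(CI) flags the ACE is "this folder
#    only", so a folder the primary user creates next month does not inherit it and
#    stays private by default. Traverse (or the default Everyone "Bypass traverse
#    checking" right) only lets a user pass through; opening a folder in Explorer
#    needs List/Read on that folder, which is why the root gave access denied.
icacls $root /grant 'CORP\report-readers:R' 'CORP\report-writers:R'

# 3. Per-folder rights, inherited by that folder's own subfolders and files.
#    folder1 gets nothing extra, so only hs-lead and admins can open or see it.
icacls "$root\folder2" /grant 'CORP\report-readers:(OI)(CI)RX'
icacls "$root\folder3" /grant 'CORP\report-writers:(OI)(CI)M'

# 4. Access-Based Enumeration hides entries the caller cannot read, so each group
#    sees only its own folders at the root. On Server 2012+ use the SmbShare cmdlet;
#    on 2008 R2 tick "Enable access-based enumeration" in the share's Advanced
#    settings in Share and Storage Management instead.
Set-SmbShare -Name 'share1' -FolderEnumerationMode AccessBased -Force

# 5. Check: the root shows the group ACEs with InheritanceFlags = None, and a
#    freshly created folder carries only the hs-lead/admin/SYSTEM ACEs.
New-Item -ItemType Directory -Path "$root\new-folder-check" | Out-Null
foreach ($p in @($root, "$root\new-folder-check")) {
    Write-Host "--- $p"
    (Get-Acl $p).Access |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
}
Remove-Item "$root\new-folder-check"
```

Test as one of the group members afterwards: opening \\fileserver\share1 in Explorer should list only the permitted folders, and a folder the primary user creates later should not appear until an ACE is added for the group.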
OK, so the fact that the Everyone group has Bypass traverse checking by default means that it's irrelevant for me to set Traverse folder. Removing Bypass traverse checking would then limit it to only those I explicitly grant Traverse folder to.

So since it was the default it shouldn't be an issue.

To be very very clear (I thought I had been)

User clicks on \\fileserver\share - gets access denied
User clicks on \\fileserver\share\subdir - gets access denied
User clicks on \\fileserver\share\subdir\folder - can view/edit folder

i.e. they do have rights to the leaf folder but they cannot BROWSE aka NAVIGATE to the folder. They need to know the exact name of the folder and type it to go directly there; clicking in Windows Explorer and trying to navigate from the root share gives access denied.

Issue is users demand the ability to click down through folder list to find stuff. I know folders are old hat and search is meant to be king these days but mine are stuck in the past and want to navigate.

I haven't come from a Windows server background, so all the settings complexity is foreign to me. However, surely it must be possible to let users navigate to a directory with point and clicks rather than having to know its name first and type it?
ASKER CERTIFIED SOLUTION: jsdray

ambisset (asker):
I gave up on this one. Windows permissions are just crap. It seems clear that the real solution is don't try to do what users have been doing for years and instead get them to adopt a different practice.

JSDray tried to help the most so for that reason alone I'm going to give him the solution points.
Solution is Microsoft do permissions badly.