Solved

File Share Permissions Windows Server 2008

Posted on 2011-09-15
Last Modified: 2012-05-12
Hello all,
I have set up a file server running Windows Server 2008 and I have provisioned a share under which I have created many directories, one for each of my users. So, for example, the share is called Backup_Share, and in that I have directories such as joe.smith, ann.thompson, etc.

 I have enabled Access Based Enumeration and what I would like to do is control access to the user folders in such a way that when mapping to the share the users see and can access only their folder.

 Now, I know that share and NTFS permissions have to be configured independently, and that the most restrictive of the two takes precedence. I also realize I will have to stop the share's inheritance from its parent object. I was wondering if any of you could tell me the best process for doing this?  
Question by:BoxunloX
2 Comments
 

Accepted Solution

by: Krypton-IT-Solutions earned 500 total points
Hello, from what I have read if you are going to use ABE then if the user doesn't have 'READ' access on a folder then they simply don't see it.

I was told and have mostly followed the advice that the Share permission should give 'Everyone' access and then use NTFS permissions to restrict individual Users and Groups.

Below is a cutting from Microsoft...try it my way first and give 'Everyone' permission on the share but then restrict using NTFS permissions. If your tests fail then perhaps ABE looks to the Share permissions for 'READ' access on a User or Group and you will need to tweak.

Give it a go on a test folder :)

Regards
[advertising signature removed - modguy]

Access-based enumeration

Access-based enumeration allows users to see only the files and folders in an SMB-based shared folder to which they have permission to access. If a user does not have Read permissions for a folder, Windows hides the folder from the user’s view. This is useful for shared folders that contain many users’ home directories, for example.

To enable access-based enumeration on a shared folder

1. In Share and Storage Management, right-click the appropriate shared folder and then click Properties.
2. On the Sharing tab, click Advanced.
3. Select the Enable access-based enumeration checkbox and then click OK.

Additional considerations

 Granting a user Full Control NTFS permission on a shared resource enables that user to take ownership of the folder or volume, unless the user is restricted in some other way. Be cautious in granting Full Control.

 If you want to manage folder and volume access by using NTFS permissions exclusively, set share permissions to Full Control for Everyone. This simplifies management of share permissions, but NTFS permissions are more complex than share permissions.

NTFS permissions affect both local and remote access. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to shared network resources. Share permissions do not restrict access of any local user or terminal server user. Thus, share permissions do not provide privacy between users on a computer that is used by several users.

 By default, the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect the Anonymous group.

 You cannot modify the access permissions of folders or volumes that are shared for administrative purposes, such as C$ and ADMIN$.

 To open Share and Storage Management, click Start, point to Administrative Tools, and then click Share and Storage Management.

Author Closing Comment

by:BoxunloX
Following Krypton's suggestions got me to where I needed to be. The best way I found was to share the parent directory with everyone, then in the Advanced Security Options I stopped all sub-directories from inheriting their permissions from the parent. Then I allowed access via NTFS at the level I deemed necessary. Works like a charm and the users only see those directories that they have access to.
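
The NTFS side of the procedure described in this thread, scripted as an added example (it is not code from either poster): each user folder stops inheriting from the share root and gets explicit entries for its owner, Administrators and SYSTEM only, so access-based enumeration hides every other folder. The local path `D:\Backup_Share`, the domain name `CONTOSO`, and the rule that each folder name equals the user's logon name are assumptions; it expects PowerShell 2.0 or later in an elevated session, with the share permission and the ABE checkbox set in the GUI as described above.

```powershell
# Added example: per-user NTFS ACLs under a shared parent folder.
# Assumed values (not from the thread): local path and domain name.
$ShareRoot = 'D:\Backup_Share'
$Domain    = 'CONTOSO'

# Well-known SIDs, so the script does not depend on localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # NT AUTHORITY\SYSTEM

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Build an Allow ACE that applies to the folder, its subfolders and files.
function New-Rule($identity, [System.Security.AccessControl.FileSystemRights]$rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $identity, $rights, $inherit, $noProp, $allow
}

Get-ChildItem -Path $ShareRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_

    # Resolve the folder name to an account first; skip folders with no matching user.
    $account = New-Object System.Security.Principal.NTAccount -ArgumentList $Domain, $dir.Name
    try {
        $userSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "No account '$account' for folder '$($dir.Name)'; ACL left unchanged."
        return
    }

    $acl = Get-Acl -Path $dir.FullName
    # Stop inheriting from the share root and do not keep copies of the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs already present so only the three below remain.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $acl.AddAccessRule((New-Rule $admins 'FullControl'))
    $acl.AddAccessRule((New-Rule $system 'FullControl'))
    # Modify rather than Full Control: the user cannot take ownership or rewrite the ACL.
    $acl.AddAccessRule((New-Rule $userSid 'Modify'))
    Set-Acl -Path $dir.FullName -AclObject $acl

    # Emit the resulting ACEs for review.
    (Get-Acl -Path $dir.FullName).Access |
        Select-Object @{n='Folder';e={$dir.Name}}, IdentityReference, FileSystemRights, IsInherited
}
```

Every row in the output should show `IsInherited` as False; a folder that still lists a broad group such as Users or Everyone with read access will remain visible to all users despite ABE.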