Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

File Share Permissions Windows Server 2008

Posted on 2011-09-15
2
Medium Priority
?
471 Views
Last Modified: 2012-05-12
Hello all,
 I have setup a file server running Windows Server 2008 and I have provisioned a share under which I have created many directories, one for each of my users. So, for example, the share is called Backup_Share, and in that i have directories such as joe.smith, ann.thompson, etc.

 I have enabled Access Based Enumeration and what I would like to do is control access to the user folders in such a way that when mapping to the share the users see and can access only their folder.

 Now, I know that share and NTFS permissions have to be configured independently, and that the most restrictive of the two takes precedence. I also realize I will have to stop the share's inheritance from its parent object. I was wondering if any of you could tell me the best process for doing this?  
0
Comment
Question by:BoxunloX
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 3

Accepted Solution

by:
Krypton-IT-Solutions earned 2000 total points
ID: 36543434
Hello, from what I have read if you are going to use ABE then if the user doesn't have 'READ' access on a folder then they simply don't see it.

I was told and have mostly followed the advice that the Share permission should give 'Everyone' access and then use NTFS permissions to restrict individual Users and Groups.

Below is a cutting from Microsoft...try it my way first and give 'Everyone' permission on the share but then restrict using NTFS permissions. If your tests fails then perhaps ABE looks to the Share permissions for 'READ' access on a User or Group and you will need to tweak.

Give it a go on a test folder :)

Regards
[advertising signature removed - modguy]

Access-based enumeration

Access-based enumeration allows users to see only the files and folders in an SMB-based shared folder to which they have permission to access. If a user does not have Read permissions for a folder, Windows hides the folder from the user’s view. This is useful for shared folders that contain many users’ home directories, for example.

To enable access-based enumeration on a shared folder 1.
In Share and Storage Management, right-click the appropriate shared folder and then click Properties.

2.
On the Sharing tab, click Advanced.

3.
Select the Enable access-based enumeration checkbox and then click OK.

Additional considerations

 Granting a user Full Control NTFS permission on a shared resource enables that user to take ownership of the folder or volume, unless the user is restricted in some other way. Be cautious in granting Full Control.

 If you want to manage folder and volume access by using NTFS permissions exclusively, set share permissions to Full Control for Everyone. This simplifies management of share permissions, but NTFS permissions are more complex than share permissions.

NTFS permissions affect both local and remote access. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to shared network resources. Share permissions do not restrict access of any local user or terminal server user. Thus, share permissions do not provide privacy between users on a computer that is used by several users.

 By default, the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect the Anonymous group.

 You cannot modify the access permissions of folders or volumes that are shared for administrative purposes, such as C$ and ADMIN$.

 To open Share and Storage Management, click Start, point to Administrative Tools, and then click Share and Storage Management.
0
 
LVL 1

Author Closing Comment

by:BoxunloX
ID: 36899970
Following Krypton's suggestions got me to where I needed to be. The best way I found was to share the parent directory with everyone, then in the Advanced Security Options I stopped all sub-directories from inheriting their permissions from the parent. The I allowed access via NTFS at the level I deemed necessary. Works like a charm and the users only see those directories that they have access to.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question