Solved

File Share Permissions Windows Server 2008

Posted on 2011-09-15
Last Modified: 2012-05-12
Hello all,
I have set up a file server running Windows Server 2008 and I have provisioned a share under which I have created many directories, one for each of my users. So, for example, the share is called Backup_Share, and in that I have directories such as joe.smith, ann.thompson, etc.

 I have enabled Access Based Enumeration and what I would like to do is control access to the user folders in such a way that when mapping to the share the users see and can access only their folder.

 Now, I know that share and NTFS permissions have to be configured independently, and that the most restrictive of the two takes precedence. I also realize I will have to stop the share's inheritance from its parent object. I was wondering if any of you could tell me the best process for doing this?  
Question by:BoxunloX

Accepted Solution

by:
Krypton-IT-Solutions earned 500 total points
ID: 36543434
Hello, from what I have read if you are going to use ABE then if the user doesn't have 'READ' access on a folder then they simply don't see it.

I was told and have mostly followed the advice that the Share permission should give 'Everyone' access and then use NTFS permissions to restrict individual Users and Groups.

Below is a cutting from Microsoft... try it my way first and give 'Everyone' permission on the share but then restrict using NTFS permissions. If your tests fail then perhaps ABE looks to the Share permissions for 'READ' access on a User or Group and you will need to tweak.

Give it a go on a test folder :)

Regards
[advertising signature removed - modguy]

Access-based enumeration

Access-based enumeration allows users to see only the files and folders in an SMB-based shared folder to which they have permission to access. If a user does not have Read permissions for a folder, Windows hides the folder from the user’s view. This is useful for shared folders that contain many users’ home directories, for example.

To enable access-based enumeration on a shared folder

1. In Share and Storage Management, right-click the appropriate shared folder and then click Properties.
2. On the Sharing tab, click Advanced.
3. Select the Enable access-based enumeration checkbox and then click OK.

Additional considerations

 Granting a user Full Control NTFS permission on a shared resource enables that user to take ownership of the folder or volume, unless the user is restricted in some other way. Be cautious in granting Full Control.

 If you want to manage folder and volume access by using NTFS permissions exclusively, set share permissions to Full Control for Everyone. This simplifies management of share permissions, but NTFS permissions are more complex than share permissions.

NTFS permissions affect both local and remote access. NTFS permissions apply regardless of protocol. Share permissions, by contrast, apply only to shared network resources. Share permissions do not restrict access of any local user or terminal server user. Thus, share permissions do not provide privacy between users on a computer that is used by several users.

 By default, the Everyone group does not include the Anonymous group, so permissions applied to the Everyone group do not affect the Anonymous group.

 You cannot modify the access permissions of folders or volumes that are shared for administrative purposes, such as C$ and ADMIN$.

 To open Share and Storage Management, click Start, point to Administrative Tools, and then click Share and Storage Management.

Author Closing Comment

by:BoxunloX
ID: 36899970
Following Krypton's suggestions got me to where I needed to be. The best way I found was to share the parent directory with everyone, then in the Advanced Security Options I stopped all sub-directories from inheriting their permissions from the parent. Then I allowed access via NTFS at the level I deemed necessary. Works like a charm and the users only see those directories that they have access to.
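The NTFS side of the procedure discussed in this thread (inheritance stopped, one user per folder), scripted with `icacls` as an added example that is not code from either poster. The share root path, the domain name, and the rule that each folder name equals its owner's logon name are assumptions; users get Modify rather than Full Control, in line with the caution in the quoted Microsoft text.

```powershell
# Added example: per-user NTFS ACLs under a share that already has ABE enabled.
# Assumptions (not from the thread): the local path behind the share, the
# domain name, and that every folder is named after its owner's logon name.
$ShareRoot = 'D:\Backup_Share'   # hypothetical local path of the share
$Domain    = 'EXAMPLE'           # hypothetical NetBIOS domain name

# Well-known SIDs, so the script does not depend on the OS display language.
$Admins    = '*S-1-5-32-544'     # BUILTIN\Administrators
$System    = '*S-1-5-18'         # NT AUTHORITY\SYSTEM
$AuthUsers = '*S-1-5-11'         # NT AUTHORITY\Authenticated Users

function Invoke-Icacls {
    # Run icacls with the given arguments and stop on the first failure,
    # e.g. when a folder name does not map to an existing account.
    & icacls.exe $args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $args" }
}

# Share root: explicit ACEs are written first, inherited ones removed after,
# so the administrator running the script never loses access in between.
# Authenticated Users get Read & Execute on this folder only (no OI/CI flags):
# enough to open the share, and nothing flows down to the user folders.
Invoke-Icacls $ShareRoot /grant:r "${Admins}:(OI)(CI)F" "${System}:(OI)(CI)F" "${AuthUsers}:(RX)"
Invoke-Icacls $ShareRoot /inheritance:r

Get-ChildItem $ShareRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $account = "$Domain\$($_.Name)"

    # Modify (M) lets the user read, write and delete their own data but not
    # change permissions or take ownership, which Full Control would allow.
    Invoke-Icacls $_.FullName /grant:r "${account}:(OI)(CI)M" "${Admins}:(OI)(CI)F" "${System}:(OI)(CI)F"

    # Remove inherited ACEs so only the explicit entries above remain; with
    # ABE on, a user without Read on a folder no longer sees it listed.
    Invoke-Icacls $_.FullName /inheritance:r

    Write-Output "$($_.FullName) -> $account"
}
```

Run it from an elevated prompt on the file server. Explicit ACEs that were already on a folder for other accounts are left in place by `/grant:r`, so review one folder's resulting ACL with `icacls` before relying on it.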
