tommyo94 asked:

Folder Security on shared workstations

We have a Windows 2003 domain with 4 workstations that are logged in as position users and are never logged out. We have folders for the 20 employees that use those computers on a network drive. Just recently it has been discovered that people are snooping in other users' folders.

How can we set individual access to the folders?  The computers have to remain logged in due to the eight programs that are running or I would have just used domain permissions.

motnahp00:

Restrict access using both Sharing and NTFS permissions. The most restrictive combination wins.
You really need to have the workstations logged out and re-logged in based on the user that is going to use the machine (and not share with others).  From your post, it sounds like you have 4 logins but 20 employees.  Instead, with the 4 workstations, you should have 20 logins (one for each user).  Then you can restrict each user folder to that user.
tommyo94:
I have 4 generic logins (Positions 1, 2, 3, & 4) and then 20 employee logins. Due to the nature of the programs they cannot be logged out and logged back in without significant downtime. Can I use the employees' logins for the network share, but how do I make sure they are logged out?
Better to add members to security groups and then implement your permissions.
But I only want them to have access to their folder, not everyone's. Is there a setting to make sure they have to enter passwords each time they use the network share?
Please provide me your folder structure so I can provide better assistance.
Network Drive (M:\)
                    Employee #1
                    Employee #2
                    Employee #3
                    Employee #4
                    Employee #5

Etc (20 employees)

They should only be able to get into their own folder.  They are accessing the network share from one of four workstations which is generically logged in.
On the folder, configure the share permission for the security group to Allow Change.

On each subfolder, configure the NTFS permission to Allow Modify for the individual user.

This will permit access to the share but will lock down each folder to the specified employee.
OK, and Windows will prompt each user for their login credentials each time and not retain the previous employee's login information?
Windows will attempt to use pass-through authentication when the user tries to access the UNC path or initiates the net use command. If it doesn't recognize the credential attempt, then the user will be prompted to provide their username and password.
arnold:
Let's start from the beginning.
Based on your information, the position account logged into the workstation is required to start an application. Is there no other way for this application to run, i.e. as a service or on a dedicated server to which the individual users have no access?
The alternative is to use a document management system versus a file share based access given that you have common logins.
A document management system will enforce access permissions to the data.
An analogy is that you have a building with four entrances and they are always open. You are now trying to impose access rights to file shares. The problem is that file ownerships would tend to be based on the logged in user's credentials versus the individual user which the prior expert pointed out in their comments.
That is correct, the logins to the workstations are generic (Position 1-4) because of the 8 or more programs required to be running at all times. The programs can run under any user; the issue is the amount of time to shut down and restart each application and the critical nature of the applications.

I'm looking for a way so that anytime a person opens a folder on the network share it prompts them for a password (that is not stored or remembered, so the next person accessing the share on that computer also has to input a password).

Can you give an example of a document management system?
Exclude Position 1-4 from the NTFS permissions (security and share),
i.e. you would need to remove the Domain Users group from the NTFS permissions.
You would then need to add individual users for access, then each user to their own directory,
and make sure the users do not store their credentials.

How the shares are broken up will dictate how complex your task is.

Is there any way to have those applications running on another system, which would free up those workstations for use by individual users, or are those running programs what the users have to use?

You could enable auditing on the shares which will tell you which position accessed which folder, but you would then have to know which user was using the computer that logged in with those credentials.
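One way to put the two experts' advice (share Change for the employee group, NTFS Modify per employee on each subfolder, position accounts and Domain Users removed, no stored credentials) into practice, as an added example that is not from the thread. It assumes the data lives in D:\Users, the share is called Users, the domain is CORP, an Employees security group exists, and each employee's folder is named after their account; the user names are constructed samples.

```powershell
# Added example, not part of the thread. Steps 1-3 run as an administrator on the
# file server; step 4 runs on each of the four workstations.
$Root   = 'D:\Users'
$Share  = 'Users'
$Domain = 'CORP'
$Group  = "$Domain\Employees"              # assumed group holding the 20 employees
$Users  = @('jdoe', 'asmith', 'bwong')     # constructed sample accounts

# 1. Share permission: only the employee group gets Change. The generic
#    Position1-4 accounts are not in this group, so they get no share access.
net share "$Share=$Root" "/GRANT:$Group,CHANGE" | Out-Null

# 2. Root folder NTFS: drop inherited entries (this is where Domain Users / Users
#    usually come from), keep Administrators and SYSTEM, and give the group
#    read/list on the root only, so employees can browse to their own folder.
icacls $Root /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${Group}:(RX)" | Out-Null

# 3. Each subfolder NTFS: Modify for exactly one employee. Nobody else is listed,
#    so other employees and the position accounts are denied by NTFS.
foreach ($u in $Users) {
    $folder = Join-Path $Root $u
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
    icacls $folder /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "${Domain}\${u}:(OI)(CI)M" | Out-Null
}

# 4. On each workstation: stop Windows from saving the credentials typed at the
#    prompt. This registry value backs the policy "Network access: Do not allow
#    storage of passwords and credentials for network authentication".
#    Already-saved entries can be listed and removed with cmdkey /list and
#    cmdkey /delete:<server>.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'DisableDomainCreds' -Value 1 -Type DWord

# 5. Verify: one employee folder should list only Administrators, SYSTEM and
#    that single employee.
icacls (Join-Path $Root 'jdoe')
```

Even with stored credentials disabled, an SMB session opened with an employee's credentials stays attached to the position logon until it is closed (net use \\server\Users /delete) or times out, so the next person at that workstation may reuse it without a prompt; the per-folder NTFS ACLs are the control that actually holds.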
Those applications are critical and are what the users are interacting with. Is there a way to guarantee a prompt for a password and disable the saving of their credentials?