tommyo94 asked on

Folder Security on shared workstations

We have a Windows 2003 domain with 4 workstations that are logged in as position users and are never logged out.  We have folders for the 20 employees that use those computers on a network drive.  Just recently it has been discovered that people are snooping in other users' folders.

How can we set individual access to the folders?  The computers have to remain logged in due to the eight programs that are running or I would have just used domain permissions.

Thanks.
Network Security, Windows Server 2003, OS Security

Last Comment: arnold
8/22/2022 - Mon
motnahp00

Restrict access using both Sharing and NTFS permissions. The most restrictive combination wins.
Aeriden

You really need to have the workstations logged out and re-logged in based on the user that is going to use the machine (and not share with others).  From your post, it sounds like you have 4 logins but 20 employees.  Instead, with the 4 workstations, you should have 20 logins (one for each user).  Then you can restrict each user folder to that user.
tommyo94

ASKER
I have 4 generic logins (Positions 1, 2, 3, & 4) and then 20 employee logins.  Due to the nature of the programs they cannot be logged out and logged back in without significant downtime.  Can I use the employees' logins for the network share, but how do I make sure they are logged out?
motnahp00

Better to add members to security groups and then implement your permissions.
tommyo94

ASKER
But I only want them to have access to their folder, not everyone's.  Is there a setting to make sure they have to enter passwords each time they use the network share?
motnahp00

Please provide me your folder structure so I can provide better assistance.
tommyo94

ASKER
Network Drive (M:\)
                    Employee #1
                    Employee #2
                    Employee #3
                    Employee #4
                    Employee #5


Etc (20 employees)

They should only be able to get into their own folder.  They are accessing the network share from one of four workstations which is generically logged in.
motnahp00

On the folder, configure the share permission for the security group to Allow Change.

On each subfolder, configure the NTFS permission to Allow Modify for the individual user.

This will permit access to the share but will lock down each folder to the specified employee.
tommyo94

ASKER
Ok and Windows will prompt each user for their login credentials each time and not retain previous employees login information?
motnahp00

Windows will attempt to use pass-through authentication when the user tries to access the UNC path or initiates the net use command. If it doesn't recognize the credential attempt, then the user will be prompted to provide their username and password.
arnold

Let's start from the beginning.
Based on your information, the position account logged into the workstation is required to start an application. Is there no other way for this application to run, i.e. as a service or on a dedicated server to which the individual users have no access?
The alternative is to use a document management system versus a file share based access given that you have common logins.
A document management system will enforce access permissions to the data.
An analogy is that you have a building with four entrances and they are always open. You are now trying to impose access rights to file shares. The problem is that file ownerships would tend to be based on the logged in user's credentials versus the individual user which the prior expert pointed out in their comments.
tommyo94

ASKER
That is correct, the logins to the workstations are generic (Position 1-4) because of the 8 or more programs required to be running at all times.  The programs can run under any user; the issue is the amount of time to shut down and restart each application and the critical nature of the applications.

I'm looking for a way that anytime a person opens a folder on the network share it prompts them for a password (that is not stored or remembered, so the next person accessing the share on that computer has to also input a password).

Can you give an example of a document management system?
arnold

Exclude Position1-4 from the NTFS permissions (security and share),
i.e. you would need to remove the Domain Users group from the NTFS permissions.
You would then need to add individual users for access, then each user to their own directory,
and make sure the users do not store their credentials.

How the shares are broken up will dictate how complex your task is.

Is there any way to have those applications running on other systems, which will free up those workstations for use by individual users, or are those running programs what the users have to use?

You could enable auditing on the shares which will tell you which position accessed which folder, but you would then have to know which user was using the computer that logged in with those credentials.
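Added example (not from this thread) putting motnahp00's share/NTFS split and arnold's "remove Domain Users, grant each user their own directory, don't store credentials" advice into a script. Assumed names: domain CONTOSO, share root D:\Shares\Employees on the file server (mapped as M:\ on the workstations), subfolders named after each employee's logon name, and a file server called FILESERVER; the employee list is a constructed sample.

```powershell
# Run on the file server as an administrator. icacls ships with Server 2003 SP2 and later.
$Domain    = 'CONTOSO'
$ShareRoot = 'D:\Shares\Employees'
$Employees = @('jsmith', 'mjones', 'akhan')   # constructed sample; list all 20 logon names

# 1. Share level: leave the share itself open to the employees' security group with
#    Change (Computer Management > Shares on Server 2003; "net share /GRANT" needs 2008+).
#    The NTFS ACL on each subfolder then decides who actually gets in.

foreach ($user in $Employees) {
    $folder = Join-Path $ShareRoot $user
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

    # 2. Strip inherited ACEs so Domain Users (which includes Position1-4) no longer
    #    flows down from the share root, then grant only the owner, admins and SYSTEM.
    icacls $folder /inheritance:r | Out-Null
    icacls $folder /grant ("{0}\{1}:(OI)(CI)M" -f $Domain, $user) | Out-Null
    icacls $folder /grant 'BUILTIN\Administrators:(OI)(CI)F'     | Out-Null
    icacls $folder /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'        | Out-Null
}

# 3. Check: no Position account or Domain Users entry may remain on any employee folder.
Get-ChildItem $ShareRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl = icacls $_.FullName
    if (($acl -match 'Position[1-4]') -or ($acl -match 'Domain Users')) {
        Write-Warning "Unexpected principal still has rights on $($_.FullName)"
    }
}

# 4. On each Position workstation, run this when an employee is finished so the next
#    person is prompted again. SMB allows only one set of credentials per server per
#    logon session, so the previous connection must be dropped before a new user can
#    authenticate; cmdkey removes anything the user ticked "remember my password" on.
# net use M: /delete
# cmdkey /delete:FILESERVER
```

To stop credentials being saved in the first place, the Group Policy security option "Network access: Do not allow storage of passwords and credentials for network authentication" can be enabled on the four workstations; step 4 still clears the live session.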
tommyo94

ASKER
Those applications are critical and what the users are interacting with.  Is there a way to guarantee a prompt for a password and disable the saving of their credentials?
ASKER CERTIFIED SOLUTION
arnold
