Folder Security on shared workstations

tommyo94
We have a Windows 2003 domain with 4 workstations that are logged in as position users and are never logged out. We have folders for the 20 employees that use those computers on a network drive. Just recently it has been discovered that people are snooping in other users' folders.

How can we set individual access to the folders? The computers have to remain logged in due to the eight programs that are running, or I would have just used domain permissions.

Thanks.
Restrict access using both Sharing and NTFS permissions. The most restrictive combination wins.

Commented:
You really need to have the workstations logged out and re-logged in based on the user that is going to use the machine (and not shared with others). From your post, it sounds like you have 4 logins but 20 employees. Instead, with the 4 workstations, you should have 20 logins (one for each user). Then you can restrict each user folder to that user.

Author

Commented:
I have 4 generic logins (Positions 1, 2, 3, & 4) and then 20 employee logins. Due to the nature of the programs they cannot be logged out and logged back in without significant downtime. Can I use the employees' logins for the network share, but how do I make sure they are logged out?
Better to add members to security groups and then implement your permissions.

Author

Commented:
But I only want them to have access to their folder, not everyone's. Is there a setting to make sure they have to enter passwords each time they use the network share?
Please provide me your folder structure so I can provide better assistance.

Author

Commented:
Network Drive (M:\)
    Employee #1
    Employee #2
    Employee #3
    Employee #4
    Employee #5

Etc (20 employees)

They should only be able to get into their own folder. They are accessing the network share from one of four workstations which is generically logged in.
On the folder, configure the share permission for the security group to Allow Change.

On each subfolder, configure the NTFS permission to Allow Modify for the individual user.

This will permit access to the share but will lock down each folder to the specified employee.
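As an added example (not code from the original thread or from the expert above), this PowerShell script carries out the two steps just described: Change on the share for a security group, and Modify on each employee's subfolder for that employee only, with inheritance broken so nothing from the root (such as Domain Users) leaks into the subfolders. All names are assumptions: domain CONTOSO, server root D:\Employees published as the share Employees (mapped as M:), a group CONTOSO\EmployeeShareUsers holding the 20 employees, and folders named after each employee's logon name.

```powershell
# Added example, not from the original thread. Constructed names throughout.
$Domain     = 'CONTOSO'
$ShareRoot  = 'D:\Employees'
$ShareName  = 'Employees'
$ShareGroup = "$Domain\EmployeeShareUsers"
$Employees  = @('alice', 'bob', 'carol')   # constructed sample; use the 20 real logon names

# 1. Share permission: Change for the employee group, Full Control for admins.
#    Effective access is the more restrictive of share and NTFS, so Change at the
#    share level is enough; NTFS on each subfolder does the per-user lockdown.
#    (/GRANT on "net share" exists from Server 2008; on Server 2003 set the same
#    two entries in the share's Properties > Permissions dialog instead.)
net share "$ShareName=$ShareRoot" "/GRANT:$ShareGroup,CHANGE" "/GRANT:BUILTIN\Administrators,FULL"

# 2. NTFS on the share root: the group may list the root (needed to reach its own
#    subfolder) but that entry applies to this folder only and is not inherited.
$rootAcl = Get-Acl $ShareRoot
$rootAcl.SetAccessRuleProtection($true, $false)   # stop inheriting Domain Users, Users, etc.
$rootAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
$rootAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ShareGroup, 'ReadAndExecute', 'None', 'None', 'Allow')))   # this folder only
Set-Acl -Path $ShareRoot -AclObject $rootAcl

# 3. Each employee folder: only that employee (Modify) plus Administrators.
foreach ($user in $Employees) {
    $folder = Join-Path $ShareRoot $user
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

    $acl = Get-Acl $folder
    $acl.SetAccessRuleProtection($true, $false)   # break inheritance and drop inherited ACEs
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$user", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $folder -AclObject $acl
}
```

Run it on the file server as an administrator. Because the root grants the group list access on the root only, every employee still sees the other 19 folder names but gets "Access is denied" on opening them; access-based enumeration (available from Server 2003 SP1) can hide folders a user cannot open if that is preferred. Note that this only helps once the employees connect with their own credentials: any access made under the generic position logon is evaluated against that position account, which is why it must not be a member of the group.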

Author

Commented:
Ok, and Windows will prompt each user for their login credentials each time and not retain the previous employee's login information?
Windows will attempt to use pass-through authentication when the user tries to access the UNC path or when initiating the net use command. If it doesn't recognize the credential attempt, then the user will be prompted to provide their username and password.
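The pass-through behaviour just described is what makes the shared, always-logged-in workstation risky: once an employee's credentials have been used to open the share, the SMB session (and, if "Remember my credentials" was ticked, the stored password) remains available to the next person at the same desk. The PowerShell functions below, added here as an example and not part of the thread, show the workstation side: connecting with explicit credentials, disconnecting afterwards, checking Credential Manager for a saved entry, and the local security policy that stops such entries being saved at all. Server name FS01, share Employees and domain CONTOSO are assumptions.

```powershell
# Added example, not from the original thread. Constructed server/share names.
$Server = 'FS01'
$Share  = "\\$Server\Employees"

# Connect with explicit credentials. With the generic Position logon excluded
# from the share, pass-through authentication fails and Windows prompts; naming
# the user here makes the prompt explicit. No /savecred, no /persistent:yes.
function Connect-EmployeeShare {
    param([Parameter(Mandatory)][string]$User)
    net use M: $Share /user:"CONTOSO\$User" /persistent:no
}

# Drop the mapped drive and any drive-less session to the server when the
# employee is done. Windows allows only one set of credentials per server from
# a logon session (error 1219 otherwise), so the next employee cannot even
# connect as themselves until this has been run.
function Disconnect-EmployeeShare {
    net use M: /delete /y
    net use $Share /delete /y 2>$null
}

# Has anyone saved a password for the file server in Credential Manager?
function Get-CachedServerCredential {
    cmdkey /list | Select-String -Pattern $Server
}

# Remove such a saved entry.
function Remove-CachedServerCredential {
    cmdkey /delete:$Server
}

# Security option "Network access: Do not allow storage of passwords and
# credentials for network authentication". With this set, Credential Manager
# refuses to save domain credentials on the machine (applies to new logons).
function Disable-CredentialStorage {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'DisableDomainCreds' -Value 1 -Type DWord
}
```

A defender would set Disable-CredentialStorage through Group Policy on the four workstations rather than by hand, and pair it with a short logoff-style routine (Disconnect-EmployeeShare) that staff run when they leave the desk; without the disconnect, a still-open session is indistinguishable to the server from the employee who opened it.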
Distinguished Expert 2017

Commented:
Let's start from the beginning.
Based on your information, the position account logged into the workstation is required to start an application. Is there no other way for this application to run, i.e. as a service or on a dedicated server to which the individual users have no access?
The alternative is to use a document management system versus file share based access, given that you have common logins.
A document management system will enforce access permissions to the data.
An analogy is that you have a building with four entrances and they are always open. You are now trying to impose access rights to file shares. The problem is that file ownership would tend to be based on the logged-in user's credentials versus the individual user, which the prior expert pointed out in their comments.

Author

Commented:
That is correct, the logins to the workstations are generic (Position 1-4) because of the 8 or more programs required to be running at all times. The programs can run under any user; the issue is the amount of time to shut down and restart each application and the critical nature of the applications.

I'm looking for a way that anytime a person opens a folder on the network share it prompts them for a password (one that is not stored or remembered, so the next person accessing the share on that computer also has to input a password).

Can you give an example of a document management system?
Distinguished Expert 2017

Commented:
Exclude Position1-4 from the NTFS permissions (security and share),
i.e. you would need to remove the Domain Users group from the NTFS permissions.
You would then need to add the individual users for access, then each user to their own directory,
and make sure the users do not store their credentials.

How the shares are broken up will dictate how complex your task is.

Is there any way to have those applications running on another system, which would free up those workstations for use by individual users, or are those running programs what the users have to use?

You could enable auditing on the shares, which will tell you which position accessed which folder, but you would then have to know which user was using the computer that was logged in with those credentials.
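Two things in this comment are worth checking in code rather than by eye: that the generic position accounts and Domain Users really are gone from every employee folder, and that auditing is switched on so the Security log shows who opened what. The script below is an added example (not the expert's code) for the file server side. It assumes the root D:\Employees, domain CONTOSO, folders named after each employee's logon name, and generic accounts Position1 to Position4; the event IDs named in the comments are those Windows uses for object access auditing.

```powershell
# Added example, not from the original thread. Constructed names throughout.
$ShareRoot = 'D:\Employees'
$Domain    = 'CONTOSO'

# Principals that must never hold an Allow entry on an employee folder.
$Forbidden = @("$Domain\Domain Users", 'Everyone', 'BUILTIN\Users') +
             (1..4 | ForEach-Object { "$Domain\Position$_" })
# Principals permitted on every folder in addition to its own employee.
$Allowed   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-EmployeeFolderAcl {
    param([string]$Folder)
    $owner    = "$Domain\" + (Split-Path $Folder -Leaf)
    $acl      = Get-Acl $Folder
    $problems = @()

    # Inheritance left on means whatever sits on the root reaches in here.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inherits permissions from the share root'
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($id -eq $owner -or $Allowed -contains $id) { continue }
        if ($Forbidden -contains $id) {
            $problems += "forbidden principal $id has $($ace.FileSystemRights)"
        } else {
            $problems += "unexpected principal $id has $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{ Folder = $Folder; Owner = $owner; Problems = $problems }
}

# Report every employee folder that still lets someone other than its owner in.
Get-ChildItem $ShareRoot | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-EmployeeFolderAcl $_.FullName } |
    Where-Object { $_.Problems.Count -gt 0 } |
    Format-List

# Auditing: add a SACL under the share root so reads, writes and deletes are
# logged for every account. "Audit object access" (success and failure) must
# also be enabled in local or Group Policy; entries then appear in the Security
# log as events 560/567 on Server 2003 (4656/4663 on later versions) with the
# account that actually opened the file, so once employees connect as
# themselves the log names the employee rather than the position account.
function Enable-ShareAudit {
    param([string]$Path)
    $acl  = Get-Acl $Path -Audit     # needs SeSecurityPrivilege: run elevated
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles',
        'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Enable-ShareAudit $ShareRoot
```

Auditing every read on a busy share is noisy; if the log fills too fast, restrict the audit rule to Failure only (which still catches someone trying another employee's folder) or to the write and delete rights.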

Author

Commented:
Those applications are critical and are what the users are interacting with. Is there a way to guarantee a prompt for a password and disable the saving of their credentials?
Distinguished Expert 2017
Commented:
Not that I can think of.
Changing from file based shares to a document management system with access via a web browser is one way to guarantee access restriction; the problem is that each user has to make sure to delete/clear files stored in temp.
