Solved

File Server ACL's at root and sub directory level

Posted on 2013-06-06
10
470 Views
Last Modified: 2013-06-26
Can I ask a question about access permissions on file servers. Our admin ran some MBSA scans over our 5 corporate file servers that list out the share and directory access control lists. I appreciate this software reports the permissions at the root folder level, i.e. \\server\share - but what is baffling me is that the groups listed are only admin type groups; there are no entries for normal user groups who will be using these file server shares for team areas. So is it common to not add user groups at this level, and then add them at a sub directory level, i.e. \\server\share\directoryteam1, \\server\share\directoryteam2?

What confuses me is, don't you need some access to the root folder to be able to access any sub directory? i.e. if, say, domain user group "finance" isn't listed on the share or directory ACL at the root folder \\server\share but they do have access to \\server\share\financesfolder, will they still be able to access \\server\share\financesfolder if they don't have access to \\server\share?

Is this kind of setup common?
0
Question by:pma111
10 Comments
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 167 total points
ID: 39226973
You need to make sure that users who need to see folders down two or three levels have the "List Folder Contents" permission. Also, it's not uncommon, and in some cases can be a great practice, to have user/security groups have access at the top level, then get more defined/refined as you go down levels. Hope that helps.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 39229716
> but what is baffling me is the groups listed are only admin type groups, there's no entries for normal user groups who will be using these file server shares...
...and that cannot be true. Of course they need to be in those ACLs as "authenticated users" or everyone or "domain users" - otherwise they would not be able to even open the share.
So please double check.

Normal settings would be read-only access at top level and, where needed, modify access to certain groups on the subfolders. In detail:
top share -  share perms: everyone: modify, admins: full | NTFS-perms: everyone: read (this folder only), Admins: full (this folder and subfolders)
subfolders: [[no share perms as they don't need to be shared]] | NTFS-perms: group based: modify or read, admins: full
0
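The layout McKnife describes, built with icacls and New-SmbShare, as an added example that is not from the thread. The folder D:\Shares\Teams, the share name Teams and the groups CONTOSO\Finance and CONTOSO\HR are assumed names.

```powershell
# Added example (not from the thread): share open to Everyone, NTFS root read-only
# "this folder only", team groups given Modify on their own subfolders.
# Assumed names: D:\Shares\Teams, share "Teams", CONTOSO\Finance, CONTOSO\HR.
$Root   = 'D:\Shares\Teams'
$Share  = 'Teams'
$Admins = 'BUILTIN\Administrators'
$Teams  = @{ Finance = 'CONTOSO\Finance'; HR = 'CONTOSO\HR' }

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Share permissions: Everyone Change (modify), Administrators Full.
# The NTFS ACL underneath does the actual restriction.
New-SmbShare -Name $Share -Path $Root -ChangeAccess 'Everyone' -FullAccess $Admins | Out-Null

# NTFS on the root: stop inheriting from D:\Shares and drop the inherited entries,
# then Everyone: read/execute on this folder only (no (OI)(CI), so nothing propagates),
# Administrators: Full on this folder, subfolders and files.
icacls $Root /inheritance:r
icacls $Root /grant 'Everyone:(RX)'
icacls $Root /grant "${Admins}:(OI)(CI)F"

foreach ($team in $Teams.Keys) {
    $folder = Join-Path $Root $team
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    # The subfolder inherits only Administrators:F from the root; Everyone's read
    # entry did not propagate, so only the team group can enter. Modify, inheritable.
    icacls $folder /grant "$($Teams[$team]):(OI)(CI)M"
}
```

Because Everyone's entry on the root is non-inheritable, a user from a different team can open \\server\Teams and see the folder names but gets "Access denied" when entering a folder that is not theirs.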
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
ID: 39229956
NTFS permissions can be granular so that the root folder is not accessible but the subfolder is; the restriction is that these users cannot browse to the share but must go directly to the top folder that they have access to.

For instance, with folder redirection to \\servername\user$, the user doesn't have access to the root folder but they do have access to \\servername\user$\username and below.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39229992
Hi ve3ofa. So you say the user can have access to a folder that is not shared itself, while having no access to the parent folder that is shared? I doubt that and would like you to read out the permissions of NTFS and shares for me to verify, if you don't mind.

There is the setting "bypass traverse checking", yes, but that privilege is not held by default: "This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory"
0
 
LVL 3

Author Comment

by:pma111
ID: 39234198
Surely the bypass traverse checking though only covers the NTFS side of things; if you're not on the share ACL then regardless of whether you have root level directory NTFS access, or sub directory NTFS access with bypass traverse directory checking ... if you're not on the share ACL, then you still won't be able to access the directories on that share, correct?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39234266
Correct. Did you already double check your settings?
0
 
LVL 3

Author Comment

by:pma111
ID: 39234272
Yes, some of the shares are definitely only admin related groups. Checked and checked again.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39234276
Then check whether these groups contain the users by chance. Maybe they contain other groups and the users are in those? Sometimes we neglect things. If all that ain't the case, then please try to reproduce this behavior from at least another computer with the same user. If reproducible, read out the NTFS perms using icacls and the share perms using net share and quote both here for us to check.
0
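A script that collects what McKnife asks for here, the share ACL and the NTFS ACL of every non-administrative share plus one level of subfolders, and flags shares whose share ACL allows only admin principals; this is an added example, not code posted in the thread. The output file C:\Temp\acl-audit.txt and the list of admin-only principals are assumptions.

```powershell
# Added example (not from the thread): dump share and NTFS ACLs for review and mark
# shares where no ordinary principal appears in the share ACL, which is the case
# pma111 describes: NTFS access underneath is irrelevant if the share ACL blocks you.
# Assumed: run elevated on the file server; output path is arbitrary.
$Out = 'C:\Temp\acl-audit.txt'
New-Item -ItemType Directory -Path (Split-Path $Out) -Force | Out-Null

# Constructed list of principals treated as "admin only" for the flag.
$AdminOnly = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

$report = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    "=== Share: $($share.Name)  Path: $($share.Path) ==="
    '--- Share permissions (equivalent of: net share <name>) ---'
    $access = Get-SmbShareAccess -Name $share.Name
    $access | ForEach-Object {
        '  {0,-40} {1,-6} {2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
    }
    $nonAdmin = $access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($AdminOnly -notcontains $_.AccountName)
    }
    if (-not $nonAdmin) { '  !! Share ACL allows admin principals only; users cannot open this share' }

    '--- NTFS permissions (root) ---'
    icacls $share.Path | ForEach-Object { "  $_" }
    foreach ($sub in Get-ChildItem -Path $share.Path -Directory -ErrorAction SilentlyContinue) {
        "--- NTFS permissions: $($sub.FullName) ---"
        icacls $sub.FullName | ForEach-Object { "  $_" }
    }
    ''
}
$report | Tee-Object -FilePath $Out
```

Compare the flagged shares against the group memberships McKnife mentions (nested groups included) before concluding that users really have no path onto the share.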
 
LVL 54

Expert Comment

by:McKnife
ID: 39254702
Time for feedback :)
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39278908
What caused it?
0
