Solved

File Server ACLs at root and sub directory level

Posted on 2013-06-06
464 Views
Last Modified: 2013-06-26
Can I ask a question about access permissions on file servers. Our admin ran some MBSA scans for us over our 5 corporate file servers that list out the share and directory access control lists. I appreciate this software reports the permissions at the root folder level, i.e. \\server\share, but what is baffling me is that the groups listed are only admin type groups; there are no entries for normal user groups who will be using these file server shares for team areas. So is it common to not add user groups at this level, and then add them at a sub directory level, i.e. \\server\share\directoryteam1, \\server\share\directoryteam2?

What confuses me is, don't you need some access to the root folder to be able to access any sub directory? I.e. if, say, the domain user group "finance" isn't listed on the share or directory ACL at the root folder \\server\share, but they do have access to \\server\share\financesfolder, will they still be able to access \\server\share\financesfolder if they don't have access to \\server\share?

Is this kind of setup common?
0
Question by:pma111
10 Comments
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 167 total points
You need to make sure that users who need to see folders down two or three levels have the "List Folder Contents" permission.  Also, it's not uncommon, and in some cases can be a great practice, to have user/security groups have access at the top level, then get more define/refined as you go down levels.  Hope that helps.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 167 total points
> but what is baffling me is the groups listed are only admin type groups, there's no entries for normal user groups who will be using these file server shares...
...and that cannot be true. Of course they need to be in those ACLs as "authenticated users" or everyone or "domain users" - otherwise they would not be able to even open the share.
So please double check.

Normal settings would be read-only access at top level and, where needed, modify access to certain groups on the subfolders. In detail:
top share -  share perms: everyone: modify, admins: full | NTFS-perms: everyone: read (this folder only), Admins: full (this folder and subfolders)
subfolders: [[no share perms as they don't need to be shared]] | NTFS-perms: group based: modify or read, admins: full
0
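The layout McKnife describes, scripted as an added example (not code from the thread or from any poster). It assumes a constructed share root D:\Shares\Teams, share name Teams and team groups CORP\Finance and CORP\HR, and is run elevated on the file server (Windows Server 2012 or later for New-SmbShare).

```powershell
$Root  = 'D:\Shares\Teams'                                 # constructed path
$Share = 'Teams'
$Teams = @{ Finance = 'CORP\Finance'; HR = 'CORP\HR' }     # constructed team groups

function New-Ace {
    # Build an Allow ACE. $Inherit:$true = "this folder, subfolders and files",
    # $Inherit:$false = "this folder only".
    param([string] $Identity, [string] $Rights, [bool] $Inherit)
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $flags, 'None', 'Allow'
}

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# 1. Share permissions stay loose: Everyone Change, Administrators Full.
#    The NTFS ACLs below do the real restriction.
New-SmbShare -Name $Share -Path $Root -ChangeAccess 'Everyone' `
    -FullAccess 'BUILTIN\Administrators' | Out-Null

# 2. NTFS root: stop inheriting from the volume, then
#    Everyone: Read & Execute on this folder only (can open the share and see the
#    team folders, gets nothing inside them unless a subfolder grants it);
#    Administrators and SYSTEM: Full Control, inherited by everything below.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited ACEs
$acl.AddAccessRule((New-Ace 'Everyone' 'ReadAndExecute' $false))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $true))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' $true))
Set-Acl -Path $Root -AclObject $acl

# 3. Team subfolders: inherit the admin ACEs from the root (Everyone's root ACE does
#    not propagate) and add Modify for the team group on this folder, subfolders, files.
foreach ($team in $Teams.Keys) {
    $path = Join-Path $Root $team
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $sub = Get-Acl -Path $path
    $sub.AddAccessRule((New-Ace $Teams[$team] 'Modify' $true))
    Set-Acl -Path $path -AclObject $sub
}

# Read back the result, the same view "net share" and icacls would give.
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessControlType, AccessRight
Get-ChildItem -Path $Root -Directory | ForEach-Object { Get-Acl -Path $_.FullName } |
    Format-Table Path, AccessToString -Wrap
```

A user who is in no team group can open \\server\Teams and list the team folders, but is refused inside each of them; a Finance member gets Modify only under Finance.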
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
NTFS permissions can be granular so that the root folder is not accessible but the subfolder is. The restriction is that these users cannot browse to the share but must go directly to the top folder that they have access to.

For instance, with folder redirection to \\servername\user$, the user doesn't have access to the root folder but they do have access to \\servername\user$\username and below.
0
 
LVL 53

Expert Comment

by:McKnife
Hi ve3ofa. So you say the user can have access to a folder that is not shared itself, while having no access to the parent folder that is shared? I doubt that and would like you to read out the permissions of NTFS and shares for me to verify, if you don't mind.

There is the setting "bypass traverse checking", yes, but that privilege is not held by default: "This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory".
0
 
LVL 3

Author Comment

by:pma111
Surely the bypass traverse checking though only covers the NTFS side of things. If you're not on the share ACL then, regardless of whether you have root level directory NTFS access, or sub directory NTFS access with bypass traverse checking... if you're not on the share ACL, then you still won't be able to access the directories on that share, correct?
0

 
LVL 53

Expert Comment

by:McKnife
Correct. Did you already double check your settings?
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Yes, some of the shares are definitely only admin related groups. Checked and checked again.
0
 
LVL 53

Expert Comment

by:McKnife
Then check whether these groups contain the users by chance. Maybe they contain other groups and the users are in those? Sometimes we neglect things. If all that ain't the case, then please try to reproduce this behavior from at least another computer with the same user. If reproducible, read out the NTFS perms using icacls and the share perms using net share and quote both here for us to check.
0
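An added example (not from the thread or any poster) of reading the two gates back out for one group and one subfolder, the check McKnife asks for with icacls and net share, done with the PowerShell equivalents. It assumes the Get-Smb* cmdlets (Windows Server 2012 or later), a constructed share 'Teams' with subfolder 'Finance' and group CORP\Finance, and it does not expand nested group membership, evaluate Deny ACEs or map generic (GENERIC_*) rights.

```powershell
# Gate 1: is the group (or a broad group covering its members) on the share ACL?
# Gate 2: does every folder from the share root down to the target grant it
#         Traverse and List, the NTFS rights needed to walk into and open it?
function Test-ShareFolderAccess {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $SubFolder,   # path relative to the share root
        [Parameter(Mandatory)] [string] $Principal    # e.g. 'CORP\Finance'
    )
    $FILE_LIST_DIRECTORY = 1    # FileSystemRights ListDirectory / ReadData
    $FILE_TRAVERSE       = 32   # FileSystemRights Traverse / ExecuteFile
    # Principals whose ACEs also apply to members of $Principal.
    $broad = @($Principal, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

    $share   = Get-SmbShare -Name $ShareName
    $onShare = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName }
    [pscustomobject]@{
        Level = 'share'; Path = "\\$env:COMPUTERNAME\$ShareName"
        Traverse = [bool]$onShare; List = [bool]$onShare
        GrantedBy = ($onShare.AccountName -join ', ')
    }

    # Walk root -> target. "Bypass traverse checking", where the user holds it, removes
    # the Traverse requirement on intermediate folders, never the share ACL requirement.
    $current = $share.Path
    $steps = @('') + @($SubFolder -split '[\\/]' | Where-Object { $_ })
    foreach ($step in $steps) {
        if ($step) { $current = Join-Path $current $step }
        $aces = @((Get-Acl -Path $current).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value })
        $rights = 0
        foreach ($ace in $aces) { $rights = $rights -bor [int]$ace.FileSystemRights }
        [pscustomobject]@{
            Level = 'ntfs'; Path = $current
            Traverse = (($rights -band $FILE_TRAVERSE) -ne 0)
            List     = (($rights -band $FILE_LIST_DIRECTORY) -ne 0)
            GrantedBy = (($aces.IdentityReference.Value | Sort-Object -Unique) -join ', ')
        }
    }
}
Test-ShareFolderAccess -ShareName 'Teams' -SubFolder 'Finance' -Principal 'CORP\Finance' |
    Format-Table -AutoSize
```

A row with Traverse false on the share level explains a refused connection regardless of what NTFS says; a false on an intermediate NTFS folder explains why browsing fails while a direct UNC path to the target may still work.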
 
LVL 53

Expert Comment

by:McKnife
Time for feedback :)
0
 
LVL 53

Expert Comment

by:McKnife
What caused it?
0
