Solved

File Server ACLs at root and sub directory level

Posted on 2013-06-06
Last Modified: 2013-06-26
Can I ask a question about access permissions on file servers? Our admin ran us some MBSA scans over our 5 corporate file servers that list out the share and directory access control lists. I appreciate this software reports the permissions at the root folder level, i.e. \\server\share - but what is baffling me is the groups listed are only admin type groups, there are no entries for normal user groups who will be using these file server shares for team areas. So is it common to not add user groups at this level, and then add them at a sub directory level? i.e. \\server\share\directoryteam1 \\server\share\directoryteam2

What confuses me is don't you need some access to the root folder to be able to access any sub directory? i.e. if say domain user group "finance" isn't listed on the share or directory ACL at the root folder \\server\share but then they do have access to \\server\share\financesfolder, will they be able to still access \\server\share\financesfolder if they don't have access to \\server\share?

Is this kind of setup common?
Question by:pma111
10 Comments
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 167 total points
ID: 39226973
You need to make sure that users who need to see folders down two or three levels have the "List Folder Contents" permission. Also, it's not uncommon, and in some cases can be a great practice, to have user/security groups have access at the top level, then get more defined/refined as you go down levels. Hope that helps.
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 39229716
> but what is baffling me is the groups listed are only admin type groups, there's no entries for normal user groups who will be using these file server shares...
...and that cannot be true. Of course they need to be in those ACLs as "authenticated users" or everyone or "domain users" - otherwise they would not be able to even open the share.
So please double check.

Normal settings would be read-only access at top level and, where needed, modify access to certain groups on the subfolders. In detail:
top share -  share perms: everyone: modify, admins: full | NTFS-perms: everyone: read (this folder only), Admins: full (this folder and subfolders)
subfolders: [[no share perms as they don't need to be shared]] | NTFS-perms: group based: modify or read, admins: full
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
ID: 39229956
NTFS permissions can be granular so that the root folder is not accessible but the subfolder can be. The restriction is that these users cannot browse to the share but must go to the top folder that they have access to.

For instance, with folder redirection \\servername\user$ the user doesn't have access to the root folder but they do have access to \\servername\user$\username and below.
 
LVL 54

Expert Comment

by:McKnife
ID: 39229992
Hi ve3ofa. So you say the user can have access to a folder that is not shared itself, while having no access to the parent folder that is shared? I doubt that and would like you to read out the permissions of NTFS and shares for me to verify, if you don't mind.

There is the setting "bypass traverse checking", yes, but that privilege is not held by default: "This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory"
 
LVL 3

Author Comment

by:pma111
ID: 39234198
Surely the bypass traverse checking though only covers the NTFS side of things. If you're not on the share ACL, then regardless of whether you have root level directory NTFS access, or sub directory NTFS access with bypass traverse directory checking ... if you're not on the share ACL, then you still won't be able to access the directories on that share, correct?
 
LVL 54

Expert Comment

by:McKnife
ID: 39234266
Correct. Did you already double check your settings?
 
LVL 3

Author Comment

by:pma111
ID: 39234272
Yes, some of the shares are definitely only admin related groups. Checked and checked again.
 
LVL 54

Expert Comment

by:McKnife
ID: 39234276
Then check whether these groups contain the users by chance. Maybe they contain other groups and the users are in those? Sometimes we neglect things. If all that ain't the case, then please try to reproduce this behavior from at least another computer with the same user. If reproducible, read out the NTFS perms using icacls and the share perms using net share and quote both here for us to check.
0
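The check suggested in the comment above (read out the share and NTFS permissions, then see whether the listed groups contain the user through nesting), as an added PowerShell example that is not part of the original thread. It assumes it is run on the file server itself (Windows Server 2012 or later, for the SmbShare cmdlets) with the ActiveDirectory module installed; the share name and user name are placeholders.

```powershell
# Added example. Run on the file server; needs the SmbShare and ActiveDirectory modules.
$ShareName = 'share'   # placeholder: the share part of \\server\share
$User      = 'jdoe'    # placeholder: sAMAccountName of an affected user

Import-Module ActiveDirectory

# Every AD group that contains the user directly or through nesting
# (LDAP_MATCHING_RULE_IN_CHAIN). A DN containing ( ) * or \ would need LDAP escaping.
$adUser = Get-ADUser -Identity $User -Properties PrimaryGroup
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($adUser.DistinguishedName))"

# Names that apply to the user: the account itself, its groups, the primary group
# (not stored in the 'member' attribute) and the implicit identities.
# Groups that the primary group is nested into are not followed here.
$applies  = @($User) + @($nested | ForEach-Object { $_.SamAccountName })
$applies += (Get-ADGroup -Identity $adUser.PrimaryGroup).SamAccountName
$applies += 'Everyone', 'Authenticated Users'

# Local path behind the share, so the NTFS ACL of the share root can be read.
$path = (Get-SmbShare -Name $ShareName).Path

$rows  = @(Get-SmbShareAccess -Name $ShareName | ForEach-Object {
    [pscustomobject]@{ Layer = 'Share'; Principal = $_.AccountName
                       Type = $_.AccessControlType; Rights = $_.AccessRight }
})
$rows += @((Get-Acl -Path $path).Access | ForEach-Object {
    [pscustomobject]@{ Layer = 'NTFS'; Principal = $_.IdentityReference.Value
                       Type = $_.AccessControlType; Rights = $_.FileSystemRights }
})

# Match on the account name after the DOMAIN\ prefix. Local groups such as
# BUILTIN\Administrators are not expanded and are matched by name only,
# so verify their membership separately.
$rows | ForEach-Object {
    $name = ($_.Principal -split '\\')[-1]
    $_ | Add-Member -NotePropertyName AppliesToUser `
                    -NotePropertyValue ($applies -contains $name) -PassThru
} | Format-Table -AutoSize
```

A user needs a matching Allow entry in both the Share rows and the NTFS rows; if only admin groups appear and none is marked as applying to the user, the share ACL is what blocks access.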
 
LVL 54

Expert Comment

by:McKnife
ID: 39254702
Time for feedback :)
 
LVL 54

Expert Comment

by:McKnife
ID: 39278908
What caused it?