Solved

File Server ACL's at root and sub directory level

Posted on 2013-06-06
Last Modified: 2013-06-26
Can I ask a question about access permissions on file servers. Our admin ran us some MBSA scans over our 5 corporate file servers that list out the share and directory access control lists. I appreciate this software reports the permissions at the root folder level, i.e. \\server\share, but what is baffling me is the groups listed are only admin type groups; there's no entries for normal user groups who will be using these file server shares for team areas. So is it common to not add user groups at this level, and then add them at a sub directory level, i.e. \\server\share\directoryteam1, \\server\share\directoryteam2?

What confuses me is don't you need some access to the root folder to be able to access any sub directory? I.e. if say domain user group "finance" isn't listed on the share or directory ACL at the root folder \\server\share but they do have access to \\server\share\financesfolder, will they still be able to access \\server\share\financesfolder if they don't have access to \\server\share?

Is this kind of setup common?
Question by:pma111
10 Comments
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 167 total points
ID: 39226973
You need to make sure that users who need to see folders down two or three levels have the "List Folder Contents" permission. Also, it's not uncommon, and in some cases can be a great practice, to have user/security groups have access at the top level, then get more defined/refined as you go down levels. Hope that helps.
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 39229716
> but what is baffling me is the groups listed are only admin type groups, there's no entries for normal user groups who will be using these file server shares...
...and that cannot be true. Of course they need to be in those ACLs as "authenticated users" or everyone or "domain users" - otherwise they would not be able to even open the share.
So please double check.

Normal settings would be read-only access at top level and, where needed, modify access to certain groups on the subfolders. In detail:
top share -  share perms: everyone: modify, admins: full | NTFS-perms: everyone: read (this folder only), Admins: full (this folder and subfolders)
subfolders: [[no share perms as they don't need to be shared]] | NTFS-perms: group based: modify or read, admins: full
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
ID: 39229956
NTFS permissions can be granular so that the root folder is not accessible but the subfolder can be; the restriction is that these users cannot browse to the share but must go directly to the top folder that they have access to.

For instance, with folder redirection  \\servername\user$  the user doesn't have access to the root folder but they do have access to \\servername\user$\username and below
 
LVL 54

Expert Comment

by:McKnife
ID: 39229992
Hi ve3ofa. So you say the user can have access to a folder that is not shared itself, while having no access to the parent folder that is shared? I doubt that and would like you to read out the permissions of NTFS and shares for me to verify, if you don't mind.

There is the setting "bypass traverse checking", yes, but that privilege is not held by default: "This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory"
 
LVL 3

Author Comment

by:pma111
ID: 39234198
Surely the bypass traverse checking though only covers the NTFS side of things; if you're not on the share ACL then regardless of whether you have root level directory NTFS access, or sub directory NTFS access with bypass traverse directory checking ... if you're not on the share ACL, then you still won't be able to access the directories on that share, correct?
 
LVL 54

Expert Comment

by:McKnife
ID: 39234266
Correct. Did you already double check your settings?
 
LVL 3

Author Comment

by:pma111
ID: 39234272
Yes, some of the shares are definitely only admin related groups. Checked and checked again.
 
LVL 54

Expert Comment

by:McKnife
ID: 39234276
Then check whether these groups contain the users by chance. Maybe they contain other groups and the users are in those? Sometimes we neglect things. If all that ain't the case, then please try to reproduce this behavior from at least another computer with the same user. If reproducible, read out the NTFS perms using icacls and the share perms using net share and quote both here for us to check.
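An added example, not from this thread, of the read-out McKnife asks for, done in PowerShell rather than icacls/net share so both layers come out side by side: it lists the share-level ACL and then the NTFS Allow entries for a named group and the broad principals (Everyone, Authenticated Users, Users) at the share root and its first-level subfolders. It assumes Windows Server 2012 or later (the SmbShare module) and is run locally on the file server; the share name and group name are placeholders.

```powershell
# Added example, not from the thread: compare share-level and NTFS permissions
# for one group at a share root and its first-level subfolders.
# Assumes Windows Server 2012+ (SmbShare module), run locally on the file server.
param(
    [string]$ShareName = 'share',          # assumption: share to audit
    [string]$Group     = 'DOMAIN\finance'  # assumption: group from the question
)

# Principals that would give "normal users" access alongside the named group.
$watch = @($Group, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Get-NtfsAllowFor {
    param([string]$Path, [string[]]$Identities)
    # Allow ACEs only; InheritanceFlags 'None' means "this folder only".
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -in $Identities } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $Path
                Identity   = $_.IdentityReference.Value
                Rights     = $_.FileSystemRights
                Inherit    = $_.InheritanceFlags
                FromParent = $_.IsInherited
            }
        }
}

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

Write-Host "== Share ACL on \\$env:COMPUTERNAME\$ShareName (path $($share.Path)) =="
$shareAcl = Get-SmbShareAccess -Name $ShareName
$shareAcl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host

# Gate 1: the share ACL. A principal with no Allow here never reaches NTFS over SMB.
$gate = $shareAcl | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $watch }
if (-not $gate) {
    Write-Warning "Neither $Group nor a broad group is allowed on the share ACL; NTFS rights below $($share.Path) cannot be used through this share."
}

# Gate 2: NTFS ACEs at the root and one level down.
Write-Host "== NTFS Allow ACEs for $($watch -join ', ') =="
$paths = @($share.Path) + @(Get-ChildItem -Path $share.Path -Directory | ForEach-Object FullName)
$paths | ForEach-Object { Get-NtfsAllowFor -Path $_ -Identities $watch } |
    Format-Table Path, Identity, Rights, Inherit, FromParent -AutoSize | Out-Host
# Note: this reports ACEs only; it does not expand nested group membership
# or evaluate the "Bypass traverse checking" user right discussed above.
```

If the warning fires while the NTFS table still shows the group on a subfolder, that is exactly the mismatch pma111 describes and the share ACL is the layer to fix.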
 
LVL 54

Expert Comment

by:McKnife
ID: 39254702
Time for feedback :)
 
LVL 54

Expert Comment

by:McKnife
ID: 39278908
What caused it?