Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

File Server ACL's at root and sub directory level

Posted on 2013-06-06
10
Medium Priority
?
476 Views
Last Modified: 2013-06-26
Can I ask a quesion about access permissions on file servers.Our admin ran us some MBSA scans over our 5 corporate file servers that lists out the share and directory access control lists. I appreciate this software reports the permissions at the root folder level i.e. \\server\share - but what is baffling me is the groups listed are only admin type groups, there's no entries for normal user groups who will be using these file server shares for team areas. So is it common to not add user groups at this level, and then add them at a sub directory level. i.e. \\server\share\directoryteam1 \\server\share\directoryteam2

What confuses me is don't you need some access to the root folder to be able to access any sub directory? i.e. if say domain user group "finance" isn't listed on the share or directory ACL at the root folder \\server\share but then they do have access to \\server\share\financesfolder will they be able to still access \\server\share\financesfolder if they don't have access to \\server\share

Is this kind of setup common?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 668 total points
ID: 39226973
You need to make sure that users who need to see folders down two or three levels have the "List Folder Contents" permission.  Also, it's not uncommon, and in some cases can be a great practice, to have user/security groups have access at the top level, then get more define/refined as you go down levels.  Hope that helps.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 668 total points
ID: 39229716
> but what is baffling me is the groups listed are only admin type groups, there's no entries for normal user groups who will be using these file server shares...
...and that cannot be true. Of course they need to be in those ACLs as "authenticated users" or everyone or "domain users" - otherwise they would not be able to even open the share.
So please double check.

Normal settings would be read-only access at top level and, where needed, modify access to certain groups on the subfolders. In detail:
top share -  share perms: everyone: modify, admins: full | NTFS-perms: everyone: read (this folder only), Admins: full (this folder and subfolders)
subfolders: [[no share perms as they don't need to be shared]] | NTFS-perms: group based: modify or read, admins: full
0
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 664 total points
ID: 39229956
NTFS permissions can be granular so that the root folder is not accessible but the subfolder can be the restriction is that these users cannot browse to the share but must go to the top folder that they have access to.

For instance, with folder redirection  \\servername\user$  the user doesn't have access to the root folder but they do have access to \\servername\user$\username and below
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 56

Expert Comment

by:McKnife
ID: 39229992
Hi ve3ofa. So you say the user can have access to a folder that is not shared itself, while having no access to the parent folder that is shared? I doubt that and would like you to read out the permissions of NTFS and shares for me to verify, if you don't mind.

There is the setting "bypass traverse checking", yes, but that privilege is not held by default: "This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory"
0
 
LVL 3

Author Comment

by:pma111
ID: 39234198
Surely the bypass traverse checking though only covers NTFS side of things, if your not on the share ACL then regardless of whether you have root level directory NTFS access, or sub directory NTFS access with bypass traverse directory checking ... if your not on the share ACL, then you still wont be able to access the directories on that share, correct?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39234266
Correct. Did you already double check your settings?
0
 
LVL 3

Author Comment

by:pma111
ID: 39234272
Yes some of the shares are definately only admin related groups. Checked and checked again.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39234276
Then check whether these groups contain the users by chance. Maybe they contain other groups and the users are in those? Sometimes we neglect things. If all that ain't the case, then please try to reproduce this behavior from at least another computer with the same user. If reproducible, read out the NTFS perms using icacls and the share perms using net share and qoute both here for us to check.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39254702
Time for feedback :)
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39278908
What caused it?
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question