Access Based Enumeration

Hi All,

Firstly let me apologise for the novel that is about to be written.

My environment is Windows Server 2012 (DFL is 2008) and a lot larger than shown in the images below but it demonstrates the depth I wish to use.

I am somewhat confused over how to apply permissions with ABE. This is NOT in a DFS name space. I have a share called "Data" with ABE enabled. I have set up the folders as shown in the diagram below.

Physical Structure
The logical flow should look like this:

Logical Structure

I would like users to only see the folders that they have permissions for e.g. the North team should only see the North Folder but the Marketing Manager should be able to see all folders below their level. I can easily get the GM to see whichever folders they need to see (the GM, all Sales and all Geo folders and sub folders). The problem I am having is getting anyone further down the tree to see only the folders they have permissions to.

Is this possible or have I misunderstood how ABE works? Do I have to go to a flat file structure below Data (which I know will work but does not allow for inheriting)?

TIA

Harry
EQCIT Asked:

Rob Stone Commented:
That was my understanding as well.

Share at the top level and users only see subfolders they have read access to or greater. What are the effective permissions on the folders for users who shouldn't have access?

It may be worth creating a test account and mimicking the user's access so you can test on a test server/test client too. What are the clients being used?
0
Rob Stone Commented:
I've just setup ABE on a share called Data.

I've connected as various users who are in various department global groups. Those groups are then assigned to folders in the file share.

I'm seeing exactly what I'd expect to see, so I am presuming some users must still have read access on folders you don't want them to see. Excuse my artwork, but you get the idea from the attached image.
ABE.JPG
0
EQCIT (Author) Commented:
Hi Stoner79,
So the users in GG-Sales-Staff can only see the Staff folder? If so that is exactly what I am after. Can you let me know what permissions you apply at the upper levels?
0

Rob Stone Commented:
Sure, I'll run an icacls dump of the permissions later tonight and the group permissions so you can see how I did it.
0
EQCIT (Author) Commented:
Thanks - typical geek, I'm getting excited about an icacls dump:-)
0
Rob Stone Commented:
Ah, a fellow geek. Here is the PS I used to get the group membership:

# Needs the RSAT ActiveDirectory module on the box running the script
Import-Module ActiveDirectory

# Every group under the Groups OU of the lab domain (DOMAIN.LAB)
$Groups = Get-ADGroup -Filter * -SearchBase "OU=Groups,DC=Domain,DC=LAB"

foreach ($Group in $Groups) {
    $var = $Group.Name
    # One log file per group, listing its direct members
    Get-ADGroupMember -Identity $var | Out-File "C:\Data\$var.log"
}

I've attached those and the ICACLS too. Note, I would set up the production permissions slightly differently and have a group for all department groups at the top level, then break inheritance and configure as needed as you go lower down.
Group-Membership.zip
ICACLS.Log
0
EQCIT (Author) Commented:
Thanks Stoner79, it is Saturday here today and I'm heading to the mountains. I will pick this up when I get back to work Monday.
0
EQCIT (Author) Commented:
Hi Stoner79, I think I'm probably over thinking/making this harder than it needs to be but I'm still confused. I understand the icacls.log you sent through (thanks for that!). My current question is what NTFS permissions do you apply at the folder Data? I have set Share permissions as Authenticated Users Full Control. If I add all my users as Full Access or Read Only at this level then they can see ALL folders (with the obvious access as supplied by the permissions on the sub folders).

In the case of my setup I have created a Domain Local group called ACL_Coy_ALL. Using nested Global Security groups all users are a member of this ACL group, e.g. User1 is a member of SG_North with Modify in the folder North. SG_North is a member of SG_Marketing. SG_Marketing is a member of SG_Sales and SG_Sales is a member of SG_Coy_ALL. SG_Coy_ALL is the only member of ACL_Coy_ALL. SG_Marketing obviously has other members such as SG_South, SG_East, etc. Members of SG_Sales incl SG_Manager, SG_Repairs, etc. And again SG_Coy_ALL incl SG_HR, SG_BU, etc.

Each Folder also has two ACL (Domain Local) groups. For example the folder North has ACL_North_R (Read Only) and ACL_North_RW (Read Write). The members of these groups are SG_North.

It seems no matter what I do the user can either see nothing OR can see all folders incl those they don't have access to. This is my first time with ABE and to be frank I am really struggling.
0
Rob Stone Commented:
You would have all your users having Full Control/Read (whatever permission they need at that level), then each folder below that would break inheritance unless you want everyone to have it.

So authenticated users is fine, but when you want to hide folders, you want to remove all groups except those groups that should be seeing the folder and have access. In my example, I just had GG-Sales-Users for example and removed authenticated/domain users.

In the advanced properties for NTFS there is an Effective Permission tab, use this to check individual users' permissions against the folder. Create a new folder and test group under Data, remove all permissions and add one user to a test group and pop that in the NTFS permissions. Then see who has access.

In my lab the changes to the folder were instant (win 7/2012), I didn't have to log off (just pressed F5 to refresh explorer).

You might want to also look at getting a dump of users in the groups associated to the folders, including nested groups. Hyena can be installed for a trial which can pull this information from a GUI, or you can look at powershell but I don't know the command off the top of my head (probably Get-ADGroupMember).

As I said, start off with a basic group with 1 user to simplify it and make sure it's working as it should before nesting groups.
0
EQCIT (Author) Commented:
Hi Stoner79,
I am still struggling with this. I have given SG_North ReadOnly at the Data folder and then broken inheritance and the folder doesn't show. Unless I have each level with at least Read Only access the user cannot see the North folder. However, I really would like to not have the user having to navigate multiple folders to access their folders. All I want them to see is the North folder. In my live environment we have >1000 users with some having access to multiple folders in multiple departments BUT we only go four layers deep (as per the diagram labelled Physical Data Structure).
I have attached some pictures to show you what I have done.

I really appreciate your assistance and am sure I am missing something simple but I think I am at the point of not seeing the forest for the trees.

Cheers

Harry
AllData-Advanced-Security.png
AllData-Share-permissions.png
Marketing-Advanced-Security.png
North-Folder-Advanced-Security.png
NorthUser-Effective-Permissions-.png
Sales-Advanced-Security.png
Win7-Client-ACL-North-removed-fr.png
Win7-Client-ReadOnly-at-each-lev.png
0
Rob Stone Commented:
Hi Harry, I'll have a look later for you.
0
Rob Stone Commented:
Hi,

Now I've checked your screenshots I think I am understanding what you are trying to achieve.

It won't work with what you are trying to accomplish. Not by browsing like that anyway. You may be able to connect directly to the folder by putting in T:\Marketing\North in the path, but you won't see a subfolder at the top level like T:\North when mapping to the Data share. The only way to get that to work would be setting up a share at the lower level and have them map to that share instead of Data.

So I think ABE is working as it is designed on your setup.
0
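The following script is an added example, not code posted by Rob Stone or EQCIT. It lays out the lab Rob describes in his advice above (broad read at the top, inheritance broken lower down with only the owning groups left) and ends with the workaround from his accepted answer, a second share rooted at the North folder. It assumes Windows Server 2012 or later with the SmbShare module, a scratch path C:\ABE-Lab, a domain whose NetBIOS name is the placeholder DOMAIN, and that the groups ACL_Coy_ALL and ACL_North_RW from the thread already exist; Set-AbeFolderAcl and Show-AbePath are helper names invented here. Show-AbePath is the check a practitioner wants before testing with a real account: a user sees a folder under ABE only if read/list is granted on it and on every ancestor, so a level with no entry for the user's groups is the usual reason a deep folder "is not there".

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Placeholders: DOMAIN, C:\ABE-Lab.
Import-Module SmbShare

$Domain = 'DOMAIN'
$Root   = 'C:\ABE-Lab\Data'
$North  = Join-Path $Root 'Sales\Marketing\North'
New-Item -ItemType Directory -Path $North -Force | Out-Null

# Breaks inheritance on $Path, drops every ACE that came with it and grants only
# the principals in $Grants (plus Administrators/SYSTEM so the folder stays manageable).
# Under ABE a folder is listed only for callers that keep read access on it, so this
# is the step that makes a folder disappear for everyone not in $Grants.
function Set-AbeFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Grants   # e.g. @{ 'DOMAIN\ACL_North_RW' = 'Modify' }
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # protect; do not copy inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $all = $Grants.Clone()
    $all['BUILTIN\Administrators'] = 'FullControl'
    $all['NT AUTHORITY\SYSTEM']    = 'FullControl'
    foreach ($entry in $all.GetEnumerator()) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Key, $entry.Value, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Walks from $ShareRoot down to $Path and reports who holds read/list on each level.
# ABE shows a folder only to callers who can read it AND every ancestor, so a level
# with no entry for the user's groups explains why a deep folder is not visible.
function Show-AbePath {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ShareRoot)
    $levels  = @($ShareRoot)
    $current = $ShareRoot
    $rel = $Path.Substring($ShareRoot.Length).TrimStart('\')
    foreach ($part in ($rel -split '\\' | Where-Object { $_ })) {
        $current = Join-Path $current $part
        $levels += $current
    }
    foreach ($lvl in $levels) {
        # FileSystemRights bit 1 = ReadData/ListDirectory; Read, Modify and FullControl all include it
        $readers = (Get-Acl -Path $lvl).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band 1) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{ Folder = $lvl; Readers = ($readers -join ', ') }
    }
}

# 1. Share the top level with ABE on. Share permission stays broad; NTFS does the real work.
New-SmbShare -Name 'Data' -Path $Root -FullAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased | Out-Null

# 2. Top level and intermediate levels: the company-wide ACL group gets Read so everyone
#    can list Data, Sales and Marketing. ABE cannot skip levels, so these stay visible.
foreach ($lvl in $Root, (Join-Path $Root 'Sales'), (Join-Path $Root 'Sales\Marketing')) {
    Set-AbeFolderAcl -Path $lvl -Grants @{ "$Domain\ACL_Coy_ALL" = 'ReadAndExecute' }
}

# 3. The leaf: only the North group remains, so every other user stops seeing North
#    (siblings such as South and East get the same treatment with their own groups).
Set-AbeFolderAcl -Path $North -Grants @{ "$Domain\ACL_North_RW" = 'Modify' }

# 4. Check the chain before testing with a real account; the Effective Access /
#    Effective Permissions tab on each folder confirms the per-user result.
Show-AbePath -Path $North -ShareRoot $Root | Format-Table -AutoSize

# 5. What ABE cannot do: North never surfaces as T:\North when T: maps to \\server\Data.
#    If users must land on North directly, share it in its own right and map that instead.
New-SmbShare -Name 'North' -Path $North -FullAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased | Out-Null
```

Run it once on a throwaway server, then sign in (or `runas`) as a test member of SG_North and browse \\server\Data: Sales and Marketing appear, North appears, and the siblings under Marketing do not. Mapping \\server\North instead gives the single-folder view the question asks for, which is the only way to get it without DFS.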
