Solved

Quick and Easy question: windows folder share permissions and ntfs

Posted on 2013-11-12
Last Modified: 2013-11-13
Hopefully this is a quick and easy question regarding NTFS\Share permissions
Server 2008 R2

We have a network share named \\SomeDFSServer\Advertising$

I need 3 users to have access to only the two folders in this path..
And they cannot have read, list or write access to the root....\\SomeDFSServer\Advertising$
or any other folder or subfolders. Just the two listed below.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

- TUSERA
- TUSERB
- TUSERC

Note need to hide all root and other folders and subfolders.....
Question by:Indyrb
13 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642521
Use deny permission.
The best approach would be to create a group and add the users. Right-click the folder on the server > Security, add the group and select deny permission for read/write/all.
0
 

Author Comment

by:Indyrb
ID: 39642560
If I deny at the root, they wouldn't be able to get to the subfolders below named New York and New Jersey, would they, since deny and shares are most restrictive?

They can have access to only the two.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

Not:
\\SomeDFSServer\Advertising$

Or any other
\\SomeDFSServer\Advertising$\Some folder\


Not even
\\SomeDFSServer\Advertising$\New York\Another Directory\


So I created a group in ADS named Adv_NY_NJ
Added the users to the group:
- TUSERA
- TUSERB
- TUSERC

Now where and what permissions do I apply?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642584
Ok, got it. You need to use traverse permission here for the folders you need to provide permission

Traverse Folder/Execute File

Traverse Folder: Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy. Traverse folder takes effect only when the group or user is not granted the "Bypass traverse checking" user right in the Group Policy snap-in. This permission does not automatically allow running program files.

You can set this permission manually also
0

 

Author Comment

by:Indyrb
ID: 39642597
Can you instruct how to do this manually?

Also indicate the GPO setting?


I added the Group Adv_NY_NJ \\SomeDFSServer\Advertising$ but left permissions all blank

Added Adv_NY_NJ \\SomeDFSServer\Advertising$\New York and New Jersey and selected allow.

What next?
0
 

Author Comment

by:Indyrb
ID: 39642657
Not sure if I did this right..

But on the root "\\SomeDFSServer\Advertising$"
added the Group Adv_NY_NJ
Left all entries blank except deny on traverse folders.

Then on \\SomeDFSServer\Advertising$\New York and New Jersey
Added Adv_NY_NJ and selected modify writes, along with traverse allow

I am kinda confused, so please advise.
Thanks in advance for your help
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642692
In the root, for the group, remove all permissions except list. Don't deny, just remove the others.

Now users in that group can list the folders.

Now open the share, select the folders, and give that group full permission on the folders you need.
0
 

Author Comment

by:Indyrb
ID: 39642695
I opened the local policy on the file server and found the Bypass traverse checking properties.

And you are right, Everyone is in here.

Without affecting everyone else, how do I make sure only these three users don't bypass?

Are the permissions above correct?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642699
just leave that bypass settings for now
0
 

Author Comment

by:Indyrb
ID: 39642714
Okay... one side note though --- I don't want the users to list all the folders in the root either

When they go to "\\SomeDFSServer\Advertising$"

I only want New York and New Jersey to show up
0
 

Author Comment

by:Indyrb
ID: 39642716
Access Enumeration?
0
 
LVL 14

Accepted Solution

by:
Ram Balachandran earned 500 total points
ID: 39642732
- At the \\SomeDFSServer\Advertising$ level, remove all NTFS permissions (your preference) for the groups that can see all the way down into the sub-folder structure.

- For the users with limited access, at the \\SomeDFSServer\Advertising$\newyork give them: Traverse folder, List Folder, Read attributes, Read extended attributes and Read Permissions. Set it to This folder and Sub-folders.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642739
Mapping a drive to their selected destination will not allow users to access other locations and will point them to what they need
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39643526
You can also configure Access-based Enumeration (Access-based enumeration displays only the files and folders that a user has permissions to access).

http://technet.microsoft.com/fr-fr/library/dd772681%28v=ws.10%29.aspx

http://blogs.technet.com/b/hugofe/archive/2010/06/21/windows-2008-access-based-enumeration-abe.aspx?Redirected=true
0
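
The NTFS entries from the accepted solution, together with the list-only root entry from comment 39642692, scripted as an added PowerShell example that is not part of the original thread. The local path `D:\Shares\Advertising` and the `CONTOSO` domain are placeholders, and `Add-GroupAce` is a helper defined here; run it elevated on the file server.

```powershell
# Added example: placeholders are marked; run elevated on the file server.
$Root    = 'D:\Shares\Advertising'   # hypothetical local path behind Advertising$
$Group   = 'CONTOSO\Adv_NY_NJ'       # group from the thread; CONTOSO is a placeholder
$Allowed = 'New York', 'New Jersey'

# Rights named in the accepted solution.
$Browse = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

function Add-GroupAce {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    # Allow entry only; nothing here writes a Deny ACE.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Root: list only, "This folder only", so nothing is inherited by other folders.
Add-GroupAce -Path $Root -Rights 'ListDirectory' -Inherit 'None'

# The two permitted folders: "This folder and subfolders".
foreach ($name in $Allowed) {
    Add-GroupAce -Path (Join-Path $Root $name) -Rights $Browse -Inherit 'ContainerInherit'
}

# Report the group's entries on every first-level folder. Folders outside
# $Allowed should come back with an empty GroupAces column.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $aces = (Get-Acl -Path $_.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group }
    New-Object PSObject -Property @{
        Folder    = $_.Name
        Expected  = ($Allowed -contains $_.Name)
        GroupAces = @($aces | ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights)" }) -join '; '
    }
} | Select-Object Folder, Expected, GroupAces
```

The report lists only the group's own entries. With access-based enumeration enabled on the share, a folder stays visible to these users if any other group they belong to has read access to it, so check the other folders for inherited entries granted to broad groups.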


Question has a verified solution.
