Solved

Quick and Easy question: Windows folder share permissions and NTFS

Posted on 2013-11-12
Last Modified: 2013-11-13
Hopefully this is a quick and easy question regarding NTFS\Share permissions
Server 2008 R2

We have a network share named \\SomeDFSServer\Advertising$

I need 3 users to have access to only the two folders in this path..
And they cannot have read, list or write access to the root....\\SomeDFSServer\Advertising$
or any other folder or subfolders. Just the two listed below.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

- TUSERA
- TUSERB
- TUSERC

Note: need to hide all root and other folders and subfolders.
Question by:Indyrb
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642521
Use deny permission.
Best would be to create a group, add users. Right click folder from the server> security and add the group and select deny permission for read/write/all
0
 
LVL 5

Author Comment

by:Indyrb
ID: 39642560
If I deny at the root, they wouldn't be able to get to the subfolder below named New York and New Jersey, would they since deny and shares are most restrictive?

They can have access to only the two.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

Not:
\\SomeDFSServer\Advertising$

Or any other
\\SomeDFSServer\Advertising$\Some folder\


Not even
\\SomeDFSServer\Advertising$\New York\Another Directory\


So I Created a Group in ADS named Adv_NY_NJ
Added the users: to the group
- TUSERA
- TUSERB
- TUSERC

Now where and what permissions do I apply?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642584
Ok, got it. You need to use traverse permission here for the folders you need to provide permission

Traverse Folder/Execute File

Traverse Folder: Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy. Traverse folder takes effect only when the group or user is not granted the "Bypass traverse checking user" right in the Group Policy snap-in. This permission does not automatically allow running program files.

You can set this permission manually also
0

 
LVL 5

Author Comment

by:Indyrb
ID: 39642597
Can you instruct how to do this manually?

Also indicate the GPO setting?


I added the Group Adv_NY_NJ to \\SomeDFSServer\Advertising$ but left permissions all blank

Added Adv_NY_NJ to \\SomeDFSServer\Advertising$\New York and New Jersey and selected allow.

What next?
0
 
LVL 5

Author Comment

by:Indyrb
ID: 39642657
Not sure if I did this right..

But on the root "\\SomeDFSServer\Advertising$"
added the Group Adv_NY_NJ
Left all entries blank except deny on traverse folders.

Then on \\SomeDFSServer\Advertising$\New York and New Jersey
Added Adv_NY_NJ and selected modify rights, along with traverse allow

I am kinda confused, so please advise.
Thanks in advance for your help
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642692
In the root, for the group, remove all permissions except list. Don't deny, just remove the others.

Now users in that group can list the folders.

Now open the share, select the folders, and give that group full permission on the folders you need.
0
 
LVL 5

Author Comment

by:Indyrb
ID: 39642695
I open the local policy on file server and found the Bypass traverse checking properties.

And you are right, Everyone is in here.

Without affecting everyone else, how do I make sure only these three users don't bypass?

Are the permissions above correct?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642699
just leave that bypass settings for now
0
 
LVL 5

Author Comment

by:Indyrb
ID: 39642714
Okay... one side note though --- I don't want the users to list all the folders in the root either

When they go to "\\SomeDFSServer\Advertising$"

I only want New York and New Jersey to show up
0
 
LVL 5

Author Comment

by:Indyrb
ID: 39642716
Access Enumeration?
0
 
LVL 14

Accepted Solution

by:
Ram Balachandran earned 2000 total points
ID: 39642732
- At the \\SomeDFSServer\Advertising$ level, remove all NTFS permissions (your preference) for the groups that can see all the way down into the sub-folder structure.

- for the users with limited access, at the \\SomeDFSServer\Advertising$\newyork give them:  Traverse folder, List Folder, Read attributes, Read extended attributes and Read Permissions.  Set it to This folder and Sub-folders.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642739
Mapping a drive to their selected destination will not allow users to access other locations and will point them to what they need
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39643526
You can also configure Access-based Enumeration (Access-based enumeration displays only the files and folders that a user has permissions to access).
http://technet.microsoft.com/fr-fr/library/dd772681%28v=ws.10%29.aspx
http://blogs.technet.com/b/hugofe/archive/2010/06/21/windows-2008-access-based-enumeration-abe.aspx?Redirected=true
0
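The permission set from the accepted solution, scripted with Get-Acl/Set-Acl and followed by a check of the sibling folders. This is an added example, not part of the thread; the local path `D:\Shares\Advertising` and the domain `CONTOSO` are placeholders the thread does not give. Run it elevated on the file server.

```powershell
# Added example. Placeholders (not from the thread): the local path behind
# \\SomeDFSServer\Advertising$ and the domain name CONTOSO.
$Root    = 'D:\Shares\Advertising'
$Group   = 'CONTOSO\Adv_NY_NJ'
$Allowed = 'New York', 'New Jersey'

# The five rights named in the accepted solution.
$rights = [System.Security.AccessControl.FileSystemRights]`
    'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

# ContainerInherit + no propagation flags = "This folder and subfolders".
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, $rights, 'ContainerInherit', 'None', 'Allow')

# Root: drop every explicit ACE for the group, including the Deny Traverse
# tried earlier in the thread. A Deny on the root is not needed.
$rootAcl = Get-Acl -Path $Root
$rootAcl.PurgeAccessRules([System.Security.Principal.NTAccount]$Group)
Set-Acl -Path $Root -AclObject $rootAcl

# The two permitted folders: add the allow rule for the group.
foreach ($name in $Allowed) {
    $path = Join-Path $Root $name
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Check: any Allow ACE on the other folders for the group itself or for a
# broad principal the three users also belong to means they can still get in,
# and Access-based Enumeration will keep showing that folder to them.
$broad = $Group, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer -and $Allowed -notcontains $_.Name } |
    ForEach-Object {
        $dir = $_
        (Get-Acl -Path $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $broad -contains $_.IdentityReference.Value } |
            Select-Object @{n='Folder'; e={$dir.Name}},
                          IdentityReference, FileSystemRights, IsInherited
    }
```

An empty result from the last pipeline means none of the listed principals has an Allow entry on the other folders; any row it prints is an entry to review before relying on Access-based Enumeration to hide them.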
