Quick and Easy question: Windows folder share permissions and NTFS

Hopefully this is a quick and easy question regarding NTFS\Share permissions
Server 2008 R2

We have a network share named \\SomeDFSServer\Advertising$

I need 3 users to have access to only the two folders in this path..
And they cannot have read, list or write access to the root....\\SomeDFSServer\Advertising$
or any other folder or subfolders. Just the two listed below.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

- TUSERA
- TUSERB
- TUSERC

Note need to hide all root and other folders and subfolders.....
Indyrb Asked:

Ram Balachandran Commented:
- At the \\SomeDFSServer\Advertising$ level, remove all NTFS permissions (your preference) for the groups that can see all the way down into the sub-folder structure.

- For the users with limited access, at the \\SomeDFSServer\Advertising$\newyork give them: Traverse folder, List Folder, Read attributes, Read extended attributes and Read Permissions. Set it to This folder and Sub-folders.

Ram Balachandran Commented:
Use deny permission.
Best would be to create a group and add the users. Right-click the folder on the server > Security, add the group, and select the deny permission for read/write/all.

Indyrb (Author) Commented:
If I deny at the root, they wouldn't be able to get to the subfolders below named New York and New Jersey, would they, since deny and shares are most restrictive?

They can have access to only the two.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

Not:
\\SomeDFSServer\Advertising$

Or any other
\\SomeDFSServer\Advertising$\Some folder\


Not even
\\SomeDFSServer\Advertising$\New York\Another Directory\


So I created a group in ADS named Adv_NY_NJ
Added the users to the group:
- TUSERA
- TUSERB
- TUSERC

Now where and what permissions do I apply?
 
Ram Balachandran Commented:
OK, got it. You need to use the traverse permission here for the folders you need to provide permission to.

Traverse Folder/Execute File

Traverse Folder: Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy. Traverse folder takes effect only when the group or user is not granted the "Bypass traverse checking user" right in the Group Policy snap-in. This permission does not automatically allow running program files.

You can also set this permission manually.

Indyrb (Author) Commented:
Can you instruct how to do this manually?

Also indicate the GPO setting?


I added the group Adv_NY_NJ to \\SomeDFSServer\Advertising$ but left permissions all blank.

Added Adv_NY_NJ to \\SomeDFSServer\Advertising$\New York and New Jersey and selected allow.

What next?

Indyrb (Author) Commented:
Not sure if I did this right..

But on the root "\\SomeDFSServer\Advertising$"
added the Group Adv_NY_NJ
Left all entries blank except deny on traverse folders.

Then on \\SomeDFSServer\Advertising$\New York and New Jersey
Added Adv_NY_NJ and selected modify writes, along with traverse allow

I am kinda confused, so please advise.
Thanks in advance for your help

Ram Balachandran Commented:
In the root, for the group, remove all permissions except list. Don't deny, just remove the others.

Now users in that group can list the folders.

Now open the share, select the folders, and give that group full permission on the folders you need.

Indyrb (Author) Commented:
I opened the local policy on the file server and found the Bypass traverse checking properties.

And you are right, Everyone is in here.

Without affecting everyone else, how do I make sure only these three users don't bypass?

Are the permissions above correct?

Ram Balachandran Commented:
Just leave that bypass setting for now.

Indyrb (Author) Commented:
Okay... one side note though --- I don't want the users to list all the folders in the root either

When they go to "\\SomeDFSServer\Advertising$"

I only want New York and New Jersey to show up

Indyrb (Author) Commented:
Access Enumeration?

Ram Balachandran Commented:
Mapping a drive to their selected destination will not allow users to access other locations and will point them to what they need.

Sandeshdubey (Senior Server Engineer) Commented:
You can also configure Access-based Enumeration (Access-based enumeration displays only the files and folders that a user has permissions to access).
http://technet.microsoft.com/fr-fr/library/dd772681%28v=ws.10%29.aspx
http://blogs.technet.com/b/hugofe/archive/2010/06/21/windows-2008-access-based-enumeration-abe.aspx?Redirected=true
Question has a verified solution.
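
The layout discussed in the thread (list and traverse on the root for this folder only, an allow ACE on the two folders, no deny ACEs), written as an added PowerShell example that is not code posted by any participant. The local path D:\Shares\Advertising, the CONTOSO domain, the choice of Modify and the list of broad groups are assumptions; it is meant to run on the file server that hosts the share.

```powershell
# Added example, not from the thread. Assumed placeholders: D:\Shares\Advertising
# (local path behind Advertising$) and the CONTOSO domain.
$Root    = 'D:\Shares\Advertising'
$Group   = 'CONTOSO\Adv_NY_NJ'
$Allowed = 'New York', 'New Jersey'
# Broad principals the three users also belong to (assumed list). An allow ACE
# for any of these on another folder exposes it regardless of Adv_NY_NJ.
$Broad   = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# Root: list, traverse, read attributes and read permissions, this folder only.
# No (OI)/(CI) flags, so other subfolders inherit nothing from this ACE.
# No deny ACE is used; access is withheld by the absence of an allow ACE.
icacls $Root /grant "${Group}:(RD,X,RA,REA,RC)"

foreach ($name in $Allowed) {
    # Modify on each permitted folder, inherited by its files and subfolders.
    icacls (Join-Path $Root $name) /grant "${Group}:(OI)(CI)M"
}

# Audit: collect every ACE that would show the group more than intended.
$findings = @(
    # The group's root ACE must not propagate to children.
    (Get-Acl $Root).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and
                       $_.InheritanceFlags -ne 'None' } |
        ForEach-Object { "Root ACE for $Group is inheritable: $($_.FileSystemRights)" }

    # Every other first-level folder must carry no allow ACE for the group
    # or for a broad principal that contains its members.
    Get-ChildItem $Root |
        Where-Object { $_.PSIsContainer -and $Allowed -notcontains $_.Name } |
        ForEach-Object {
            $path = $_.FullName
            (Get-Acl $path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               ($Broad + $Group) -contains $_.IdentityReference.Value } |
                ForEach-Object {
                    "$path grants $($_.FileSystemRights) to $($_.IdentityReference.Value)"
                }
        }
)

if ($findings.Count) { $findings }
else { 'No unexpected allow ACEs found on first-level folders.' }
```

Access-based enumeration is switched on for the share itself, as the linked articles describe; the ACLs above only decide which folders it then hides from the root listing.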
