Solved

Quick and Easy question: Windows folder share permissions and NTFS

Posted on 2013-11-12
Last Modified: 2013-11-13
Hopefully this is a quick and easy question regarding NTFS\Share permissions
Server 2008 R2

We have a network share named \\SomeDFSServer\Advertising$

I need 3 users to have access to only the two folders in this path.
And they cannot have read, list or write access to the root (\\SomeDFSServer\Advertising$)
or any other folder or subfolders. Just the two listed below.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

- TUSERA
- TUSERB
- TUSERC

Note: need to hide all root and other folders and subfolders.
Question by:Indyrb
13 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642521
Use deny permission.
Best would be to create a group, add users. Right click folder from the server> security and add the group and select deny permission for read/write/all
0
 

Author Comment

by:Indyrb
ID: 39642560
If I deny at the root, they wouldn't be able to get to the subfolder below named New York and New Jersey, would they since deny and shares are most restrictive?

They can have access to only the two.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

Not:
\\SomeDFSServer\Advertising$

Or any other
\\SomeDFSServer\Advertising$\Some folder\


Not even
\\SomeDFSServer\Advertising$\New York\Another Directory\


So I Created a Group in ADS named Adv_NY_NJ
Added the users: to the group
- TUSERA
- TUSERB
- TUSERC

Now where and what permissions do I apply?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642584
Ok, got it. You need to use traverse permission here for the folders you need to provide permission

Traverse Folder/Execute File

Traverse Folder: Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy. Traverse folder takes effect only when the group or user is not granted the "Bypass traverse checking" user right in the Group Policy snap-in. This permission does not automatically allow running program files.

You can set this permission manually also
0
 

Author Comment

by:Indyrb
ID: 39642597
Can you instruct how to do this manually?

Also indicate the GPO setting?


I added the Group Adv_NY_NJ to \\SomeDFSServer\Advertising$ but left permissions all blank

Added Adv_NY_NJ to \\SomeDFSServer\Advertising$\New York and New Jersey and selected allow.

What next?
0
 

Author Comment

by:Indyrb
ID: 39642657
Not sure if I did this right..

But on the root "\\SomeDFSServer\Advertising$"
added the Group Adv_NY_NJ
Left all entries blank except deny on traverse folders.

Then on \\SomeDFSServer\Advertising$\New York and New Jersey
Added Adv_NY_NJ and selected modify rights, along with traverse allow

I am kinda confused, so please advise.
Thanks in advance for your help
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642692
In the root, for the Group, remove all permissions except list. Don't deny, just remove the others.

Now users in that group can list the folders.

Now open the share, select the folders, and give that group full permission on the folders you need.
0
 

Author Comment

by:Indyrb
ID: 39642695
I opened the local policy on the file server and found the Bypass traverse checking properties.

And you are right, Everyone is in here.

Without affecting everyone else, how do I make sure only these three users don't bypass?

Are the permissions above correct?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642699
just leave that bypass settings for now
0
 

Author Comment

by:Indyrb
ID: 39642714
Okay... one side note though --- I don't want the users to list all the folders in the root either

When they go to "\\SomeDFSServer\Advertising$"

I only want New York and New Jersey to show up
0
 

Author Comment

by:Indyrb
ID: 39642716
Access Enumeration?
0
 
LVL 14

Accepted Solution

by:
Ram Balachandran earned 500 total points
ID: 39642732
- At the \\SomeDFSServer\Advertising$ level, remove all NTFS permissions (your preference) for the groups that can see all the way down into the sub-folder structure.

- for the users with limited access, at the \\SomeDFSServer\Advertising$\newyork give them:  Traverse folder, List Folder, Read attributes, Read extended attributes and Read Permissions.  Set it to This folder and Sub-folders.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642739
Mapping a drive to their selected destination will not allow users to access other locations and will point them to what they need
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39643526
You can also configure Access-based Enumeration (Access-based enumeration displays only the files and folders that a user has permissions to access).
http://technet.microsoft.com/fr-fr/library/dd772681%28v=ws.10%29.aspx
http://blogs.technet.com/b/hugofe/archive/2010/06/21/windows-2008-access-based-enumeration-abe.aspx?Redirected=true
0
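
The layout the answers above converge on (list-only at the share root, the accepted answer's rights on the two folders, Access-based Enumeration to hide the rest), shown as an added example that is not part of the original thread. The local path `D:\Shares\Advertising` and the `CONTOSO` domain are assumptions; the group and folder names come from the question.

```powershell
# Added example; $root and the CONTOSO domain are assumed placeholders.
$root           = 'D:\Shares\Advertising'   # assumed local path behind Advertising$
$group          = 'CONTOSO\Adv_NY_NJ'       # group name from the thread, assumed domain
$allowedFolders = 'New York', 'New Jersey'

# icacls specific rights: X = traverse folder, RD = list folder,
# RA / REA = read (extended) attributes, RC = read permissions.

# Share root: no (OI)/(CI) flags, so the ACE applies to this folder only
# and nothing is inherited by the sibling folders.
icacls $root /grant "${group}:(X,RD,RA,REA,RC)"

# The two permitted folders: (CI) = this folder and subfolders.
foreach ($name in $allowedFolders) {
    icacls (Join-Path $root $name) /grant "${group}:(CI)(X,RD,RA,REA,RC)"
}

# Audit: report every top-level folder whose ACL names the group directly.
# This does not see access granted through other groups (Everyone,
# Authenticated Users, Domain Users); review those ACEs separately.
function Get-GroupFolderAce {
    param([string]$Path, [string]$Identity)
    Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dir = $_
        (Get-Acl -Path $dir.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity } |
            Select-Object @{n='Folder'; e={ $dir.Name }},
                          AccessControlType, FileSystemRights, IsInherited
    }
}

$aces = @(Get-GroupFolderAce -Path $root -Identity $group)
$aces | Format-Table -AutoSize

$unexpected = @($aces | Where-Object { $allowedFolders -notcontains $_.Folder })
if ($unexpected.Count -gt 0) {
    Write-Warning "$group has ACEs outside the intended folders:"
    $unexpected | Format-Table -AutoSize
}

# Access-based Enumeration is a share setting, not an NTFS permission.
# On Server 2008 R2 it is enabled in the share's properties in Share and
# Storage Management; on Server 2012 and later the equivalent is:
#   Set-SmbShare -Name 'Advertising$' -FolderEnumerationMode AccessBased
```

With Access-based Enumeration on, a folder is hidden only if the user has no read access to it through any group membership, so a broad group such as Authenticated Users on the sibling folders will keep them visible.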


Question has a verified solution.
