Solved

Quick and Easy question: Windows folder share permissions and NTFS

Posted on 2013-11-12
Last Modified: 2013-11-13
Hopefully this is a quick and easy question regarding NTFS\Share permissions
Server 2008 R2

We have a network share named \\SomeDFSServer\Advertising$

I need 3 users to have access to only the two folders in this path..
And they cannot have read, list or write access to the root....\\SomeDFSServer\Advertising$
or any other folder or subfolders. Just the two listed below.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

- TUSERA
- TUSERB
- TUSERC

Note: need to hide all root and other folders and subfolders.
0
Question by:Indyrb
13 Comments
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642521
Use deny permission.
Best would be to create a group and add the users. Right-click the folder on the server > Security, add the group, and select the deny permission for read/write/all.
0
 

Author Comment

by:Indyrb
ID: 39642560
If I deny at the root, they wouldn't be able to get to the subfolders below named New York and New Jersey, would they, since deny and shares are most restrictive?

They can have access to only the two.

\\SomeDFSServer\Advertising$\New York\
\\SomeDFSServer\Advertising$\New Jersey\

Not:
\\SomeDFSServer\Advertising$

Or any other
\\SomeDFSServer\Advertising$\Some folder\


Not even
\\SomeDFSServer\Advertising$\New York\Another Directory\


So I created a group in ADS named Adv_NY_NJ
Added the users to the group:
- TUSERA
- TUSERB
- TUSERC

Now where and what permissions do I apply?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642584
Ok, got it. You need to use traverse permission here for the folders you need to provide permission

Traverse Folder/Execute File

Traverse Folder: Allows or denies moving through a restricted folder to reach files and folders beneath the restricted folder in the folder hierarchy. Traverse folder takes effect only when the group or user is not granted the "Bypass traverse checking" user right in the Group Policy snap-in. This permission does not automatically allow running program files.

You can set this permission manually also
0
 

Author Comment

by:Indyrb
ID: 39642597
Can you instruct how to do this manually?

Also indicate the GPO setting?


I added the Group Adv_NY_NJ \\SomeDFSServer\Advertising$ but left permissions all blank

Added Adv_NY_NJ to \\SomeDFSServer\Advertising$\New York and New Jersey and selected allow.

What next?
0
 

Author Comment

by:Indyrb
ID: 39642657
Not sure if I did this right..

But on the root "\\SomeDFSServer\Advertising$"
added the Group Adv_NY_NJ
Left all entries blank except deny on traverse folders.

Then on \\SomeDFSServer\Advertising$\New York and New Jersey
Added Adv_NY_NJ and selected modify writes, along with traverse allow

I am kinda confused, so please advise.
Thanks in advance for your help
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642692
In the root, for the group, remove all permissions except list. Don't deny, just remove the others.

Now users in that group can list the folders.

Now open the share, select the folders, and give that group full permission on the folders you need.
0
 

Author Comment

by:Indyrb
ID: 39642695
I opened the local policy on the file server and found the Bypass traverse checking properties.

And you are right, Everyone is in here.

Without affecting everyone else, how do I make sure only these three users don't bypass?

Are the permissions above correct?
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642699
just leave that bypass settings for now
0
 

Author Comment

by:Indyrb
ID: 39642714
Okay... one side note though --- I don't want the users to list all the folders in the root either

When they go to "\\SomeDFSServer\Advertising$"

I only want New York and New Jersey to show up
0
 

Author Comment

by:Indyrb
ID: 39642716
Access Enumeration?
0
 
LVL 14

Accepted Solution

by:
Ram Balachandran earned 500 total points
ID: 39642732
- At the \\SomeDFSServer\Advertising$ level, remove all NTFS permissions (your preference) for the groups that can see all the way down into the sub-folder structure.

- for the users with limited access, at the \\SomeDFSServer\Advertising$\newyork give them:  Traverse folder, List Folder, Read attributes, Read extended attributes and Read Permissions.  Set it to This folder and Sub-folders.
0
 
LVL 14

Expert Comment

by:Ram Balachandran
ID: 39642739
Mapping a drive to their selected destination will not allow users to access other locations and will point them to what they need.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39643526
You can also configure Access-based Enumeration (Access-based enumeration displays only the files and folders that a user has permissions to access).
http://technet.microsoft.com/fr-fr/library/dd772681%28v=ws.10%29.aspx
http://blogs.technet.com/b/hugofe/archive/2010/06/21/windows-2008-access-based-enumeration-abe.aspx?Redirected=true
0
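The NTFS layout from the accepted solution, scripted with a check for the broad-group ACEs that would defeat both it and Access-based Enumeration. This is an added example, not code posted by anyone in the thread. The local path `D:\Shares\Advertising`, the `DOMAIN` prefix, the "this folder only" scope on the root, and the helper names `Add-GroupAce` and `Get-BroadAce` are assumptions.

```powershell
# Added example. Assumed: local path behind Advertising$ and the DOMAIN placeholder.
$Root    = 'D:\Shares\Advertising'
$Group   = 'DOMAIN\Adv_NY_NJ'
$Allowed = 'New York', 'New Jersey'

# Rights named in the accepted solution.
$Rights = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

function Add-GroupAce {
    # Hypothetical helper: adds one Allow ACE for $Group without touching existing ACEs.
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $acl = Get-Acl -Path $Path
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-BroadAce {
    # Hypothetical helper: reports Allow ACEs held by well-known broad groups.
    # Add the domain's "Domain Users" group to the list for a complete check.
    param([string]$Path)
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value } |
        Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

# Root: "this folder only" (assumption), so the ACE is not inherited by other folders.
Add-GroupAce -Path $Root -Rights $Rights -Inherit None

# The two permitted folders: "This folder and subfolders" (ContainerInherit).
foreach ($name in $Allowed) {
    Add-GroupAce -Path (Join-Path $Root $name) -Rights $Rights -Inherit ContainerInherit
}

# Audit: any row returned here is a folder the three users can still reach
# (and that Access-based Enumeration will still show) through a broad group.
Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-BroadAce -Path $_.FullName }
```

Rows returned for folders other than New York and New Jersey mean the restriction is not yet effective for TUSERA, TUSERB and TUSERC.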
