Solved

Viewing Accessible Shares Over Network

Posted on 2014-09-18
6
145 Views
Last Modified: 2014-09-19
Is there a way to causes users to only see the Shares to which they have access when they browse to a file share server?  I realize the Access-based Enumeration  doesn't show files and folders to which they don't have access -- but I need users to not see Shares to which they have no access?  I'm migrating a file share server, and trying to find the easiest way for users to remap their shares.  They will often not recognize the names of shares they normally use.  The new file share server will be running Win 2012 R2.  I'm robocopying the files, exporting the registry for permissions -- I just need a user re-map strategy. Ideas appreciated - they could figure out right-click map if they only saw the appropriate shares.
Thanks.
0
Comment
Question by:apsutechteam
6 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 40331896
Hi:

I puzzled over this when I first saw it but concluded it was my lack of understanding and someone else would jump in with the answer.  Since it has turned up as unanswered I have to ask what exactly is your question?   This part of your question:  I realize the Access-based Enumeration  doesn't show files and folders to which they don't have access -- but I need users to not see Shares to which they have no access?  seems to be the correct answer, even if you haven't realized it.  If the users who connect to a server and browse the share list they will not see those that they have been excluded from with ABE.  Here is one example of how to implement in Server 2012 R2

http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/

So either I don't understand the question or you have not implemented ABE as described.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40331924
I don't let users browse shares. All of my real shares are hidden such as \\server\sharename$. I have one visible user share, and that is my domain based DFS namespace root at \\domain.local\dfs . Everything is hung off of that DFS namespace root. Here are some examples:

\\domain.local\dfs\Branch1\Users  --> \\branch1\users$
\\domain.local\dfs\Branch1\Departments   --> \\branch1\Depts$
\\domain.local\dfs\Corporate\Users  --> \\server1\users$
\\domain.local\dfs\Corporate\Departments  --> \\server2\users$
\\domain.local\dfs\Software  --> \\branch1\software$ and \\servers\software$

If you browse \\Server1, \\server2, or \\branch1 you won't see any of the shares. You would only see the SYSVOL and NETLOGON shares on the domain controllers, and you would see DFS on your namespace server(s). You can even hide the DFS namespace, so you can map to \\domain.local\dfs$\Corporate\Users, or just \\domain.local\dfs$ and users can browse to all of the shares from there.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 40332029
"and users can browse to all of the shares from there" - and that is what he doesn't want. Not all shares but only accessible shares should show. But that is not possible with ABE.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 40332364
My bad... ABE indeed will not hide shares.  The only way I know to hide shares is as kevinhsieh says, add a $ to the end of the share name.  But then you have to map a drive letter for every user to every share they actually have access to.

This has been a subject of much head scratching for as long as Windows file servers have existed.  But it is not that big a deal really as users soon forget about the ones they can't access.  Consider netlogon and sysvol... they cannot be hidden but users don't spend any time trying to access them.

If you really have a share, say "Secret Corporate Data" that is available only to the Big Wigs, add the $ to the end of the share name such as "Secret_Data$" and map a drive letter for them.  A GPO applied to the Big Wig OU would be the way to do it.  And teach them to log off when not at their desks.  This assumes, of course, that such share names that would cause users to wonder are available only to a select few users.
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 500 total points
ID: 40332408
You can possibly hide DFS namespace links in my method using ABE. That would keep shares and directories hidden from Windows users. I don't think it does anything for Mac and Samba clients from 15 years ago would show the hidden$ shares.
0
 

Author Closing Comment

by:apsutechteam
ID: 40333841
It seems you can limit the view using DFS and Access Based Enumeration - through additionally setting the 'view' permissions in DFS.

Thanks.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Hallo! I guess almost every Windows Administrator must have got stumped with this question "Where does WINDOWS store a users cached credentials? Every user who had once logged onto a Server/Desktop while it was connected to the domain could sti…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now