Solved

Viewing Accessible Shares Over Network

Posted on 2014-09-18
Last Modified: 2014-09-19
Is there a way to cause users to only see the Shares to which they have access when they browse to a file share server? I realize that Access-based Enumeration doesn't show files and folders to which they don't have access -- but I need users to not see Shares to which they have no access. I'm migrating a file share server, and trying to find the easiest way for users to remap their shares. They will often not recognize the names of shares they normally use. The new file share server will be running Win 2012 R2. I'm robocopying the files, exporting the registry for permissions -- I just need a user re-map strategy. Ideas appreciated - they could figure out right-click map if they only saw the appropriate shares.
Thanks.
Question by:apsutechteam
6 Comments
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 40331896
Hi:

I puzzled over this when I first saw it but concluded it was my lack of understanding and someone else would jump in with the answer. Since it has turned up as unanswered I have to ask what exactly is your question? This part of your question: "I realize the Access-based Enumeration doesn't show files and folders to which they don't have access -- but I need users to not see Shares to which they have no access?" seems to be the correct answer, even if you haven't realized it. If users connect to a server and browse the share list, they will not see those that they have been excluded from with ABE. Here is one example of how to implement it in Server 2012 R2:

http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/

So either I don't understand the question or you have not implemented ABE as described.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40331924
I don't let users browse shares. All of my real shares are hidden such as \\server\sharename$. I have one visible user share, and that is my domain based DFS namespace root at \\domain.local\dfs . Everything is hung off of that DFS namespace root. Here are some examples:

\\domain.local\dfs\Branch1\Users  --> \\branch1\users$
\\domain.local\dfs\Branch1\Departments   --> \\branch1\Depts$
\\domain.local\dfs\Corporate\Users  --> \\server1\users$
\\domain.local\dfs\Corporate\Departments  --> \\server2\users$
\\domain.local\dfs\Software  --> \\branch1\software$ and \\servers\software$

If you browse \\Server1, \\server2, or \\branch1 you won't see any of the shares. You would only see the SYSVOL and NETLOGON shares on the domain controllers, and you would see DFS on your namespace server(s). You can even hide the DFS namespace, so you can map to \\domain.local\dfs$\Corporate\Users, or just \\domain.local\dfs$ and users can browse to all of the shares from there.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40332029
"and users can browse to all of the shares from there" - and that is what he doesn't want. Not all shares but only accessible shares should show. But that is not possible with ABE.
0
 
LVL 22

Expert Comment

by:Larry Struckmeyer MVP
ID: 40332364
My bad... ABE indeed will not hide shares.  The only way I know to hide shares is as kevinhsieh says, add a $ to the end of the share name.  But then you have to map a drive letter for every user to every share they actually have access to.

This has been a subject of much head scratching for as long as Windows file servers have existed.  But it is not that big a deal really as users soon forget about the ones they can't access.  Consider netlogon and sysvol... they cannot be hidden but users don't spend any time trying to access them.

If you really have a share, say "Secret Corporate Data" that is available only to the Big Wigs, add the $ to the end of the share name such as "Secret_Data$" and map a drive letter for them.  A GPO applied to the Big Wig OU would be the way to do it.  And teach them to log off when not at their desks.  This assumes, of course, that such share names that would cause users to wonder are available only to a select few users.
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 2000 total points
ID: 40332408
You can possibly hide DFS namespace links in my method using ABE. That would keep shares and directories hidden from Windows users. I don't think it does anything for Mac and Samba clients from 15 years ago would show the hidden$ shares.
0
 

Author Closing Comment

by:apsutechteam
ID: 40333841
It seems you can limit the view using DFS and Access Based Enumeration - through additionally setting the 'view' permissions in DFS.

Thanks.
0
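The approach the thread settles on (hidden `$` target shares published through a DFS namespace, with Access-Based Enumeration and per-folder view permissions) can be scripted with the DFSN PowerShell module. This is an added example, not code from any poster; the namespace root and target shares are the ones kevinhsieh lists, while the group names are assumed placeholders and the namespace root is assumed to already exist in Windows Server 2008 mode.

```powershell
# Added example. Values marked (assumed) are placeholders, not taken from the thread.
# Requires the DFSN module (DFS Namespaces role or RSAT) and an existing
# domain-based namespace in Windows Server 2008 mode, which DFS ABE depends on.

$Root  = '\\domain.local\dfs'   # namespace root used in the thread
$Links = @(
    # DFS folder                       hidden target share             group allowed to see it (assumed)
    @{ Path = "$Root\Corporate\Users"; Target = '\\server1\users$';    Group = 'DOMAIN\Corp-Users' }
    @{ Path = "$Root\Software";        Target = '\\branch1\software$'; Group = 'DOMAIN\Software-Users' }
)

# 1. Turn on Access-Based Enumeration for the namespace itself.
Set-DfsnRoot -Path $Root -EnableAccessBasedEnumeration $true | Out-Null

foreach ($link in $Links) {
    # 2. Publish the hidden share as a DFS folder if it is not there yet.
    if (-not (Get-DfsnFolder -Path $link.Path -ErrorAction SilentlyContinue)) {
        New-DfsnFolder -Path $link.Path -TargetPath $link.Target | Out-Null
    }

    # 3. Set the explicit "view" permission: only this group should enumerate the folder.
    Grant-DfsnAccess -Path $link.Path -AccountName $link.Group | Out-Null

    # 4. Print the resulting view ACL for review.
    Get-DfsnAccess -Path $link.Path
}

# Visibility is not access control: the share and NTFS permissions on each
# target still decide who can open the data. Confirm the result by browsing
# $Root with a test account that is not a member of the listed groups.
```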

Question has a verified solution.