Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Folder permissions - Traversing folders to only access subfolders, multiple users
Posted on 2015-02-19
I need to setup folder permissions to an existing directory structure in a domain.
I have 4 groups of users that need access to certain subfolders on a shared drive, but should not have access to any files in any folders above those subfolders
ie: \\Server\Shares\ENG\ENG-Dr
all users have a drive mapping s: to \\Server \Shares
How can I set up permissions to allow group1 access to s:\ENG\ENG-Draw\ENG-Part dir only?
I've read about the Traverse directory permission, but have never implemented it.
Any direction here is appreciated.
I have 4 groups of users that need access to certain subfolders on a shared drive, but should not have access to any files in any folders above those subfolders
ie: \\Server\Shares\ENG\ENG-Dr
all users have a drive mapping s: to \\Server \Shares
How can I set up permissions to allow group1 access to s:\ENG\ENG-Draw\ENG-Part dir only?
I've read about the Traverse directory permission, but have never implemented it.
Any direction here is appreciated.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
2-
2
6 Comments
Active today
You need to remove the Inheritable permissions on the folder
Do the following...
- nav to that folder (s:\ENG\ENG-Draw\ENG-Part)
- Right click, Properties
- Click Security Tab
- Click Advance button
- Click Change permissions button
- remove the check mark for "include inheritable permissions from this objects parent"
- Click the Add button ( this will allow you to add to this current list of users that have already been populated)
- Click Add button and add Group1
- Set the permissions for Group1
Will.
Do the following...
- nav to that folder (s:\ENG\ENG-Draw\ENG-Part)
- Right click, Properties
- Click Security Tab
- Click Advance button
- Click Change permissions button
- remove the check mark for "include inheritable permissions from this objects parent"
- Click the Add button ( this will allow you to add to this current list of users that have already been populated)
- Click Add button and add Group1
- Set the permissions for Group1
Will.
Active today
In your case 1st thing to do:
Ensure that share root has "authenticated users" have full control share permissions
disable permissions inheritance on root share folder advanced NTFS permissions with convert explicit option
Then grant "authenticated users" List folder contents permissions on root share
Remove any explicit groups if defined here on ACL
Now go to "Eng-Part" folder and disable inheritance and change authenticated users permissions scope (Applied to) to this Folder Only
Then add required group required access here
This process to followed for all other groups
This will ensure that group members will able to access only folders for which they have access
Also you may enable access based enumeration on share folder so that folders get hide from explorer for which user do not have permissions
http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/
Ensure that share root has "authenticated users" have full control share permissions
disable permissions inheritance on root share folder advanced NTFS permissions with convert explicit option
Then grant "authenticated users" List folder contents permissions on root share
Remove any explicit groups if defined here on ACL
Now go to "Eng-Part" folder and disable inheritance and change authenticated users permissions scope (Applied to) to this Folder Only
Then add required group required access here
This process to followed for all other groups
This will ensure that group members will able to access only folders for which they have access
Also you may enable access based enumeration on share folder so that folders get hide from explorer for which user do not have permissions
http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/
Thanks for the responses.
There are about 10 other dirs under Shares, (Sales, Prod, Quality, etc.) and then several under each one of them.
If I give full share permissions, and disable inheritance, I will have to assign/remove NTFS permissions manually to every subfolder, and then manually to every subfolder's subfolder.
ie Managers need full access to all folders, and the same groups may need access to other specific directories within the structure.
Assigning permissions manually will be a headache especially if a new folder is created.
Is there any other way?
Are you familiar with implementing the Traversal permission?
Thanks again,
There are about 10 other dirs under Shares, (Sales, Prod, Quality, etc.) and then several under each one of them.
If I give full share permissions, and disable inheritance, I will have to assign/remove NTFS permissions manually to every subfolder, and then manually to every subfolder's subfolder.
ie Managers need full access to all folders, and the same groups may need access to other specific directories within the structure.
Assigning permissions manually will be a headache especially if a new folder is created.
Is there any other way?
Are you familiar with implementing the Traversal permission?
Thanks again,
Active today
You leave Share permissions for Everyone to Full. You then only modify Security Permissions for Security only. depending on how granular you want to have this you will need to do this manually. The other option would be to create new Shares and apply permissions accordingly for each security groups.
Will.
Will.
Active today
Its not required, by disabling inheritance, you don't have to set permissions manually on sub folders
Sub folders still will get inherited permissions from root share
If manager group require full permissions, you can grant them Modify \ full NTFS permissions on folder root once, it will get propagated to all sub folders
I have asked you to disable inheritance on share root because it is best practice and only way to stop flowing drive level permissions on root share
Whatever explicit permissions you will apply on root share will not affected by disabling inheritance.
Check below article for best practices to setup share folders
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_17526-NTFS-File-System-Folder-ownership-problems-and-resolution.html
Sub folders still will get inherited permissions from root share
If manager group require full permissions, you can grant them Modify \ full NTFS permissions on folder root once, it will get propagated to all sub folders
I have asked you to disable inheritance on share root because it is best practice and only way to stop flowing drive level permissions on root share
Whatever explicit permissions you will apply on root share will not affected by disabling inheritance.
Check below article for best practices to setup share folders
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_17526-NTFS-File-System-Folder-ownership-problems-and-resolution.html
Featured Post
Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory.
If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month5 days, 11 hours left to enroll
627 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.