
Share vs NTFS rights

It was my understanding that if I created a shared folder and gave everyone read rights then had NTFS rights on the folders inside the share that users would only be able to see/access the folders inside the share that they had NTFS rights to. It appears share rights are overriding NTFS rights.

Physical location
c:\usershare: security - System, Domain Admins and Administrators have Full Control

Share
usersshare: security - Everyone has Read

Folders
c:\usershare\user1 admins and user1 have NTFS access
c:\usershare\user2 admins and user2 have NTFS access

However, user1 can access user2's data and user2 can access user1's data.

What I want is for everyone to see the share and only the folders they have access to within the share. I'm missing something simple but don't see it.

William Fulks, IT Services Analyst

Commented:
Share permissions should trump folder permissions.

Do user1 and user2 fall under any other groups?

Some screenshots of the permissions groups on each folder would be really helpful.
Cdwalter, Owner (Author)

Commented:
No other groups are involved. Assume the folder attached is user1: user2 can read this folder even though they do not have NTFS rights to the folder. I don't want them to be able to see the other user's folder, much less open it.
FolderPerm.png
Cdwalter, Owner (Author)

Commented:
Maybe I'm going at this the wrong way; here's what I want to do:

Everyone should be able to see the usershare folder but only be able to see the folders below it that they have access to. I would prefer to have a share to the top folder. What's the best way to accomplish this?
it_saige, Developer (Distinguished Expert 2019)

Commented:
What operating system is the server and what are the Forest/Domain functional levels?

-saige-
Cdwalter, Owner (Author)

Commented:
SBS2011 file server, just one domain. I know I had this working at one time.
it_saige, Developer (Distinguished Expert 2019)

Commented:
What you are wanting to do is called Access-based Enumeration:

https://technet.microsoft.com/en-us/library/dd772681%28v=ws.10%29.aspx

It allows for you to *hide* files and folders that users do not have rights to access.

-saige-
Cdwalter, Owner (Author)

Commented:
Sounds like we are on the right track. I found the switch for the share in question and turned it on. However, I don't see a change in access.
Userbase.png
it_saige, Developer (Distinguished Expert 2019)

Commented:
You may need to have the users log off and log in again in order to see the changes reflected.

-saige-
Cdwalter, Owner (Author)

Commented:
I did, a couple of times. I still don't see a change: they can still get to folders/files they do not have NTFS rights to, but do have share access to.
it_saige, Developer (Distinguished Expert 2019)

Commented:
Alright, let's dig a little deeper then. If you can provide screenshots, that would be most beneficial.

1.  What are the explicit share permissions?
2.  What are the explicit NTFS permissions (at the root level)?
3.  What are the explicit NTFS permissions (at one or more of the folder/file levels)?
4.  What are the effective NTFS permissions (at one or more of the folder/file levels)?

-saige-
it_saige, Developer (Distinguished Expert 2019)

Commented:
Also, did you propagate any changes to the structure after you made changes?

-saige-
Cdwalter, Owner (Author)

Commented:
1. Everyone: Change / Read
2. System, Domain Admins, Administrators: Full Control
3. System, User1, Domain Admins, Administrators: Full Control, not inherited from parent
4.
SharePerm.jpg
TopFolderPerm.png
SubFolderPerm.png
Cdwalter, Owner (Author)

Commented:
Yes, I applied security to all child objects on the subfolder.
Cdwalter, Owner (Author)

Commented:
I'm more confused now: if I check effective permissions on the user1 folder for user2, they have Full Control. I have no idea why.
Cdwalter, Owner (Author)

Commented:
It looks like on the top folder all users' effective permissions are Full Control; I have no idea where it's pulling that from.
it_saige, Developer (Distinguished Expert 2019)

Commented:
Can you screenshot those effective permissions?

-saige-
William Fulks, IT Services Analyst

Commented:
On the User1 and User2 folders, under Security remove everything but User1 (for User1) and User2 (for User2) and the Administrators. You should only have two groups in each one when you're done.
Cdwalter, Owner (Author)

Commented:
I used a test account that is a basic user. Testaccess does not have NTFS rights to the subfolder, yet its effective permissions are Full Control.
TopfolderEP.png
SubFolderEF.png
Cdwalter, Owner (Author)

Commented:
Do you think a reboot is required for any reason? If so, I'll have to wait till later tonight. I wouldn't think it would be, but I have seen some comments that it might require a reboot.
William Fulks, IT Services Analyst

Commented:
Please take a screenshot of the Member Of tab of TestAccess in AD. If it's different for user1 and user2, show screencaps for those, too.
it_saige, Developer (Distinguished Expert 2019)

Commented:
Also, what groups are User1 and User2 members of? Who is in the Administrators group?

-saige-
Cdwalter, Owner (Author)

Commented:
This is broken for everyone in the domain, not just a couple of users.
Userperm.png
Cdwalter, Owner (Author)

Commented:
I'm using testaccess for all testing. It is purposely not in any admin groups.
Cdwalter, Owner (Author)

Commented:
Could GPO be affecting this?
William Fulks, IT Services Analyst

Commented:
Right...I am thinking it's something in the user level that's basically giving them way too much permission to the system. See if any of those groups are included in Administrators or Domain Admins.
Cdwalter, Owner (Author)

Commented:
This drive is mapped from the Profile tab in AD as the home directory.
William Fulks, IT Services Analyst

Commented:
Now in AD pull up Administrators and Domain Admins and look at the Members tab of each group. See anything that shouldn't be in there or that coincides with the groups that your users are in?
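An added example, not code from the thread, that does in PowerShell the two checks it_saige's numbered list and William Fulks' last two comments ask for: list every NTFS ACE on each per-user folder under the share root and flag any identity that is not SYSTEM, the admin groups or the folder's own user, then list the members of the server's local Administrators group, since a domain group placed there gets Full Control on every folder no matter what the folder ACLs say. It assumes the question's path C:\usershare, that each subfolder is named after its user's account name, and that it runs on the file server under a domain account (so $env:USERDOMAIN is the domain).

```powershell
# Added example, not code from the thread. Assumptions: share root C:\usershare as in the
# question, each subfolder named after its user's account, and run on the file server
# under a domain account so $env:USERDOMAIN is the domain NetBIOS name.
param([string]$Root = 'C:\usershare')

# Identities that are expected on every per-user folder, per the question.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$env:USERDOMAIN\Domain Admins")

function Find-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed)
    # One record per ACE whose identity is not SYSTEM, an admin group, or the folder's own user.
    Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder = $_
        $owner  = "$env:USERDOMAIN\$($folder.Name)"
        foreach ($ace in (Get-Acl -Path $folder.FullName).Access) {
            $id = $ace.IdentityReference.Value
            if ($Allowed -notcontains $id -and $id -ne $owner) {
                New-Object PSObject -Property @{
                    Folder    = $folder.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Get-LocalAdminMember {
    # Members of the server's local Administrators group (ADSI call that works on PowerShell 2.0).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

"== ACEs that should not be on a per-user folder =="
Find-UnexpectedAce -Path $Root -Allowed $expected | Format-Table Folder, Identity, Rights, Inherited -AutoSize

# Any domain group listed here (the thread's 'Solana' group, for example) gives its members
# Full Control of every folder, which is exactly what shows up in effective permissions.
"== Local Administrators members =="
Get-LocalAdminMember
```

Effective permissions combine the share ACL and the NTFS ACL by taking the more restrictive of the two, so a Full Control result for a user who has no explicit NTFS entry points at group membership rather than the folder ACL, which is what this script surfaces.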
Cdwalter, Owner (Author)

Commented:
None of the groups the test user is in are in the Domain Admins or local admin groups.
Cdwalter, Owner (Author)

Commented:
I may have found it. Let me go do some testing.
William Fulks, IT Services Analyst

Commented:
Sorry for not catching that earlier, but SBS is not the same as regular Windows Server. I think you HAVE to go through the console for certain things to take properly.
Cdwalter, Owner (Author)

Commented:
You get the points. It looks like it's working, and it was not as bad as I thought: only the Solana group, which is a limited number of people, was seeing everything. Thanks for your help.
Cdwalter, Owner (Author)

Commented:
Stayed with it until we found the solution.
William Fulks, IT Services Analyst

Commented:
You're welcome. Isn't that kind of stuff fun? At my work we had a group of about 100 people that had somehow gotten corrupt, so some worked and others didn't. It was a great joy to troubleshoot!
Cdwalter, Owner (Author)

Commented:
Yes, I know when this got screwed up: I needed to give that group local admin rights to do some upgrades, and I gave them more than I meant to.