Share vs NTFS rights

It was my understanding that if I created a shared folder and gave everyone read rights, then had NTFS rights on the folders inside the share, users would only be able to see/access the folders inside the share that they had NTFS rights to. It appears share rights are overriding NTFS rights.

Physical location
c:\usershare - security: System, domain admins and administrators have full control

Share
usersshare - security: everyone has read

Folders
c:\usershare\user1 - admins and user1 have NTFS access
c:\usershare\user2 - admins and user2 have NTFS access

However, user 1 can access user2 data and user2 can access user1 data.

What I want is for everyone to see the share and only the folders they have access to within the share. I'm missing something simple but don't see it.
Cdwalter (Owner) asked:

William Fulks (Systems Analyst & Webmaster) commented:
Share permissions should trump folder permissions.

Do user1 and user2 fall under any other groups?

Some screenshots of the permissions groups on each folder would be really helpful.
Cdwalter (Owner, Author) commented:
No other groups are involved. Assume the folder attached is user1 -- User2 can read this folder even though they do not have NTFS rights to the folder. I don't want them to be able to see the other user's folder, much less open it.
Attachment: FolderPerm.png
Cdwalter (Owner, Author) commented:
Maybe I'm going at this the wrong way. Here's what I want to do:

Everyone should be able to see the usershare folder but only be able to see the folders below that which they have access to. I would prefer to have a share to the top folder. What's the best way to accomplish this?

it_saige (Developer) commented:
What operating system is the server and what are the Forest/Domain functional levels?

-saige-
Cdwalter (Owner, Author) commented:
SBS2011 file server. Just one domain. I know I had this working at one time.
it_saige (Developer) commented:
What you are wanting to do is called Access-based Enumeration:

https://technet.microsoft.com/en-us/library/dd772681%28v=ws.10%29.aspx

It allows for you to *hide* files and folders that users do not have rights to access.

-saige-
Cdwalter (Owner, Author) commented:
Sounds like we are on the right track. I found the switch for the share in question and turned it on. However, I don't see a change in access.
Attachment: Userbase.png
it_saige (Developer) commented:
You may need to have the users log off and log in to see the changes reflected.

-saige-
Cdwalter (Owner, Author) commented:
I did, a couple of times. Still don't see a change: they can still get to folders/files they do not have NTFS rights to, but do have share access to.
it_saige (Developer) commented:
Alright, let's dig a little deeper then. If you can provide screenshots, that would be most beneficial.

1.  What are the explicit share permissions?
2.  What are the explicit NTFS permissions (at the root level)?
3.  What are the explicit NTFS permissions (at one or more of the folder/file levels)?
4.  What are the effective NTFS permissions (at one or more of the folder/file levels)?

-saige-
it_saige (Developer) commented:
Also, did you propagate any changes to the structure after you made changes?

-saige-
Cdwalter (Owner, Author) commented:
1. Everyone change / read
2. System, Domain Admin, Administrators: Full Control
3. System, User1, Domain Admin, Administrator: Full Control, not inherited from parent
4.
Attachments: SharePerm.jpg, TopFolderPerm.png, SubFolderPerm.png
Cdwalter (Owner, Author) commented:
Yes, I applied security to all child objects on the subfolder.
Cdwalter (Owner, Author) commented:
I'm more confused now. If I check effective permissions on the user1 folder for user 2, they have full control. I have no idea why.
Cdwalter (Owner, Author) commented:
It looks like on the top folder all users' effective permissions are full control. I have no idea where it's pulling that from.
it_saige (Developer) commented:
Can you screenshot those effective permissions?

-saige-
William Fulks (Systems Analyst & Webmaster) commented:
On the User1 and User2 folders, under Security remove everything but User1 (for User1) and User2 (for User2) and the Administrators. You should only have two groups in each one when you're done.
Cdwalter (Owner, Author) commented:
Used a test account that is a basic user. Testaccess does not have NTFS rights to the subfolder, yet its EP are full control.
Attachments: TopfolderEP.png, SubFolderEF.png
Cdwalter (Owner, Author) commented:
Do you think a reboot is required for any reason? If so, I'll have to wait till later tonight. I wouldn't think it would, but I have seen some comments that it might require a reboot.
William Fulks (Systems Analyst & Webmaster) commented:
Please take a screenshot of the Member Of tab of TestAccess in AD. If it's different for user1 and user2, show screencaps for those, too.
it_saige (Developer) commented:
Also, what groups are User1 and User2 members of? Who is in the Administrators group?

-saige-
Cdwalter (Owner, Author) commented:
This is broken for everyone in the domain, not just a couple of users.
Attachment: Userperm.png
Cdwalter (Owner, Author) commented:
I'm using test access for all testing. It is purposely not in any admin groups.
Cdwalter (Owner, Author) commented:
Could GPO be affecting this?
William Fulks (Systems Analyst & Webmaster) commented:
Right... I am thinking it's something in the user level that's basically giving them way too much permission to the system. See if any of those groups are included in Administrators or Domain Admins.
Cdwalter (Owner, Author) commented:
This drive is mapped from the profile tab in AD as the home dir.
William Fulks (Systems Analyst & Webmaster) commented:
Now in AD pull up Administrators and Domain Admins and look at the Members tab of each group. See anything that shouldn't be in there or that coincides with the groups that your users are in?
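
An added example, not part of the thread or of any participant's post: one way to run the membership check suggested above from PowerShell on the SBS 2011 server (a domain controller, so the ActiveDirectory module is available). It lists the ACEs on a folder that apply to an account through direct or nested group membership; the path and account name are the ones used in the thread, and the variable names are assumptions.

```powershell
# Added example. Path and account are the ones named in the thread; adjust as needed.
Import-Module ActiveDirectory

$Path = 'C:\usershare\user1'
$Sam  = 'testaccess'

$user = Get-ADUser -Identity $Sam -Properties PrimaryGroup

# Collect every group the account belongs to, directly or through nesting.
# 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN OID, which makes
# the directory walk the member chain server-side. The primary group is not
# stored in the member attribute, so it is added and expanded separately.
# Assumes the DNs contain no LDAP filter special characters: ( ) * \
$groups = @(Get-ADGroup -Identity $user.PrimaryGroup)
foreach ($dn in @($user.DistinguishedName, $user.PrimaryGroup)) {
    $groups += @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
}
$groupNames = @($groups | Select-Object -ExpandProperty SamAccountName -Unique)

# These principals cover every domain user without showing up as AD groups.
$implicit = 'Everyone', 'Authenticated Users'

# Print only the ACEs that apply to this account, and why they apply.
foreach ($ace in (Get-Acl -Path $Path).Access) {
    # Strip the DOMAIN\ or BUILTIN\ prefix from the ACE identity.
    $name = $ace.IdentityReference.Value.Split('\')[-1]
    if ($name -eq $user.SamAccountName -or
        $groupNames -contains $name -or
        $implicit -contains $name) {
        $ace | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
    }
}

# True on either line explains full control for a supposedly basic user.
"In Administrators (directly or nested): " + ($groupNames -contains 'Administrators')
"In Domain Admins (directly or nested):  " + ($groupNames -contains 'Domain Admins')
```

An Allow ACE for Administrators in the output for an account that should be a basic user points at a nested group, which the Member Of tab of the account alone does not show.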
Cdwalter (Owner, Author) commented:
None of the groups the test user is in are in Domain Admins or local admin groups.
William Fulks (Systems Analyst & Webmaster) commented:
Cdwalter (Owner, Author) commented:
I may have found it --- let me go do some testing.
William Fulks (Systems Analyst & Webmaster) commented:
Sorry for not catching that earlier, but SBS is not the same as regular Windows Server. I think you HAVE to go through the console for certain things to take properly.
Cdwalter (Owner, Author) commented:
You get the points. It looks like it's working, and it was not as bad as I thought: only the Solana group, which is a limited number of people, was seeing everything. Thanks for your help.
Cdwalter (Owner, Author) commented:
Stayed with it until we found the solution.
William Fulks (Systems Analyst & Webmaster) commented:
You're welcome. Isn't that kind of stuff fun? At my work we had a group of @ 100 people that had somehow gotten corrupt so some worked and others didn't. It was a great joy to troubleshoot!
Cdwalter (Owner, Author) commented:
Yes, I know when this got screwed up. I needed to give that group local admin rights to do some upgrades and I gave them more than I meant to.