asked on
Access Based Enumeration 2008- different from different share instances
I have, or so I thought, limited enumeration based on NTFS. The shared folder in question is hung off a server and uses two instances \\server\new shared\ and \\server\newshared\ for the same folder. Note the instance names differ by the presence or lack of a space.
If a user hits the “new shared” with a space, their view is limited based on NTFS perms. Folders to which they have no permission are not seen. However, if a user hits “newshared” with no space, they can see all the folders contained. They are still prevented from accessing the subfolders as they should by NTFS, but now they can see them.
Share level permissions for “New Shared” are, Authenticated Users, domain Users, and Administrators(local) all full control. The share level permissions for “NewShared” are Authenticated Users, Domain Admins, and Domain Users, again all full control.
As the GPO shared drive mapping is through “new shared” I’m probably going to just kill the “newshared” instance, but I would like to understand. The mapping GPO is set to “Run in logged on user’s security context”, Show this drive, show all drives, reconnect, with a designated drive letter mapped to “New Shared”.
Clients are Win7-32. Server is 2008R2 with file server and print server roles.
If a user hits the “new shared” with a space, their view is limited based on NTFS perms. Folders to which they have no permission are not seen. However, if a user hits “newshared” with no space, they can see all the folders contained. They are still prevented from accessing the subfolders as they should by NTFS, but now they can see them.
Share level permissions for “New Shared” are, Authenticated Users, domain Users, and Administrators(local) all full control. The share level permissions for “NewShared” are Authenticated Users, Domain Admins, and Domain Users, again all full control.
As the GPO shared drive mapping is through “new shared” I’m probably going to just kill the “newshared” instance, but I would like to understand. The mapping GPO is set to “Run in logged on user’s security context”, Show this drive, show all drives, reconnect, with a designated drive letter mapped to “New Shared”.
Clients are Win7-32. Server is 2008R2 with file server and print server roles.
Windows Server 2008Microsoft Server OSWindows 7
Last Comment
Steve Whitcher
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.