permission questions

I have users that have access via the authenticated users group with both read\write permissions.

Once we figure it out, we only want the authenticated users to be able to traverse to the folder they have permissions to

and not list the other folders...

so let's say share is in server1\DEPT

DEPT share could have 100 folders, I only want them to see what they have access to...

Also some servers are 2003, 2008, 2012

If a user has list permissions, does that mean they can open and read files if they exist in the root folder DEPT?

We might want users to be able to traverse and list -- but not open and read/write subfolders, and definitely not files in root or anywhere they don't have access to.

so a few parts
Is list/read the same thing  2003,2008,2012
what does having traverse and list do
how to eliminate folders they dont have access to -- enumerate?
Indyrb Asked:

kevinhsieh Commented:
You need to turn on Access Based Enumeration (ABE) on your servers. Procedure varies per server OS.

The easiest thing to do is to disable NTFS inheritance on any folder you want to restrict access to, and then only give permission to the appropriate group.
0
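
The two steps from the answer above (ABE on the share, inheritance disabled on a restricted folder), as an added PowerShell example that is not part of the original thread. It assumes a Server 2012 or later file server (the SmbShare cmdlets do not exist on 2003/2008), the share path E:\Dept01\Dept, a subfolder named folder2, and a hypothetical group CONTOSO\Dept-Folder2-RW. The "this folder only" ACE on the share root lets users list and traverse DEPT without being able to open files stored directly in it.

```powershell
# Added example, not from the thread. Run elevated on a Server 2012+ file server.
$ShareName = 'DEPT'
$ShareRoot = 'E:\Dept01\Dept'                 # assumed local path of the share
$Folder    = Join-Path $ShareRoot 'folder2'   # assumed restricted subfolder
$Group     = 'CONTOSO\Dept-Folder2-RW'        # hypothetical group name

# 1. Access Based Enumeration: hide entries the caller has no read access to
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# 2. Share root: Authenticated Users (S-1-5-11) may list and traverse THIS FOLDER ONLY.
#    InheritanceFlags 'None' keeps the ACE off subfolders and off files in the root.
#    ACEs the root itself inherits from the volume are not changed here.
$au      = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$rootAcl = Get-Acl -LiteralPath $ShareRoot
$rootAcl.PurgeAccessRules($au)                # drop the old explicit read/write grant
$listOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $au, 'ReadAndExecute', 'None', 'None', 'Allow')
$rootAcl.AddAccessRule($listOnly)
Set-Acl -LiteralPath $ShareRoot -AclObject $rootAcl

# 3. Restricted folder: stop inheriting, discard inherited ACEs,
#    remove leftover explicit ACEs, then grant only the intended principals.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $false)   # protect = true, keep inherited = false
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$grants = @(
    @($Group,                   'Modify'),
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl')
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g[0], $g[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Folder -AclObject $acl

# Check: ABE state of the share and the resulting ACL on the restricted folder
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
(Get-Acl -LiteralPath $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```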

Lionel MM (Small Business IT Consultant) Commented:
OK let me see if I understand what you are asking. So you have a server1\DEPT share and in that share you have something like this
server1\DEPT\folder1
server1\DEPT\folder2
server1\DEPT\folder3 and you want some users to be able to see only folder 1 & 3 but not folder 2, is that right? Well that is not possible with this directory structure. Giving them LIST on server1\DEPT\ means they can see what is under DEPT. If you don't want them to see certain folders then you would have to change the directory structure to something like server1\DEPT\Can-See\folder1 and server1\DEPT\Cannot-See\folder2 and then don't give them LIST permission on the cannot-see folder. So they will see "can-see" and will not see "cannot-see" folder under DEPT; If they click on cannot-see then they won't see any folders under it. Is this what you are asking?
0
kevinhsieh Commented:
https://technet.microsoft.com/en-us/library/cc784710(v=ws.10).aspx

"Access-based Enumeration is a new feature included with Windows Server 2003 Service Pack 1. This feature allows users of Windows Server 2003–based file servers to list only the files and folders to which they have access when browsing content on the file server. This eliminates user confusion that can be caused when users connect to a file server and encounter a large number of files and folders that they cannot access."
0

Indyrb (Author) Commented:
So here is a little tidbit

We have oldserver1 and we need to move to newserver1

we used robocopy,

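@echo off
cls

rem Source: administrative share on the old server
set src=\\oldserver1\f$\dept\
rem Destination: local path on newserver1
set dst=E:\Dept01\Dept\
rem /MIR mirrors the tree, /ZB falls back to backup mode, /COPYALL and /SECFIX carry NTFS security
set swt=/MIR /ZB /SECFIX /TIMFIX /COPYALL /DCOPY:T /MT:128 /XO /R:100 /W:30 /NS /NC /NFL /NDL /NP /ETA /TEE
set log=C:\temp\robocopy_Dept1_log.txt
robocopy %src% %dst% %swt% /log:"%log%"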


Now when we compare the size of the old folder it is way larger, and the files are compressed.

On the newserver the E:\ drive looks like it has a lot of content, however the Dept1 folder (right click) shows way less in size.

I assume there are folders that we don't have permissions to that are not counting the space.

Do we need to have full access to all folders when copying the data -- and then how do we fix security on the newserver1.

I agree with access enumeration on the new server, but somehow permissions are all wacked out.. not sure what is what
0
Indyrb (Author) Commented:
the robocopy doesn't recreate shares, with permissions. any vbscript or powershell you can show code or send link
0
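
One way to recreate the shares that robocopy leaves behind, as an added PowerShell example that is not part of the original thread. It assumes it runs elevated on newserver1 (Server 2012 or later), that WMI on oldserver1 is reachable, and that F:\dept is the local path behind \\oldserver1\f$\dept; it copies only Allow entries with the standard Full, Change and Read share masks and warns about anything else.

```powershell
# Added example, not from the thread. Run elevated on newserver1 (Server 2012+).
$OldServer = 'oldserver1'
$OldRoot   = 'F:\dept'          # assumed local path behind \\oldserver1\f$\dept
$NewRoot   = 'E:\Dept01\Dept'   # robocopy destination from the thread

# Share-permission access masks mapped to SMB share rights
$MaskToRight = @{ 2032127 = 'Full'; 1245631 = 'Change'; 1179817 = 'Read' }

# Type 0 = ordinary disk shares (skips admin shares such as F$ and IPC$)
$shares = Get-WmiObject -Class Win32_Share -ComputerName $OldServer -Filter 'Type = 0' |
    Where-Object { $_.Path -like "$OldRoot*" }

foreach ($s in $shares) {
    # Map the old local path onto the new root
    $newPath = $NewRoot + $s.Path.Substring($OldRoot.Length)
    if (-not (Test-Path -LiteralPath $newPath)) {
        Write-Warning "$($s.Name): $newPath not found, skipped"; continue
    }
    if (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue) {
        Write-Warning "$($s.Name): share already exists, skipped"; continue
    }

    # Create with ABE on, then drop the default Everyone:Read grant
    New-SmbShare -Name $s.Name -Path $newPath -FolderEnumerationMode AccessBased | Out-Null
    Revoke-SmbShareAccess -Name $s.Name -AccountName 'Everyone' -Force | Out-Null

    # Read the share-level ACL from the old server
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
        -ComputerName $OldServer -Filter "Name = '$($s.Name)'"
    if (-not $sec) {
        Write-Warning "$($s.Name): no share ACL read, grant access manually"; continue
    }

    foreach ($ace in $sec.GetSecurityDescriptor().Descriptor.DACL) {
        $account = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" }
                   else { $ace.Trustee.Name }
        $right = $MaskToRight[[int]$ace.AccessMask]
        if ($ace.AceType -ne 0 -or -not $right) {   # AceType 0 = Allow
            Write-Warning "$($s.Name): ACE for $account not copied (deny or custom mask)"
            continue
        }
        Grant-SmbShareAccess -Name $s.Name -AccountName $account -AccessRight $right -Force |
            Out-Null
    }
}
```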
kevinhsieh Commented:
When you used robocopy, was it from an elevated command prompt? Your switches look good. The /zb says to use backup mode, which uses the backup permission. The log should say how many files were copied, skipped, etc. and the size of the copy job.

When checking the size of the target directory, you need to run explorer elevated, or do it from another workstation and check the folder size of \\newserver\e$\Dept01
0