Solved

Windows Share/Security permissions

Posted on 2016-11-19
Last Modified: 2016-11-19
** I have created a share named Company under the Windows C: drive, and in Advanced Sharing I added Authenticated Users and gave them Read permissions.
On the Security tab of the Company share I gave Authenticated Users: Read permission, Apply to: This folder only, and disabled inheritance.
However, when I logged in to a different computer as a regular domain user (User1), I can see all the shares inside the drive when I type \\servername.
Authenticated users should not even see the Company share name, but just the Department folder under the Company share.
How can I fix that?

** I have created a Department folder under the Company share.
I gave Authenticated Users: Traverse folder/Execute file -- List folder/Read Data -- Read Attributes -- Read Extended Attributes.
Apply to: This folder only
However, when I logged in to a different computer as a regular domain user (User1), I can see all the folders inside the drive when I type \\servername\Company
How can I fix that?

** Under the Department folder, I have created 2 subfolders: Marketing and Sales.
In AD, User1 is a member of the Marketing security group and User2 is a member of the Sales security group.
On the Marketing subfolder I have added the Marketing group and gave it Modify permissions, and disabled inheritance.
On the Sales subfolder I have added the Sales group and gave it Modify permissions, and disabled inheritance.
When I logged in to a different computer as a regular domain user (User1), I can see all the folders inside the drive when I type \\servername\Company
I want User1 to see only the Marketing subfolder and User2 to see only the Sales subfolder.
How can I fix that?

Thank you
Question by:jskfan
 
LVL 7

Accepted Solution

by:
No More earned 1200 total points
ID: 41894131
ABE would help you with this

http://woshub.com/enable-access-based-enumeration-in-windows-server/

Also, is there any reason why this couldn't be separate?

Like sharing a specific folder to a specific department.

You could also create the share name with $, which would make it invisible.
0
 
LVL 4

Assisted Solution

by:Mumbai Tech
Mumbai Tech earned 200 total points
ID: 41894138
See, if you log in as a domain user, that means you are an authenticated user and you have Read permissions. So you are able to see the folders.

To fix this you need to remove the Read permission for Authenticated Users and give only the List folder contents permission. There is no need to give Read permission; only List folder contents is required.
0
 

Author Comment

by:jskfan
ID: 41894142
- I mentioned that a domain user can see other shares on the server. Well, I can take that back: since I created the Company share on a DC, it is normal that a domain user can see the Sysvol and Netlogon shares. However, a domain user should not see the Company share, but should be able to see just the Department folder which is inside the Company share.
So how do I fix that? (Prevent domain users from seeing the Company share, but allow them to see what is inside of it.)
0

 

Author Comment

by:jskfan
ID: 41894149
On the Company share's Security tab, I even gave Authenticated Users just:

Traverse folder/Execute file -- List folder/Read Data
They can still see the Company share.
0
 

Author Comment

by:jskfan
ID: 41894158
OK, I fixed the Company share access by removing Authenticated Users from the Security tab.
I just left Authenticated Users in "Advanced Sharing" with Read permissions.
So now domain users can only see what is inside the Department folder under the Company share.

I mean:
\\servername\Company ....... not allowed for domain users
\\servername\Company\Department .......... allowed for domain users

Oufff... Fixed

Now I need to work on the subfolders under the Department folder.

When domain users who are members of the Marketing group access \\servername\Company\Department,
they should see only the Marketing group, not other folders they do not have permissions on.

So far I cannot fix it.

Any help?
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41894159
You need to create departmental security groups and apply these groups to each of your specific departmental folders, exactly the way you were trying to do with Authenticated Users. You do not ever want to use the Authenticated Users group unless you want everyone who is a member of your domain to have access to it.

Are you familiar with this method? If not, I can put together a quick how-to.
0
 

Author Comment

by:jskfan
ID: 41894171
On Marketing folder there is only Marketing security group
On Sales folder there is only Sales security group

If a user who is a member of the Marketing group maps to \\Servername\Company\Department, they should see just the Marketing folder,
but it is not working.
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41894177
Would you be able to post some screenshots of the folder security settings?

  1. Was the security group created after the user had already logged on?
  2. Is the user a member of the group, and was the user added after the user logged on?
If either is true, you need to log off and back on for security groups to apply.
0
 

Author Comment

by:jskfan
ID: 41894192
The user was already a member of the security group.

You would think that, since only the Marketing security group has permissions on the Marketing folder and inheritance is disabled, it should be hidden from other users.
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41894198
I may be misunderstanding, but are you not able to access it, or are others seeing the folder?
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41894200
As someone suggested, use ABE (Access Base Emulation). This will only expose the folders that the users have rights to.
 
https://technet.microsoft.com/en-us/library/dd772681(WS.10).aspx
0
 

Author Comment

by:jskfan
ID: 41894207
I just removed Authenticated Users from the Department folder.
Marketing users can see just what is inside the Marketing folder:
\\servername\Company\Department\Marketing

It is too tight, though.

I want the Marketing group to be able to see the Marketing folder before they open it. But just the Marketing folder, not Sales.
0
 

Author Comment

by:jskfan
ID: 41894230
*Company(Share)
*Department
 - Marketing
 - Sales

I want the Marketing security group, when they map to \\servername\Company\Department, to be able to see
-Marketing

The reason I want that is because I need to add a couple of folders under Department that the Marketing group needs to see before they decide to open them.

So L: Drive , will be mapped as:
\\servername\Company\Department
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41894247
Here is my example for you:

Share out the Company folder
Give Read & List rights only to the Department folder
Give rights to the user or group to the Sub-department folder

[Screenshots: rights2, rights1, rights3, rights4]
0
 

Author Comment

by:jskfan
ID: 41894258
How did you block the Marketing group from seeing the HR folder under Department?
0
 
LVL 24

Assisted Solution

by:yo_bee
yo_bee earned 600 total points
ID: 41894275
Making sure the Access Base Emulation was enabled: please follow the link I posted for how to make sure that this is enabled on the share.

[Screenshot: rights5]
Once enabled, whatever security you apply to the folder HR or Market will dictate who sees it.

Please also follow my screenshots, as they highlight the settings I applied.
0
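
The configuration this thread converges on (Access-Based Enumeration, ABE, enabled on the share, with group-only NTFS entries on each department subfolder), written out as an added PowerShell example that is not from any of the posters. It assumes Windows Server 2012 or later with the SmbShare module and an elevated session; `CONTOSO` is a placeholder domain, and granting Change rather than Read at the share level is this example's own choice.

```powershell
# Added example. CONTOSO is a placeholder domain; C:\Company, Department,
# Marketing and Sales follow the layout described in the question.
$domain = 'CONTOSO'
$root   = 'C:\Company'
$dept   = Join-Path $root 'Department'
$groups = 'Marketing', 'Sales'

foreach ($g in $groups) {
    New-Item -ItemType Directory -Path (Join-Path $dept $g) -Force | Out-Null
}

# Share level: effective access over SMB is the more restrictive of share and
# NTFS permissions, so Read here would cap the groups' NTFS Modify at read-only.
if (Get-SmbShare -Name 'Company' -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name 'Company' -FolderEnumerationMode AccessBased -Force
} else {
    New-SmbShare -Name 'Company' -Path $root `
        -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# Share root: drop inherited entries (including BUILTIN\Users from C:\) and
# keep only admin access, so ordinary users cannot list \\server\Company.
icacls $root /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Department: read/list on this folder only (no OI/CI flags), so the entry
# is not inherited by Marketing or Sales.
icacls $dept /grant 'NT AUTHORITY\Authenticated Users:(RX)'

# Each subfolder: Modify for its own group only.
foreach ($g in $groups) {
    icacls (Join-Path $dept $g) /grant "${domain}\${g}:(OI)(CI)M"
}

# Checks: ABE is on, and no broad principal holds an entry on a subfolder.
# ABE only filters directory listings; the NTFS ACL remains the access boundary.
Get-SmbShare -Name 'Company' | Select-Object Name, Path, FolderEnumerationMode
Get-ChildItem $dept -Directory | ForEach-Object {
    $broad = (Get-Acl $_.FullName).Access | Where-Object {
        $_.IdentityReference -match 'Authenticated Users|Everyone|Domain Users|BUILTIN\\Users'
    }
    [pscustomobject]@{ Folder = $_.Name; BroadAces = @($broad).Count }
}
```

A non-zero `BroadAces` count on a subfolder means every domain user will still see that folder in the listing, which is the symptom described earlier in the thread.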
 

Author Closing Comment

by:jskfan
ID: 41894288
That did it..You are Genius Guys..
Thank you very much
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41894295
I get 150 points. Seems a bit unfair considering the effort and information I supplied.
0
 
LVL 7

Expert Comment

by:No More
ID: 41894304
Yo_bee I think it's unfair that you got any points, since I gave the solution to ABE with link, as first person
0
 
LVL 24

Expert Comment

by:yo_bee
ID: 41894322
Funny thing Dave before I saw any points I was going to make a suggestion that the asker of the question at least split the point with you and me.
0


Question has a verified solution.
