Solved

Windows Share/Security permissions

Posted on 2016-11-19
Last Modified: 2016-11-19
** I have created a share named Company under the Windows C: drive, and in Advanced Sharing I added Authenticated Users and gave them Read permissions.
On the Security tab of the Company share I gave Authenticated Users: Read permission, Apply to: This folder only, and disabled inheritance.
However, when I logged in to a different computer as a regular domain user (User1), I can see all the shares inside the drive when I type \\servername.
Authenticated users should not even see the Company share name, but just the Department folder under the Company share.
How can I fix that?

** I have created a Department folder under the Company share.
I gave Authenticated Users: Traverse folder/Execute file, List folder/Read data, Read attributes, Read extended attributes.
Apply to: This folder only
However, when I logged in to a different computer as a regular domain user (User1), I can see all the folders inside the drive when I type \\servername\Company
How can I fix that?

** Under the Department folder, I have created 2 subfolders: Marketing and Sales.
In AD, User1 is a member of the Marketing security group and User2 is a member of the Sales security group.
On the Marketing subfolder I have added the Marketing group and gave it Modify permissions, and disabled inheritance.
On the Sales subfolder I have added the Sales group and gave it Modify permissions, and disabled inheritance.
When I logged in to a different computer as a regular domain user (User1), I can see all the folders inside the drive when I type \\servername\Company
I want User1 to see only the Marketing subfolder and User2 to see only the Sales subfolder.
How can I fix that?

Thank you
Question by:jskfan
20 Comments
 
LVL 7

Accepted Solution

by:
No More earned 300 total points
ID: 41894131
ABE would help you with this:

http://woshub.com/enable-access-based-enumeration-in-windows-server/

Also, is there any reason why this couldn't be separate?

Like sharing a specific folder to a specific department.

You could also create the share name with $, which would make it invisible.
0
 
LVL 4

Assisted Solution

by:Mumbai Tech
Mumbai Tech earned 50 total points
ID: 41894138
See, if you log in as a domain user, that means you are an authenticated user and you have Read permissions. So you are able to see the folders.

To fix this you need to remove the Read permission for Authenticated Users and give only the List folder contents permission. No need to give Read permission; only List folder contents is required.
0
 

Author Comment

by:jskfan
ID: 41894142
- I mentioned that a domain user can see other shares on the server... Well, I can take that back: since I created the Company share on a DC, it is normal that a domain user can see the Sysvol and Netlogon shares. However, a domain user should not see the Company share, but should be able to see just the Department folder which is inside the Company share.
So how to fix that? (Prevent domain users from seeing the Company share, but allow them to see what is inside of it.)
0
 

Author Comment

by:jskfan
ID: 41894149
On the Company share / Security tab, I even gave Authenticated Users just:

Traverse folder/Execute file, List folder/Read data
They can still see the Company share.
0
 

Author Comment

by:jskfan
ID: 41894158
OK, I fixed the Company share access by removing Authenticated Users from the Security tab.
I just left Authenticated Users in "Advanced Sharing" with Read permissions.
So now domain users can only see what is inside the Department folder under the Company share.

I mean:
\\servername\Company ....... not allowed for domain users
\\servername\Company\Department .......... it is allowed for domain users

Ouf... Fixed

Now I need to work on the subfolders under the Department folder.

When domain users who are members of the Marketing group access \\servername\Company\Department,
they should see only the Marketing group, not other folders they do not have permissions on.

So far I cannot fix it.

Any Help ?
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41894159
You need to create departmental security groups and apply these groups to each of your specific departmental folders, exactly the way you were trying to do with Authenticated Users. You do not ever want to use the Authenticated Users group unless you want everyone that is a member of your domain to have access to it.

Are you familiar with this method? If not, I can put together a quick how-to:
0
 

Author Comment

by:jskfan
ID: 41894171
On the Marketing folder there is only the Marketing security group.
On the Sales folder there is only the Sales security group.

If a user who is a member of the Marketing group maps to \\Servername\Company\Department, they should see just the Marketing folder,
but it is not working.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41894177
Would you be able to post some screenshots of the folder security settings?

  1. Was the security group created after the user had already logged on?
  2. Is the user a member of the group, and was the user added after the user logged on?
If either is true, you need to log off and back on for security groups to apply.
0
 

Author Comment

by:jskfan
ID: 41894192
The user was already a member of the security group.

You would think that, since only the Marketing security group has permissions on the Marketing folder and inheritance is disabled, it should be hidden from other users.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41894198
I may be misunderstanding, but are you not able to access it, or are others seeing the folder?
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41894200
As someone suggested, use ABE (Access Base Emulation). This will only expose the folders that the users have rights to.
 
https://technet.microsoft.com/en-us/library/dd772681(WS.10).aspx
0
 

Author Comment

by:jskfan
ID: 41894207
I just removed Authenticated Users from the Department folder.
Marketing users can see just what is inside the Marketing folder:
\\servername\Company\Department\Marketing

It is too tight though.

I want the Marketing group to be able to see the Marketing folder before they open it. But just the Marketing folder, not Sales.
0
 

Author Comment

by:jskfan
ID: 41894230
*Company(Share)
*Department
 - Marketing
 - Sales

I want the Marketing security group, when they map to \\servername\Company\Department, to be able to see
-Marketing

The reason I want that is because I need to add a couple of folders under Department that the Marketing group needs to see before they decide to open them.

So the L: drive will be mapped as:
\\servername\Company\Department
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41894247
Here is my example for you:

Share out the Company folder
Give Read & List rights only to the Department folder
Give rights to the user or group to the Sub-department folder

[Screenshots: rights2, rights1, rights3, rights4]
0
 

Author Comment

by:jskfan
ID: 41894258
How did you block the Marketing group from seeing the HR folder under Department?
0
 
LVL 22

Assisted Solution

by:yo_bee
yo_bee earned 150 total points
ID: 41894275
Making sure that Access Base Emulation was enabled: please follow the link I posted for how to make sure that this is enabled on the share.

[Screenshot: rights5]
Once enabled, whatever security you apply to the folder HR or Market will dictate who sees it.

Please also follow my screenshots, as they highlight the settings I applied.
0
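
The layout this thread converged on (ABE on the share, list rights on Department for this folder only, group-only ACLs on each subfolder), as an added PowerShell example that is not code from any poster. The local path C:\Company and the domain name CONTOSO are assumptions; the share, folder and group names come from the question.

```powershell
# Added example. Assumed values: local path C:\Company, domain CONTOSO.
$Share  = 'Company'
$Dept   = 'C:\Company\Department'
$Domain = 'CONTOSO'
$Groups = 'Marketing', 'Sales'      # group and folder names from the question

# 1. Enable Access-Based Enumeration: entries a user cannot read are hidden
#    from directory listings made over this share.
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force

# 2. Department: Authenticated Users (S-1-5-11) may traverse and list
#    this folder only. No (OI)/(CI) flags, so nothing flows to subfolders.
icacls $Dept /grant '*S-1-5-11:(RX)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Dept" }

# 3. Each subfolder: drop inherited ACEs, then grant only its own group
#    Modify, plus SYSTEM (S-1-5-18) and Administrators (S-1-5-32-544)
#    Full control so the server can still manage and back up the data.
foreach ($g in $Groups) {
    $path = Join-Path $Dept $g
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    icacls $path /inheritance:r /grant `
        '*S-1-5-18:(OI)(CI)F' `
        '*S-1-5-32-544:(OI)(CI)F' `
        "${Domain}\${g}:(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }
}

# 4. Verify: the share reports AccessBased, and each subfolder's ACL
#    lists exactly one departmental group.
Get-SmbShare -Name $Share | Select-Object Name, Path, FolderEnumerationMode
$Groups | ForEach-Object { icacls (Join-Path $Dept $_) }
```

Group membership is read at logon, so a user added to Marketing or Sales after signing in has to log off and back on before the listing changes.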
 

Author Closing Comment

by:jskfan
ID: 41894288
That did it. You are geniuses, guys.
Thank you very much
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41894295
I get 150 points. Seems a bit unfair considering the effort and information I supplied.
0
 
LVL 7

Expert Comment

by:No More
ID: 41894304
Yo_bee, I think it's unfair that you got any points, since I was the first person to give the ABE solution, with a link.
0
 
LVL 22

Expert Comment

by:yo_bee
ID: 41894322
Funny thing, Dave: before I saw any points I was going to suggest that the asker of the question at least split the points between you and me.
0

Question has a verified solution.