Solved

Windows Share/Security permissions

Posted on 2016-11-19
Last Modified: 2016-11-19
** I have created a share named Company on the Windows C: drive, and in Advanced Sharing I added Authenticated Users and gave them Read permissions.
On the Security tab of the Company share I gave Authenticated Users: Read permission, Apply to: This folder only, and disabled inheritance.
However, when I logged in to a different computer as a regular domain user (User1), I can see all the shares inside the drive when I type \\servername.
Authenticated users should not even see the Company share name, but just the Department folder under the Company share.
How can I fix that?

** I have created a Department folder under the Company share.
I gave Authenticated Users: Traverse folder/Execute file, List folder/Read data, Read attributes, Read extended attributes.
Apply to: This folder only
However, when I logged in to a different computer as a regular domain user (User1), I can see all the folders inside the drive when I type \\servername\Company.
How can I fix that?

** Under the Department folder, I have created 2 subfolders: Marketing and Sales.
In AD, User1 is a member of the Marketing security group and User2 is a member of the Sales security group.
On the Marketing subfolder I have added the Marketing group and gave it Modify permissions, and disabled inheritance.
On the Sales subfolder I have added the Sales group and gave it Modify permissions, and disabled inheritance.
When I logged in to a different computer as a regular domain user (User1), I can see all the folders inside the drive when I type \\servername\Company.
I want User1 to see only the Marketing subfolder and User2 to see only the Sales subfolder.
How can I fix that?

Thank you
0
Question by:jskfan
20 Comments
 
LVL 6

Accepted Solution

by:
No More earned 300 total points
ABE would help you with this

http://woshub.com/enable-access-based-enumeration-in-windows-server/

Also, is there any reason why this couldn't be separate?

Like sharing a specific folder to a specific department

You could also create the share name with $, which would make it invisible
0
 
LVL 2

Assisted Solution

by:Mumbai Tech
Mumbai Tech earned 50 total points
If you log in as a domain user, you are an authenticated user and you have Read permissions, so you are able to see the folders.

To fix this, you need to remove the Read permission for Authenticated Users and give only the List folder contents permission. There is no need to give Read permission; only List folder contents is required.
0
 

Author Comment

by:jskfan
- I mentioned that a domain user can see other shares on the server... Well, I can take that back: since I created the Company share on a DC, it is normal that a domain user can see the Sysvol and Netlogon shares. However, a domain user should not see the Company share, but should be able to see just the Department folder which is inside the Company share.
So how do I fix that? (Prevent domain users from seeing the Company share, but allow them to see what is inside of it.)
0
 

Author Comment

by:jskfan
On the Company share's Security tab, I even gave Authenticated Users just:

Traverse folder/Execute file, List folder/Read data

They can still see the Company share.
0
 

Author Comment

by:jskfan
OK, I fixed the Company share access by removing Authenticated Users from the Security tab.
I just left Authenticated Users in "Advanced Sharing" with Read permissions.
So now domain users can only see what is inside the Department folder under the Company share.

I mean:
\\servername\Company: not allowed for domain users
\\servername\Company\Department: allowed for domain users

Ouf... fixed.

Now I need to work on the subfolders under the Department folder.

When domain users who are members of the Marketing group access \\servername\Company\Department,
they should see only the Marketing group, not other folders they do not have permissions on.

So far I cannot fix it.

Any help?
0
 
LVL 21

Expert Comment

by:yo_bee
You need to create departmental security groups and apply these groups to each of your specific departmental folders, exactly the way you were trying to do with Authenticated Users. You do not want to ever use the Authenticated Users group unless you want everyone that is a member of your domain to have access to it.

Are you familiar with this method? If not, I can put together a quick how-to.
0
 

Author Comment

by:jskfan
On the Marketing folder there is only the Marketing security group.
On the Sales folder there is only the Sales security group.

If a user who is a member of the Marketing group maps to \\Servername\Company\Department, they should see just the Marketing folder,
but it is not working.
0
 
LVL 21

Expert Comment

by:yo_bee
Would you be able to post some screenshots of the folder security settings?

  1. Was the security group created after the user had already logged on?
  2. Is the user a member of the group, and was the user added after the user logged on?

If either is true, you need to log off and back on for security groups to apply.
0
 

Author Comment

by:jskfan
The user was already a member of the security group.

You would think that, since only the Marketing security group has permissions on the Marketing folder and inheritance is disabled, it should be hidden from other users.
0
 
LVL 21

Expert Comment

by:yo_bee
I may be misunderstanding, but are you not able to access it, or are others seeing the folder?
0
 
LVL 21

Expert Comment

by:yo_bee
As someone suggested, use ABE (Access Base Emulation). This will only expose the folders to the users that have rights to the folder.
 
https://technet.microsoft.com/en-us/library/dd772681(WS.10).aspx
0
 

Author Comment

by:jskfan
I just removed Authenticated Users from the Department folder.
Marketing users can see just what is inside the Marketing folder:
\\servername\Company\Department\Marketing

It is too tight, though.

I want the Marketing group to be able to see the Marketing folder before they open it. But just the Marketing folder, not Sales.
0
 

Author Comment

by:jskfan
*Company(Share)
*Department
 - Marketing
 - Sales

I want the Marketing security group, when they map to \\servername\Company\Department, to be able to see:
 - Marketing

The reason I want that is because I need to add a couple of folders under Department that the Marketing group needs to see before they decide to open them.

So the L: drive will be mapped as:
\\servername\Company\Department
0
 
LVL 21

Expert Comment

by:yo_bee
Here is my example for you:

Share out the Company folder
Give Read & List rights only to the Department folder
Give rights to the user or group to the Sub-department folder

[Screenshots: rights2, rights1, rights3, rights4]
0
 

Author Comment

by:jskfan
How did you block the Marketing group from seeing the HR folder under Department?
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 150 total points
Making sure that Access Base Emulation was enabled: please follow the link I posted for how to make sure that this is enabled on the share.

[Screenshot: rights5]
Once enabled, whatever security you apply to the folder HR or Market will dictate who sees it.

Please also follow my screenshots, as they highlight the settings I applied.
0
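
The layout this thread arrives at (access-based enumeration on the Company share, read and list on Department for Authenticated Users, Modify on each subfolder for its own group only), as an added PowerShell example that is not from any poster in the thread. It assumes the SmbShare cmdlets of Windows Server 2012 or later, the path C:\Company\Department, and a placeholder domain name EXAMPLE.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Assumptions: the share 'Company' already exists at C:\Company (as in the question),
# the SmbShare cmdlets are present (Server 2012+), and EXAMPLE is a placeholder domain.
$Share   = 'Company'
$Dept    = 'C:\Company\Department'
$Domain  = 'EXAMPLE'                                   # placeholder NetBIOS domain name
$Folders = @{ Marketing = 'Marketing'; Sales = 'Sales' }   # subfolder -> AD group
$Admins  = 'BUILTIN\Administrators:(OI)(CI)F', 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

function Invoke-Icacls {
    # Wrapper so a failed ACL change stops the script instead of being ignored.
    param([string]$Path, [string[]]$IcaclsArgs)
    & icacls.exe $Path @IcaclsArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path (exit $LASTEXITCODE)" }
}

# 1. Access-based enumeration: entries the caller cannot read are left out of listings.
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force

# 2. Department: Authenticated Users get read/list/traverse on this folder only.
#    No (OI)(CI) flags, so the ACE does not flow down to Marketing or Sales.
Invoke-Icacls $Dept (@('/inheritance:r', '/grant:r') + $Admins +
    'NT AUTHORITY\Authenticated Users:(RX)')

# 3. Each subfolder: inheritance off, Modify for its own group, nothing for anyone else.
foreach ($name in $Folders.Keys) {
    $group = "${Domain}\$($Folders[$name])"
    Invoke-Icacls (Join-Path $Dept $name) (@('/inheritance:r', '/grant:r') + $Admins +
        "${group}:(OI)(CI)M")
}

# 4. Verify: the share mode, and per-folder inheritance state and trustees.
Get-SmbShare -Name $Share | Select-Object Name, Path, FolderEnumerationMode
Get-ChildItem $Dept -Directory | ForEach-Object {
    $acl = Get-Acl $_.FullName
    [pscustomobject]@{
        Folder      = $_.Name
        Inheritance = if ($acl.AreAccessRulesProtected) { 'disabled' } else { 'enabled' }
        Trustees    = ($acl.Access.IdentityReference.Value | Sort-Object -Unique) -join ', '
    }
}
```

The Administrators and SYSTEM entries are an addition so the folders stay manageable once inheritance is removed. As noted earlier in the thread, a user whose group membership changed after logon has to log off and back on before the new folder shows up.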
 

Author Closing Comment

by:jskfan
That did it..You are Genius Guys..
Thank you very much
0
 
LVL 21

Expert Comment

by:yo_bee
I get 150 points. Seems a bit unfair considering the effort and information I supplied.
0
 
LVL 6

Expert Comment

by:No More
Yo_bee I think it's unfair that you got any points, since I gave the solution to ABE with link, as first person
0
 
LVL 21

Expert Comment

by:yo_bee
Funny thing Dave before I saw any points I was going to make a suggestion that the asker of the question at least split the point with you and me.
0
