Folder permissions on 2008

I need some design help on a share setup.

I have a share at work with domain users having List folder read/data NTFS permissions. Below that are various subfolders that have domain local groups with NTFS permissions.
When you browse the share you can only see the folders to which you have access.
Example:
\\server\share\folder1 (if I am a member of the group I only see this folder)
\\server\share\folder2

I want to be able to give permissions one more level down, but still only have the users see the folder they have access to.
example: \\server\share\folder1\subfolder1
I don't want them to have access to subfolder2 or subfolder3

I gave the DLG of the sub group:
List folder read/data on Folder1
Read and Execute on subfolder1.

When logging on as a member of the subfolder group and typing \\server\share I don't see folder1. If I type the full UNC I do have access to folder1 and to drill to subfolder1.

What NTFS permission do I need to apply at the top or on folder1 to see it?

Comments

  • Claymoore Member Posts: 1,637
    There are two concepts with which you need to be familiar: Access-Based Enumeration and Bypass Traverse Checking.

    Managing Permissions for Shared Folders (Access Based Enumeration)
    Access-Based Enumeration in Windows Server
    Bypass traverse checking: Security Configuration Editor; Security Services

    You are already seeing Bypass Traverse Checking in action when you can drill down to the subfolders by typing in the full path even when you can't browse the folder above them. Access Based Enumeration was added in 2003 R2 but was around in Novell back in the 90s. This feature hides folders to which you do not have read access. It does not hide shares, only folders underneath them.

    I understand that you want to use a setup of \\server\share\folder\subfolderXX but I recommend you try \\server\share\subfolderXX instead. If you enable access based enumeration on the share, the users will only see the folders to which they have access. If you keep the folder\subfolder setup you have now, you will need to break permission inheritance on each subfolder to remove the read permission and still use ABE to prevent the users from seeing all the subfolders. If you break inheritance, managing the permissions will be a mess forever.

    User home drives are a great use for this setup, especially since defining the home drive in ADUC creates the folders and assigns permission to the user. You can use \\server\share$\user to hide everything or you can use \\server\share\user so the share is visible but ABE hides the other user folders.
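    An added PowerShell sketch (not code from the thread) of the two pieces Claymoore describes: turning on ABE for the share, and granting a group read on one subfolder while giving it only a non-inherited list/traverse entry on the parent, so it can browse in without reading sibling folders. It assumes the SmbShare cmdlets of Server 2012 and later (on 2008 ABE is toggled in Share and Storage Management); the share name, paths and group name are placeholders.

    ```powershell
    # Added example, not from the thread. Placeholder names: adjust to your environment.
    $ShareName = 'Groups'
    $ShareRoot = 'D:\Groups'
    $Parent    = Join-Path $ShareRoot 'FolderB'          # folder the data owner controls
    $Sub       = Join-Path $Parent    'Sub1'             # the one subfolder to expose
    $Group     = 'DOMAIN\DL_FolderB_Sub1_R'              # domain local group for read access

    # 1. Enable Access-Based Enumeration on the share (Server 2012+ cmdlet; on 2008 use
    #    Share and Storage Management). Users then only list folders they can read.
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

    # 2. Parent: Read & Execute on THIS FOLDER ONLY. With no (OI)/(CI) flags the ACE does
    #    not propagate, so the group can see and traverse FolderB but inherits nothing
    #    on Sub2, Sub3, etc. Nothing inherited means nothing to break later.
    icacls $Parent /grant "${Group}:RX"

    # 3. Subfolder: Read & Execute that does inherit to its files and child folders.
    icacls $Sub /grant "${Group}:(OI)(CI)RX"

    # 4. Verify: ABE mode on the share, and the resulting ACEs on parent and subfolder.
    Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
    icacls $Parent
    icacls $Sub
    ```

    Run it as an administrator on the file server; the `icacls` output should show the group once on FolderB without inheritance flags and on Sub1 with `(OI)(CI)`.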
  • it2b Member Posts: 117
    Claymoore wrote:
    I understand that you want to use a setup of \\server\share\folder\subfolderXX but I recommend you try \\server\share\subfolderXX instead.

    I think I understand what you're saying.

    Here's the situation. Our standard setup is \\server\Groups set up with folders A,B,C.

    The data owner of Folder B can only see her folder (ABE must be enabled), which is fine. She wants a group of users to have read access to 1 sub folder in folder B.

    How can I let them drill to that subfolder? Or if they are going to map a drive, will I just need to give them the full UNC path?