How to set up share and NTFS permissions to allow folder listing only but with full access to a specific folder?
I want to grant User X full access permissions to a specific folder on a network share.
The structure is as follows:
Server
Drive C
Folder Shared -> this is a hidden share and accessible via \\Server\Shared$
Folder A
Folder B
File 1
Folder C
Folder D -> User X needs full access permissions here
The requirements are
1. Shared$ should be read only
2. User X should be able to navigate in the folder structure
3. User X should have full permissions to files and folders in Folder D
4. other files like File 1 should not be visible / readable / executable
What would be the correct setup of share and NTFS permissions to meet these requirements?
Content-ID: 295787
Url: https://administrator.de/contentid/295787
Hi.
The share permissions must be at minimum Change or FullAccess for UserX or a group he is in; otherwise UserX will never be able to change anything, even in the folder where he has FullAccess in the ACLs.
2. User X should be able to navigate in the folder structure
In the ACLs, assign him, or better a group, list and read access to the root of the tree and subfolders (in the propagation field, choose that this right is only inherited by folders and subfolders, not files).
3. User X should have full permissions to files and folders in Folder D
Assign him, or better a group, full access to Folder D (subfolders and files).
4. other files like File 1 should not be visible / readable / executable
Now enable Access Based Enumeration for the share, and he can navigate to his folder but cannot see files until he reaches Folder D.
But always remember that it is always best practice to assign rights to groups and not to single users, otherwise you will end up in chaos soon. So best practice is to follow the AGDLP principle.
Regards,
jodel32
You need to tweak the permissions on the NTFS ACL side:
So here is my example step by step (sorry for the screenshots in German, but you should be able to reproduce it):
Share folder: C:\TESTSHARE has the following permissions (inheritance from top is disabled); users have only read access to folders and subfolders but not files:
In Folder D, add a group which has full access on subfolders and files and of which your user is a member.
Now enable Access Based Enumeration on the share.
Finished. The user can navigate to his folder but does not see any files in the folders until he accesses Folder D. Works as designed.
With ABE enabled, the users can only see the items they have access rights for.
Regards
jodel32
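The steps from this answer as a script, added here as an example and not part of the original thread. The group name `CONTOSO\DL_Shared_FolderD` and the nesting of Folder D under `C:\Shared` are assumptions; the well-known SIDs for Administrators and SYSTEM are used instead of names so it also runs on localized systems.

```powershell
# Added example. $group and the nesting in $folderD are assumptions; adjust to your tree.
$root    = 'C:\Shared'
$folderD = Join-Path $root 'Folder A\Folder B\Folder C\Folder D'
$group   = 'CONTOSO\DL_Shared_FolderD'   # hypothetical domain local group (AGDLP)
$share   = 'Shared$'                     # single quotes so the $ is not expanded

# Root: drop the ACEs inherited from C:\ and set explicit ones.
#   *S-1-5-32-544 = BUILTIN\Administrators, *S-1-5-18 = SYSTEM (kept, full control)
#   (CI) without (OI) = "this folder and subfolders", so files get no ACE for the group.
icacls $root /inheritance:r /grant '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' "${group}:(CI)(RX)"

# Folder D: full control for the group on this folder, subfolders and files.
icacls $folderD /grant "${group}:(OI)(CI)F"

# Share: Change (not Full Control) for the group, with Access Based Enumeration.
if (Get-SmbShare -Name $share -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $share -AccountName $group -AccessRight Change -Force
    Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force
} else {
    New-SmbShare -Name $share -Path $root -ChangeAccess $group -FolderEnumerationMode AccessBased
}

# Check 1: share-level result. Review any other entries that are still listed.
Get-SmbShare -Name $share | Select-Object Name, Path, FolderEnumerationMode
Get-SmbShareAccess -Name $share

# Check 2: files outside Folder D whose ACL still names the group (expected: none).
# This only looks at ACEs for $group; access through other groups is not detected.
Get-ChildItem $root -Recurse -File |
    Where-Object { $_.FullName -notlike "$folderD\*" } |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).Access.IdentityReference.Value -contains $group } |
    Select-Object -ExpandProperty FullName
```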
What is causing this?
This can be caused when you disable inheritance on Folder D and remove the Administrators group from the ACL.
Also very important: when you assign full access in Folder D, the user can change the ACL on his files and thus can remove the Admin from the ACL of the files, but only if he has "full access" in the share-level permissions! So if you don't want your users to change permissions, always use only "change" in the share-level permissions.
How do I add an attachment here? I don't have any options other than writing some text?!
You can upload images in your root posting if you edit it. Then you can copy the code and paste it anywhere in the comments. I know this is ugly, but it will be changed in future updates of the forum.
What might be causing this? I suspect the local group.
I suppose you forgot to log off the user; otherwise his security token does not reflect the group membership changes!
Maybe it cannot be used in connection with shares?
No, groups can be used, of course.
Never mind
For the sake of completeness, please mark the thread as solved. Thank you.
jodel