I have a Windows server and so far shared a folder D:\AAA as "ShareRW" with full share permissions ("Everyone - Full") and some stricter NTFS permissions as required on and below that folder; for example, UserX has full access to D:\AAA\BBB, read access to D:\AAA\CCC and cannot even see D:\AAA\DDD (because it has inheritance disabled and explicit rights only to other users). I checked on the server that the effective rights of UserX are indeed as desired.

Now I wanted to add the option to "mount -r" the same content and therefore created a second share with a different name "ShareRO" on the same folder and with only "Everyone - Read" permissions (and of course with the same old NTFS permissions).

Now my UserX does both NET USE W: \\server\ShareRW and NET USE R: \\server\ShareRO. I expected R: to look the same as W:, except that writing/changing is not allowed. But reality begged to differ:

  • The user can change stuff in W:\BBB, they can read stuff in W:\CCC, and they do not even see that W:\DDD exists
  • The user can read stuff in R:\BBB, they can read stuff in R:\CCC, but they see that R:\DDD exists and some metadata (size, creation date) though they cannot open it.

What am I doing wrong here?

Hagen von Eitzen

1 Answer

You are missing the setting "Enable access-based enumeration" in the second share's properties. It's a per-share setting.

See that as an example;

yagmoth555
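Because access-based enumeration is stored per share, two shares on the same folder can disagree, which is the situation in the question. The following PowerShell is an added example, not part of the original answer: it flags folders published through several shares with differing enumeration modes. `Find-AbeMismatch` is a hypothetical helper name, and the sample objects are constructed (their enumeration modes are assumed to match the behaviour described in the question).

```powershell
# Added example (not from the original post).
# Find folders that are shared more than once with different
# access-based enumeration (ABE) settings.
function Find-AbeMismatch {
    param([Parameter(Mandatory)][object[]]$Share)

    $Share |
        Where-Object { $_.Path } |      # skip pathless shares such as IPC$
        Group-Object { $_.Path.TrimEnd('\').ToLowerInvariant() } |
        ForEach-Object {
            # Distinct enumeration modes used by the shares on this folder
            $modes = @($_.Group |
                ForEach-Object { "$($_.FolderEnumerationMode)" } |
                Sort-Object -Unique)

            if ($_.Count -gt 1 -and $modes.Count -gt 1) {
                foreach ($s in $_.Group) {
                    [pscustomobject]@{
                        Path                  = $s.Path
                        Name                  = $s.Name
                        FolderEnumerationMode = "$($s.FolderEnumerationMode)"
                        NeedsFix              = "$($s.FolderEnumerationMode)" -ne 'AccessBased'
                    }
                }
            }
        }
}

# Constructed sample using the share names from the question.
# The modes are assumed: ShareRW hides D:\AAA\DDD, ShareRO lists it.
$sample = @(
    [pscustomobject]@{ Name = 'ShareRW'; Path = 'D:\AAA'; FolderEnumerationMode = 'AccessBased' }
    [pscustomobject]@{ Name = 'ShareRO'; Path = 'D:\AAA'; FolderEnumerationMode = 'Unrestricted' }
)
Find-AbeMismatch -Share $sample | Format-Table -AutoSize

# On the file server itself (SmbShare module, elevated prompt):
#   Find-AbeMismatch -Share (Get-SmbShare -Special $false)
#   Set-SmbShare -Name 'ShareRO' -FolderEnumerationMode AccessBased -Force
```

`Set-SmbShare -FolderEnumerationMode AccessBased` is the command-line equivalent of ticking "Enable access-based enumeration" in the share's properties.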