Restrict access to a nested shared folder in Server 2008R2 file share

Question

Server 2008 R2 VM as a member server set up as a file server.

Situation: We have a contractor that needs read access to a nested folder in a shared directory in a domain environment. How do I go about allowing that user access to files in a share directory while removing traverse rights?

Why do you want to remove traverse directory rights? If they don't have list contents or read, it doesn't matter... — MDMarra, Feb 05 '14 at 03:17

score 4 · Answer 1 · answered Feb 05 '14 at 06:14

If you want to give access to a subfolder of shared directory, you have two options.

At a minimum, give traverse folder / execute file permissions to the root of the share and all parent folders of the subfolder you wish to grant access to.
- If you wish, you can deny (or not grant) the list folder / read data permissions to other subfolders in the share.
  - We do this for our redirected user My Documents folders, so every user can access \\DFSroot\Users\, but can only see or access \\DFSroot\Users\[their username]\. The value of prohibiting people from even seeing the other folders is questionable, IMO, but it's not that much extra work either.
Create a new share in the subfolder, grant the desired permissions and access it through that new share.

If you really want to deny traverse folder / execute file permissions higher up in the directory tree, you have to use option #2. I would argue that #2 is probably the better option in general, because it's more visible and therefore, more likely to get cleaned up after the fact than a group of ACLs that aren't displayed unless you go looking.

You can do this without Deny by making the traverse ACE for "This folder only" — MDMarra, Feb 05 '14 at 12:23

Restrict access to a nested shared folder in Server 2008R2 file share

1 Answers1