
I have a domain running on a virtual Windows Server 2012 R2. Another virtual server hosts our file server. To that end I need a shared folder accessible by all domain users. No problem there. However, I would now like to restrict access to the subfolders, and if possible not list those folders if users do not have access to them. In those subfolders they are allowed to do anything they like.

Let me illustrate this: We have domain users Alice and Bob, shared folder Z: with subfolders K, L, M.

Alice has access to K and L.

Bob has access to L and M.

Both should be able to open Z. Alice sees folders K and L, whereas Bob sees folders L and M.

If Alice creates something in L, Bob can remove or modify it.

I have been messing around with share access, permissions and access-based enumeration, but so far no combination has got me close to what I need. Any suggestions are welcome. Thanks!

My biggest problem is probably:

How do you give everybody access to the shared folder, but restrict basically all permissions in that folder at the same time (except for viewing the subfolders they should have access to)?

Oxidator
  • Share permissions, NTFS permissions and ABE are all you need. If it's not working then you're not configuring them correctly. – joeqwerty Apr 30 '15 at 00:33
  • Can't argue with that – Oxidator Apr 30 '15 at 00:43
  • You'd need to set up correct group membership and give them the requisite access via file permissions so maybe Read access at the share level, then set the appropriate groups for the users so that they don't have Traverse folder/ list folder etc for the folders you don't want them to access. I'll normally set up some test user accounts, add to the groups and then validate via effective permissions or by testing by logging on as test user to confirm all is as it should be. – Enigman Apr 30 '15 at 01:04

1 Answer


My mistake was to let the default permissions be. I suspect the CREATOR OWNER entry might have been impeding my progress. If you instead get rid of all the inherited permissions, you will only end up with your current account's permission.

You can leave the share permissions as is (Everyone full access), because the effective permission is determined by the intersection of share and NTFS permissions.

Make sure that access-based enumeration is enabled so that only accessible files / folders are visible.

Then add the domain users such that they can read and execute.

All that is left to do is to add the appropriate permissions to the subfolders.

Note however that if you remote desktop into the file server and view the shared folder, all folders will be visible, though only those with permission can be accessed, due to the fact that the access-based enumeration only works on shared folders.

Oxidator
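One way to script the steps in the answer above, as an added example that is not from the original poster. It assumes the share root is D:\Shares\Z, the domain is CONTOSO, and three hypothetical groups Share-K, Share-L and Share-M hold the users allowed into each subfolder; run it as an administrator on the file server.

```powershell
# Added example, not the original poster's code. Assumed paths, domain and group names.
$root   = 'D:\Shares\Z'
$domain = 'CONTOSO'
$subfolders = @{
    'K' = "$domain\Share-K"   # Alice is a member
    'L' = "$domain\Share-L"   # Alice and Bob are members
    'M' = "$domain\Share-M"   # Bob is a member
}

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Root folder: add explicit ACEs first, then drop every inherited ACE. Removing
# inheritance is what gets rid of the CREATOR OWNER and Users entries the answer
# describes, leaving only what is granted here.
icacls $root /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $root /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
# Domain Users get Read & Execute on the root only: without (OI)(CI) the ACE is
# not inherited by the subfolders, and the root itself stays read-only for them.
icacls $root /grant "$domain\Domain Users:(RX)"
icacls $root /inheritance:r

# Subfolders: each group gets Modify, inherited by everything created inside,
# so members can change or delete each other's files (Bob can remove Alice's).
foreach ($name in $subfolders.Keys) {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant "$($subfolders[$name]):(OI)(CI)M"
}

# Share: Everyone Full Control (NTFS is the effective limit) with access-based
# enumeration enabled so SMB clients only see subfolders they can read. ABE does
# not apply when browsing the folder locally on the server, as the answer notes.
New-SmbShare -Name 'Z' -Path $root -FullAccess 'Everyone' -FolderEnumerationMode AccessBased

# Verify the resulting ACLs and the share setting.
icacls $root /t
Get-SmbShare -Name 'Z' | Select-Object Name, Path, FolderEnumerationMode
```

Check the result by logging on as a test user in each group, as Enigman suggests, or with Effective Access in the folder's Advanced Security Settings.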