4

Firstly apologies if some of my terminology is off, I'm pretty new to Windows networking and Active Directory.

We're running a Windows Server 2008R2 fileserver and I've been tasked with restructuring one of our network shares. The share by default is to be accessible by all authenticated users, with a few folders (e.g. \\share\manager_1, \\share\manager_2) to be restricted to just certain people (manager_1 and manager_2). I also want those folders to not be visible to users who do not have access to them - Access Based Enumeration has worked wonders for this. So far so good.

Now the issue arises when a manager wishes to create a sub-folder within their own folder (\\share\manager_1\sub_folder_1) and share this folder with another user. We've given the managers the ability to set their own permissions on folders within the manager's own folder, so manager_1 can give user_1 access to \\share\manager_1\sub_folder_1, HOWEVER in this scenario:

  1. user_1 cannot navigate down the share directory tree to \\share\manager_1\sub_folder_1 because the 'list folders' permission isn't automatically granted for them on \\share\manager_1 - so Access Based Enumeration hides the manager_1 folder from them.

  2. Even with the 'traverse folders' permission user_1 cannot directly go to the \\share\manager_1\sub_folder_1 UNC path, ABE takes precedence over 'traverse folders'.

Really I want a way to get ABE working but with 'reverse permission' propagation of the 'list folders' permission - such that in the above scenario, user_1 would be able to drill down the directory tree to sub_folder_1 BUT not be able to see any of the contents of the manager_1 folder (bar obviously sub_folder_1 itself).

Having spent a good few hours trying to work out how to do this my understanding is there is a feature called 'Dynamic Inheritance' in Novell's equivalent to Active Directory that does exactly this. Is there any way I can achieve this in a Windows based environment?

Any help much appreciated.

SamErde
lankyfish
  • The short answer to your question about "dynamic reverse inheritance" is no. Would you be willing to accept any compromise as an answer? – SamErde Jul 08 '16 at 17:24
  • That is a shame, but yes I certainly would like to hear about a compromise answer please. – lankyfish Jul 08 '16 at 17:49

1 Answer

2

I recently was and still am in your shoes.

You don't only need the list folder permission.

You will need:

  • Traverse Folder
  • List Folder
  • Read attributes
  • Read extended attributes
  • Read permissions

see here.

Unfortunately there is no Windows equivalent to the functionality that Novell offers.

Additionally, letting users manage permissions is not a good idea for several reasons.

First, it will be an auditing nightmare. Neither you nor the manager will be able to trace and know who has access to which directory.

Second, at the end of the day your IT/help desk will have to support the managers in troubleshooting some borked ACL/ACE.

In our org we create for each folder 3 permissive groups via PowerShell script and add them to the folder ACL. We then add users who need access to those resources to the respective AD groups to grant access.

Maybe the following link (my thread on the same topic) gives you some inspiration.

Fileserver and ABE

humble.adm1n
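As an added example (not code from the thread, the question's poster or the answerer): a PowerShell script that does what the answer describes, creating three AD groups per folder and adding them to the folder's ACL, with the "Traverse" group carrying exactly the five rights the answer lists, applied to "this folder only". It also does by hand the "reverse propagation" the question asks for: whoever is granted Read on a folder is put into the Traverse group of every ancestor folder between it and the share root, so they can drill down to it while ABE still hides everything else in those ancestors. The group naming convention, the OU, the share root layout and the use of the ActiveDirectory module are assumptions; adjust them to your environment.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Group prefix, OU and paths are assumptions.
param(
    [Parameter(Mandatory)][string]$FolderPath,   # e.g. D:\Shares\share\manager_1\sub_folder_1
    [Parameter(Mandatory)][string]$ShareRoot,    # e.g. D:\Shares\share (the ABE-enabled share)
    [string]$GroupOU     = 'OU=FileServer,OU=Groups,DC=example,DC=com',   # assumed OU
    [string]$GroupPrefix = 'FS',                                          # assumed naming prefix
    [string[]]$GrantReadTo = @()                 # sAMAccountNames to give Read on $FolderPath
)

Import-Module ActiveDirectory
$FSR  = [System.Security.AccessControl.FileSystemRights]
$root = $ShareRoot.TrimEnd('\')
if (-not $FolderPath.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
    throw "$FolderPath is not below the share root $root"
}

# The five rights from the answer: Traverse Folder (ExecuteFile), List Folder (ListDirectory),
# Read attributes, Read extended attributes, Read permissions.
$traverseRights = $FSR::ExecuteFile -bor $FSR::ListDirectory -bor $FSR::ReadAttributes -bor
                  $FSR::ReadExtendedAttributes -bor $FSR::ReadPermissions

function Get-GroupBaseName([string]$Path) {
    # D:\Shares\share\manager_1\sub_folder_1 -> FS-manager_1-sub_folder_1 (assumed convention;
    # keep total length under the 64-character sAMAccountName limit for deep trees)
    $rel = $Path.Substring($root.Length).Trim('\') -replace '\\', '-'
    return "$GroupPrefix-$rel"
}

function Get-OrCreateGroup([string]$Name) {
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security `
                         -Path $GroupOU -PassThru
    }
    return $g
}

function Add-GroupAce([string]$Path, $Group, $Rights, [bool]$Inherit) {
    # Use the SID rather than the name so a group created seconds ago resolves
    # even before it has replicated to every domain controller.
    $sid   = [System.Security.Principal.SecurityIdentifier]$Group.SID
    $flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }   # None = "this folder only"
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
                 $sid, $Rights,
                 [System.Security.AccessControl.InheritanceFlags]$flags,
                 [System.Security.AccessControl.PropagationFlags]::None,
                 [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)    # merges with an identical existing ACE, so re-runs are safe
    Set-Acl -Path $Path -AclObject $acl
}

function Set-FolderGroups([string]$Path) {
    # Three groups per folder, as in the answer: Modify and Read inherit downwards,
    # Traverse is "this folder only" so ABE keeps hiding siblings the user cannot read.
    $base     = Get-GroupBaseName -Path $Path
    $modify   = Get-OrCreateGroup -Name "$base-Modify"
    $read     = Get-OrCreateGroup -Name "$base-Read"
    $traverse = Get-OrCreateGroup -Name "$base-Traverse"
    Add-GroupAce -Path $Path -Group $modify   -Rights ($FSR::Modify)         -Inherit $true
    Add-GroupAce -Path $Path -Group $read     -Rights ($FSR::ReadAndExecute) -Inherit $true
    Add-GroupAce -Path $Path -Group $traverse -Rights $traverseRights        -Inherit $false
    return @{ Modify = $modify; Read = $read; Traverse = $traverse }
}

# 1. Groups and ACEs on the target folder.
$target = Set-FolderGroups -Path $FolderPath

# 2. Groups and a "this folder only" traverse ACE on every ancestor below the share root.
$ancestorTraverse = @()
$p = Split-Path -Path $FolderPath -Parent
while ($p.TrimEnd('\').Length -gt $root.Length) {
    $ancestorTraverse += (Set-FolderGroups -Path $p).Traverse
    $p = Split-Path -Path $p -Parent
}

# 3. Manual "reverse propagation": Read on the target implies Traverse on each ancestor.
if ($GrantReadTo.Count -gt 0) {
    Add-ADGroupMember -Identity $target.Read -Members $GrantReadTo
    foreach ($g in $ancestorTraverse) {
        Add-ADGroupMember -Identity $g -Members $GrantReadTo
    }
}
```

Run on the file server as, for instance, `.\New-FolderGroups.ps1 -FolderPath 'D:\Shares\share\manager_1\sub_folder_1' -ShareRoot 'D:\Shares\share' -GrantReadTo user_1` (script name and paths assumed). After user_1 logs on again (the new group memberships only appear in a fresh token), ABE shows them \\share\manager_1 and, inside it, only sub_folder_1: the Traverse ACE on manager_1 lists the folder but does not inherit, so other files and sub-folders there stay hidden. Because access is granted only through the per-folder groups, "who can see what" is answered by listing group membership rather than by auditing hand-edited ACLs, which is the point the answer makes.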