I want to know how to provide a user with exclusive access to a folder, but not other folders. The folder root is located here:

DC1\\UserFolders\%username%

I use a GPO to map that user's folder. But the problem is that it only maps if the user has access to the root folder. The problem with that is, they can get nosy and navigate to other users' folders.

I am looking for help with a script that would allow me to make that user's folder exclusive to that person only, and make it impossible to see other folders.

Below is what I have tried (added to the startup script):

icacls D:\UserFolder /inheritance:d
icacls D:\UserFolder\%username% /grant "%username%":(m)

But it doesn't seem to do anything. What am I doing wrong, and is there a better script to run for this?

billsecond

1 Answer

There are two ways I can think of to tackle this:

  1. Granting the Authenticated Users group (or any other group of which all the users are members) the "Traverse Folder" NTFS permission on the parent folder only, making sure to disable permissions inheritance on the child folders and then enabling Access Based Enumeration on the Share. Make sure to grant the appropriate NTFS permissions to each child folder for each respective user.

  2. Granting the users the appropriate NTFS permissions to their folder only and removing all NTFS permissions for Authenticated Users (or any other group of which all the users are members) from the parent folder. The built-in "bypass traverse checking" user right will allow the drive to be mapped for the user, but the user will otherwise have no permissions on the parent folder or any of the child folders.

joeqwerty
  • How do I accomplish this from a script? – billsecond Jan 30 '17 at 15:56
  • Hello, thank you for your help. I followed your directions and also googled for more related to what you're saying to get step by step, and here is what also helped: https://social.technet.microsoft.com/Forums/windows/en-US/cb8ceb41-22af-4509-821a-746af7669b33/create-a-user-home-directory-using-group-policy-server-2008?forum=winserverGP – billsecond Jan 30 '17 at 18:59
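
One way to script the first approach from the answer (traverse-only on the parent, inheritance disabled on each child, Access Based Enumeration on the share), added here as an example and not code from the original thread. It is meant to be run once on the file server from an elevated session rather than from a client startup script, which runs as the computer account and not as the user. The share name `UserFolders`, the domain `CONTOSO` and the user list are assumptions to replace with real values; `D:\UserFolder` is the path from the question.

```powershell
# Added example. Assumed values: share name, domain and the sample user list.
$Root   = 'D:\UserFolder'     # local path on the file server (from the question)
$Share  = 'UserFolders'       # assumed SMB share name
$Domain = 'CONTOSO'           # placeholder domain
$Users  = 'alice', 'bob'      # constructed sample accounts
$All    = 'ContainerInherit,ObjectInherit'   # this folder, subfolders and files

# Build one Allow ACE. $Inherit = 'None' means "this folder only".
function New-Rule($Identity, $Rights, $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, 'None', 'Allow')
}

# Build a protected (non-inheriting) DACL that always keeps admin and SYSTEM access,
# so the folders stay manageable after the broad groups are removed.
function New-ProtectedAcl {
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # block inheritance, keep nothing inherited
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' $All))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $All))
    return $acl
}

# Parent: Authenticated Users may pass through it but cannot list or read it.
$parentAcl = New-ProtectedAcl
$parentAcl.AddAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' 'Traverse' 'None'))
Set-Acl -Path $Root -AclObject $parentAcl

# Children: each folder is readable and writable by its own user only.
foreach ($u in $Users) {
    $path = Join-Path $Root $u
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $childAcl = New-ProtectedAcl
    $childAcl.AddAccessRule((New-Rule "$Domain\$u" 'Modify' $All))
    Set-Acl -Path $path -AclObject $childAcl
}

# Hide folders the caller has no rights to when the share is browsed.
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force

# Verification: print the resulting ACLs for review.
icacls $Root
foreach ($u in $Users) { icacls (Join-Path $Root $u) }
```

In the `icacls` output, the parent should show Authenticated Users with a single non-inherited execute/traverse entry, and each child should list only Administrators, SYSTEM and its owner.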