My folder is located at D:\folder in a server. Inside the "folder", there are 2 subfolders called "one" and "two".

I would like to set the "one" folder to be read by user "A" only, and the "two" folder to be read by another user, "B", only.

However, when I make the "folder" a shared folder, I am forced to add somebody for permission. No matter whether it is "domain users" or "everyone", they have the "READ" permission, and they can read the content inside the "one" folder or the "two" folder.

How can I avoid this problem?

Update: The cause of this problem is that there was a "CREATOR OWNER" permission on the root folder.

DanEng
  • Use file system permissions. – Gerald Schneider Oct 30 '17 at 13:43
  • @GeraldSchneider Yes, I have already added the permission of the relevant user to each of the folders, but it seems the shared folder permission has overridden those permissions. Am I missing something? – DanEng Oct 30 '17 at 13:48
  • Share permissions don't replace/override filesystem permissions. They are just another permission layer above the file system. If you set permissions for a directory for only a specific user nobody else should be able to read it, even when they have permissions to read the share. – Gerald Schneider Oct 30 '17 at 13:55
  • @GeraldSchneider I understand what you mean. The weird thing is that domain users can indeed read the files inside the "one" or "two" folder! I will do more tests tomorrow, and get back to you soon. – DanEng Oct 30 '17 at 14:06
  • @GeraldSchneider I have found out the cause of this problem. There was a "CREATOR OWNER" permission on the root folder, and this permission gave anyone the ability to view the content of the files even though the filesystem permissions had been set! – DanEng Oct 31 '17 at 16:11

1 Answer

This is the most limited implementation:

  1. Share permissions: "Authenticated Users", Full
  2. Root folder: Disable inheritance, "Authenticated Users":Traverse folder / execute file
  3. Folder One: Disable inheritance, Group1:FULL
  4. Folder Two: Disable inheritance, Group2:FULL

Nobody will be able to view the share, but they will be able to directly access their shares.

GROUP 1:

PS C:\WINDOWS\system32> dir \\SERVER\share
dir : Access is denied

PS C:\WINDOWS\system32> dir \\SERVER\share\one
d-----       10/30/2017  11:24 AM                folder

PS C:\WINDOWS\system32> dir \\SERVER\share\two
dir : Access is denied

GROUP 2:

PS C:\WINDOWS\system32> dir \\SERVER\share
dir : Access is denied

PS C:\WINDOWS\system32> dir \\SERVER\share\one
dir : Access is denied

PS C:\WINDOWS\system32> dir \\SERVER\share\two
d-----       10/30/2017  11:25 AM                folder

Edited: Rewrote answer to provide most secure solution.

spacenomyous
  • Why should the root folder be shared by everyone FULL at the beginning? – DanEng Oct 30 '17 at 14:03
  • It's just an example, it shows even with the most permissive example, the subfolder perms will override. You can set it to whatever you want, as long as the root folder has "List Folders" *if* you want the users to see all the folders in the share. – spacenomyous Oct 30 '17 at 14:18
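
The four steps from the answer, scripted, followed by a check for stray ACEs such as the "CREATOR OWNER" entry mentioned in the question's update. This is an added example, not code from the answer or its author. `DOMAIN\Group1` and `DOMAIN\Group2` are placeholder group names, and keeping SYSTEM and Administrators at Full Control is an assumption added so the tree stays manageable after inheritance is disabled.

```powershell
# Added example: run elevated on the file server.
$root   = 'D:\folder'
$admins = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'   # assumption, not in the answer

function New-Ace([string]$Id, [string]$Rights, [string]$Inherit = 'ContainerInherit, ObjectInherit') {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Id, $Rights, $Inherit, 'None', 'Allow')
}

function Set-ExclusiveAcl([string]$Path, [object[]]$Aces) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # disable inheritance, discard inherited ACEs
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }   # discard explicit ACEs
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Reports every ACE under $Path whose trustee is not in $Allowed (compared by SID).
function Get-UnexpectedAce([string]$Path, [string[]]$Allowed) {
    $sid = [System.Security.Principal.SecurityIdentifier]
    $ok  = $Allowed | ForEach-Object { ([System.Security.Principal.NTAccount]$_).Translate($sid).Value }
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.IdentityReference.Translate($sid).Value -notin $ok) {
                [pscustomobject]@{ Path = $item.FullName; Identity = $ace.IdentityReference
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

$adminAces = $admins | ForEach-Object { New-Ace $_ 'FullControl' }

# Step 1: share permissions. If the share already exists, use Grant-SmbShareAccess instead.
New-SmbShare -Name 'share' -Path $root -FullAccess 'Authenticated Users'

# Step 2: root folder, traverse only, applied to this folder only (no listing, nothing inherited).
Set-ExclusiveAcl $root (@(New-Ace 'Authenticated Users' 'Traverse' 'None') + $adminAces)

# Steps 3 and 4: one group per subfolder.
Set-ExclusiveAcl "$root\one" (@(New-Ace 'DOMAIN\Group1' 'FullControl') + $adminAces)
Set-ExclusiveAcl "$root\two" (@(New-Ace 'DOMAIN\Group2' 'FullControl') + $adminAces)

# Verify: any row returned is a trustee that should not be there (for example CREATOR OWNER).
Get-UnexpectedAce "$root\one" ($admins + 'DOMAIN\Group1')
Get-UnexpectedAce "$root\two" ($admins + 'DOMAIN\Group2')
```

Explicit ACEs set directly on files or folders deeper in the tree are not rewritten by `Set-ExclusiveAcl`; the final two calls are what surface them.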