How to make sure a user or group can't view a folder 1

[Raziel014]

Hi! I have a root share where all the users store their homefolders. Now, I wan't SOME users to have access to some of the folder, but I don't want the users to be able to even see the folder they don't have access to.

This can be done in Novell, but how can you do it in 2003 Server?

 

[Teknoratti]

You can append the share name with a $ sign at the end and create a group with the people you want to have access, then assign them permissions appropriately.

 

[Raziel014]

But putting a $ at the end of the folder name would hide the folders right? So you're saying that if all folders are hidden and I log on with a user with access to the folder ,then the folders should appear? I'll try this now!

 

[Raziel014]

Nope, didn't work. I couldn't even get the folders to be hidden by using the $!
It IS SHARE NAME you're talking about right? Like if I have a folder that's already shared and right-click it and type an $ behind the last letter in the share, the folder should be hidden. But it wasn't. I even tried to log on with my own user after having blocked all access to the folder to my user. I couldn't open the folder. But I did see it. Even if "show hidden files and folders" were off.

 

[ntinlin]

This should be doable with standard NTFS if I recall correctly. Just make sure the list folders contents attribute isn't allowed at the top level. Then they should only see the folders they have access to.

Neill

 

[Raziel014]

Yeah, it doesn't work. You see, have this structure of the folders:

There's a root folder called "public". This folder's got two other folders called "employees" and "students"

We just tried all this. My partner's got access to most of the folders. His username's got full control over the folders.
When I removed the list folder contents from his group while he was in the "students" folder, it all dissapeared. Although he's got full control over the folders.

But I noticed that the "list folder" attribute actually is called "list folder / read data"

So this seems to mean that removing this removes both the visibility of the folder AND the reading of them. Which I don't want.

 

[Teknoratti]

Raziel014,

If they have access to the folder they will be able to see it. Appending the $ sign at the end of a share name prevents it from being seen in a browse list.

 

[Raziel014]

But the main problem is that the users home folder aren't shares. Only the root folder where these folders are stored is a share.

Can I put the $ in the end of any folder? Cause I can't even get this to work.

 

[ntinlin]

Will need to think further Raziel.

You could do as Teknoratti is suggesting but at a lower level.

For instance my users have their home share mapped to \\server\user$ with appropriate permissions.

Where user$ path is \\server\e$\users\username

Thus they wouldn't see any folders but their own since they are going in at the root of a share.

If you as an admin want to see all folders you could share \\server\e$\users as users$ which would not appear in their browse list as teknoratti says.

Obviously this is a lot more work to set up initially but I made up a batch file in the NT days which still works to do it for me when I add a new user. It creates folder, sets perms, makes share and updates AD profile to point to new home share.

Only non-standard bit of it is a little util that can change the profile to use U: rather than H: as home drive.

Neill

 

[Teknoratti]

Lets start again.

You have a root folder called "Public" where users store their home folders. This "Public" folder contains two additional folders called "Employees", and "Students"

The "Public" folder which is the parent folder is a share, but no child folders are shares. They have NTFS permissions set on them, correct?

And you want users to see only the folders they have access to, correct?

 

[Teknoratti]

I'm trying to re-create the scenario.

First I blocked Inheritance from the top. I started with the permissions on the root share "Public"

I set the share permission to include everyone read permissions. that way everyone can at least read the folder contents. But thats where it gets tricky, b/c you want a user only to see their particular folder once they go inside the "Public" folder, am I right.

See where it gets interesting? With the read permission comes the ability to see the contents of the folder. You cant have one without the other. Unless if you dont specify the everyone group in the share permissions, then set NTFS permissions on the folder, then in which case I think the effective permissions between the two apply, so if thats the case then the users wont be able to get in.

This is actually good excercise.

 

[wcburton]

The only product I know of that allows you to hide folders from being seen like you could in Novell is WinCloak from scriptlogic.com. You license it on a per server basis. It works well - I use it.

I am not sure why you want users to be able to see home folders other than their own. But if you really need to, then WinCloak is the way to go.

 

[Teknoratti]

wcburton,

Im sure you mean, you're not sure why you want users to not be able to see home folders other than their own.

 

[Daveyd123]

Access Based Enumeration

http://www.microsoft.com/downloads/...D9-78D9-4342-A485-B030AC442084&displaylang=en

 

[Raziel014]

Yeah! Access Based Enumeration works! Much better than setting NTFS permissions which I don't like at all. But this fixed it!

So the reason I wanted this is that the teachers here at the school want permissions to read their students folders. So I mapped the root folder to their group with a script. But when they clicked on the mapped folder, they got all the students folders listed (which are a lot of folders)

With this, everything is great!

 

[wcburton]

daveyd123-

Thanks for the link! I will add that to my toolbox for sure.

 

[Daveyd123]

No problem. I use it on my Network and love it.