Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NTFS Permissions across Parent/Sub-folders

Status
Not open for further replies.

spelk

IS-IT--Management
Oct 16, 2008
21
GB
We want a limited number of users to have full access to a sub-folder to the parent, but we don't want them to have any access to the parent folder, other than to see it and traverse it to the sub-folder.

eg.

PROJ
PROJ/Data
PROJ/Docs

We have a group with full access to PROJ
But we want another group to have only Full Access to PROJ/Docs and not to anything in PROJ/Data nor inside of PROJ itself.

I believe we have Access Based Enumeration installed on our W2003 server, and thus the limited group can't see the PROJ directory to traverse it!

The only way I can think of tackling this is to remove inheritance from the tree altogether and assign specific permissions at each sub-folder level. Giving the limited group read only rights on PROJ. But this doesn't get around the fact that they'll be able to see anything in PROJ!

If anyone has any other suggestions as to how to configure the NTFS Permissions for this scenario, I would love to hear them.

Thanks
 
After some experimentation, heres what I found

If I set the Limited group the following access at the parent folder PROJ

Traverse Folder/ Execute File
List Folder / Read Data
Read Attributes
Read Extended Attributes
Read Permissions

And make sure the scope only applies to the Folder Only

Then the users can see PROJ, can't see any files in it, nor the sub-folder Data, but can see the sub-folder Docs. And with Full Access set on Docs means they can see, read and edit files in that sub-folder.

However, if the nesting was deeper

PROJ\WORK\FILES\Docs

I'd have to set the above permissions to each subsequent sub-folder, scoped to Folder Only, prior to Docs to be able to gain access to the Docs folder and files.

I'm sure there has to be a better way to confer this. Anyone have any suggestions?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top