w2k hiding folders to users with no access

[Boydsta]

I am wanting to hide sub folders for people who do not have access etc, at the moment all I can work out is it lists the folder but does not let you in.
I do not want the denied people to be able to see that it exists at all.

cheers
Boyd
bbenton@trammellcrowsavills.com

 

[ntnet]

Share the folder ending with a dollar sign... as in users$
This will hide the folder from the network (including to you). You will have to map the folders as network drives for users to have access. S. Gagner
MIS
A+ MCP

 

[Guest_imported]

Mapping that many network folders is a big strain on your network. You don't want to do it that way.

 

[Giantmoon]

Try using group policies to control what the users can see/have access to.

 

[joeym]

Very easy. If you are using W2K active directory, great a group policy that sets permissions on the folder you wish to share. Then create an OU for the group you want to have access to the folder. Next drop the users with permissions to access the folder in that OU. When you create the policy be sure to select that you enable the option to hide the folder and deny options. That should work.

Joe M.
MCP, MCSA, MCSE

 

[Guest_imported]

I also need to hide folders to those people that don't have access to them.

joeym, I am not clear on how you set permissions on folders using group policy. Can you give a pointer to where I should look inside the group policy for this capability?

Thanks

Steve A.

 

[Guest_imported]

Ok, I figured out where to add the permissions, but none of the permission mention anything about hiding the folder.

Am I missing something obvious?

Steve A.

 

[Guest_imported]

Ok, I denied every permission to everyone, accept administrators, and still the folders are visible to general users.

Any additional help would be appreciated.

 

[Guest_imported]

Here is Microsoft Knowledgebase article Q303758

You Cannot Configure NTFS Permissions to Hide Files or Folders from Unauthorized Users

The information in this article applies to:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
Microsoft Windows NT Server 4.0
Microsoft Windows NT Workstation 4.0

Summary
Novell NetWare administrators can configure permissions so that users cannot see files or folders in the file system for which the users do not have Read access by removing the File Scan (F) permission. This type of access control is not supported by the NTFS file system. Therefore, users can view the contents of any folder for which the user has the List permission. Removing the List permission for the folder prevents the user from gaining access to any file in the folder.
More Information
Returning a list of files and folders based on file permissions would require a full access check on every object in the directory. In the Windows NT and Windows 2000 distributed security model, this would use up a lot of CPU cycles and service request time. If you had more than a certain number of objects and a very complex Access Control List (ACL) structure, the Server Message Block (SMB) request might time out.

The List Folder Contents permission may be useful because it allows users to list the contents of a folder without having permission to read the files. If you assign the Read Data permission on the contents of a folder without the List Folder Contents permission on the folder itself, users receive an "Access Denied" error message in Windows Explorer or at a command prompt. Windows Explorer and the command prompt attempt to gain access to the folder before gaining access to the files that are located in the folder.

Table 12.7 on page 657 of the "Internetworking Guide" in the Windows 2000 Resource Kit contains a comparison of NetWare permissions and NTFS permissions. This table compares the File Scan (F) permission to the List Folder Contents permission. The comparison in this table is inaccurate (as described in this article).

There are currently no plans to include this functionality in Windows.

 

[countludwig]

I have the same issue on my network, with my
boss hounding me to dump netware and move to w2k.
as far as I'm concerned, it's just business as usual
for micro$oft. their sh*t still stinks.
I'm looking at 300+ users plus about 60 to 80 user groups.
that translates to just about as many shares and "if then"
statements in a login script. They really have no business
being in the networking world.