Hiding files/folder shares from users
-
I have a new staff member joining next week. We'd like to give him access to one particular share on the server. However when he browses the shares, I dont want any other files/folders to be visible (although he'll locked out via permissions). Is there a way we can ONLY let him see the share he needs and doesnt see anything else?
-
@joel said in Hiding files/folder shares from users:
I have a new staff member joining next week. We'd like to give him access to one particular share on the server. However when he browses the shares, I dont want any other files/folders to be visible (although he'll locked out via permissions). Is there a way we can ONLY let him see the share he needs and doesnt see anything else?
If your file server is on a Windows box (2008 and up), you can enable access based enumeration.
Instructions at this link are for 2012: http://blog.jocha.se/tech/enable-access-based-enumeration-in-windows-server-2012
-
Also take a look at your NTFS permissions.
-
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
-
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
-
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
If I understand the OP, that's what he's looking for.
-
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
I think you are correct, but the share permissions is for the entire drive mapping/UNC usage. The NTFS permissions are what actually determine the ABE settings and what the user sees.
-
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
I think you are correct, but the share permissions is for the entire drive mapping/UNC usage. The NTFS permissions are what actually determine the ABE settings and what the user sees.
This is correct. Share permissions are generally Everyone and NTFS are fine-tuned based on who needs what access. We set this up a couple of years ago and it has been very convenient for our users.
-
@zachary715 said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
I think you are correct, but the share permissions is for the entire drive mapping/UNC usage. The NTFS permissions are what actually determine the ABE settings and what the user sees.
This is correct. Share permissions are generally Everyone and NTFS are fine-tuned based on who needs what access. We set this up a couple of years ago and it has been very convenient for our users.
This is what we do as well. Works amazingly well for managing permissions.
-
This post is deleted! -
@zachary715 said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
I think you are correct, but the share permissions is for the entire drive mapping/UNC usage. The NTFS permissions are what actually determine the ABE settings and what the user sees.
This is correct. Share permissions are generally Everyone and NTFS are fine-tuned based on who needs what access. We set this up a couple of years ago and it has been very convenient for our users.
We also do the same thing too. And then we use role-based permissions to make managing permissions easier.
-
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
I think you are correct, but the share permissions is for the entire drive mapping/UNC usage. The NTFS permissions are what actually determine the ABE settings and what the user sees.
This is correct. Share permissions are generally Everyone and NTFS are fine-tuned based on who needs what access. We set this up a couple of years ago and it has been very convenient for our users.
We also do the same thing too. And then we use role-based permissions to make managing permissions easier.
Yes you definitely want to assign these permissions based on groups and not individual users everywhere possible. Put users into groups, assign NTFS based on those groups. Move users around, in, out, whatever and don't have to change too many permissions.
-
I do have it setup with NTFS permissions, users are added into groups but it doesnt seem to work.
For example.We have Data (E:)
Within E: we have the following paths
E:\Folder1 (group1 share permissions applied)
E:\Folder2 (group2 share permissions applied)
E:\Folder3 (group3 share permissions applied)
E:\Folder4 (group4 share permissions applied)We only want members of group4 to only see Folder4 when they browse to the server \appserver
We are using 2012r2 and ABE is enabled.Still no joy
-
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
-
I have ABE setup the same as you - on each folder share.
Our share permissions are specific in that only the Group has full control (and admin)E:\Folder1 (group1 AND domain admin has full control)
E:\Folder2 (group2 AND domain admin has full control)
E:\Folder3 (group3 AND domain admin has full control)
E:\Folder4 (group4 AND domain admin has full control)Does our server need a reboot perhaps for the permissions to kick in? Can I force them or should it happen immediately?
-
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to āThis folderā?
-
@joel said in Hiding files/folder shares from users:
I have ABE setup the same as you - on each folder share.
Our share permissions are specific in that only the Group has full control (and admin)E:\Folder1 (group1 AND domain admin has full control)
E:\Folder2 (group2 AND domain admin has full control)
E:\Folder3 (group3 AND domain admin has full control)
E:\Folder4 (group4 AND domain admin has full control)Does our server need a reboot perhaps for the permissions to kick in? Can I force them or should it happen immediately?
It sounds to me like you don't have that extra level above Folder 1, Folder 2, etc like I have so you're having to enable ABE on each individual folder. I'm honestly not sure if that's how it's supposed to work or if ABE applies to everything BENEATH the folder you enable it on.
For instance, you might need to actually just enable ABE on your E:\ drive, or insert a folder between E and your other folders (eg E:\SHARE\Folder 1, Folder 2, etc.). Not absolutely sure you need this, I just know it is how it works for us.
But yes try a reboot and see. I don't remember having to but it is Windows....
-
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to āThis folderā?
Since you quoted me I'm assuming this question was directed at me, but I'm not following exactly what you're asking.
-
@zachary715 said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to āThis folderā?
Since you quoted me I'm assuming this question was directed at me, but I'm not following exactly what you're asking.
On your Share1 and Share2 folder, do you have the Read Only Users permissions applied to "This folder only"? So that you can set the NTFS permissions on each of those subfolders who should be able to view and access those shares.
Because I think that could be the issue @Joel is having issue with.
-
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to āThis folderā?
Since you quoted me I'm assuming this question was directed at me, but I'm not following exactly what you're asking.
On your Share1 and Share2 folder, do you have the Read Only Users permissions applied to "This folder only"? So that you can set the NTFS permissions on each of those subfolders who should be able to view and access those shares.
Because I think that could be the issue @Joel is having issue with.
Oh yes I do. If @Joel has Domain/Users group set to Read-Only on all of his shares, then obviously it will not hide them as he expects it to. He'll need to remove this default NTFS permissions and explicitly set only those who actually need read or write permissions. Even if a user has read-only permissions, then clearly they will have access.
Most of the time I go to the underlying shares (D:\Share 1\IT Dept) and on the Security tab under Advanced, I'll say "Change Permissions..." and then uncheck the box that says "Include inheritable permissions from this object's parent". I'll then select to Copy the permissions so it leaves everything that was there and manually remove what I don't want.