Access based enumeration for a mapped drive

    Question

  • Hello All

    I am trying to map a folder to all the domain users but I want users to not see all the folders inside (access-based enumeration).

    Here's my scenario:

    I basically want to map the parent folder and then individually set up new shares from the File & Storage Services (Server 2012) on all the sub-folders. In this way, every domain user would see the master folder mapped as drive Z and will be only able to see folders they have been given permission for.

    Is this feasible? I am getting a little confused on how to configure this. I have tried setting up both the master folder and the sub folder under shares but that didn't work or perhaps I am doing something wrong.

    Any help would be great!!

    Thanks

    Sajat

    Friday, February 15, 2013 9:05 PM

All replies

  • Hi Sajat,

    You only need to share the top-level folder. If you want to configure ABE on the shares, your NTFS permissions should be set accordingly. Your users should have list permissions on the top-level folder and then limit the permissions from there.

    I hope this helps.

    Regards,

    Stefan Hazenbroek


    MCSE:S,MCITP:EA,MCITP:EMA2007,MCITP:EMA2010

    • Proposed as answer by Grégory LUCAND Saturday, February 16, 2013 7:43 AM
    • Unproposed as answer by Sajat Jain Monday, February 18, 2013 4:16 PM
    Saturday, February 16, 2013 12:11 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Have a great day!

    Kevin

    TechNet Subscriber Support

    Monday, February 18, 2013 4:26 AM
  • Hello Stefan

    Sorry for the late response (weekend + company's 1st anniversary party).

    I followed your steps and gave the top-level folder list/read permissions. I have attached a screenshot of the same. Then within that folder I removed permissions for all and exclusively denied access to all Domain Admins (screenshot attached). Now I was hoping that ABE would kick in and will not show me that folder but it still does. It's not accessible but still it's listed.

    Am I doing something wrong?

    Regards

    Sajat Jain

    Image 1

    Image 2

    Monday, February 18, 2013 4:43 PM
  • Hi Sajat,

    No worries at all.

    Could you change the 'List Folder / Read Data' to 'This folder only' from 'This folder, subfolders and files'?

    Also, try to refrain from using Deny permissions. Just use regular 'Allow' permissions, but remove all others (i.e. just allow SYSTEM, Administrators and the specific AD group).

    Please let me know if this helps.

    Regards,

    Stefan Hazenbroek

    • Marked as answer by Sajat Jain Wednesday, February 20, 2013 1:45 PM
    Tuesday, February 19, 2013 9:39 PM
  • Thanks a lot Stefan!!
    Wednesday, February 20, 2013 1:46 PM
  • Hey Stefan

    I actually have a follow up question if you don't mind.

    Is it possible to have quotas set on certain folders inside that share?

    My scenario is that within that master share folder I want a common share folder and then individual user folders. I got the permissions and ABE part but now I was wondering if it's possible to set like a 5GB user folder quota? Also is there a way to create a template where every user gets 5GB of space in the same folder? I am assuming this won't be possible because from all I know quotas are set on folders and not on users but still I am hoping I don't know all.

    Really appreciate all the help.

    Regards

    Sajat Jain

    Wednesday, February 20, 2013 6:08 PM
  • Hey Stefan

    I am now stuck with a weird problem.

    I just realized that the proposed solution isn't working on other computers, not even for Domain Admins. Basically till now I was testing this out on the Hyper-V machines hosted on the same server. Also the machine that's sharing the files is also on a VM on the same server. However just now when I put the drive map policy in place and asked everyone to see if they can see the drive, nothing happened. I also asked them to manually try to connect to the share folder (\\machine-name\shares) but that asked for their credentials which it did not accept. It's not even accepting my credentials. How is this possible?

    Regards

    Sajat Jain

    Thursday, February 21, 2013 6:52 AM
  • Hi there,

    How are you trying to access it? Using the NetBIOS name or the FQDN? Also, how are your share permissions set up?

    On another note, regarding the quota question. Yes, this is possible. I have to say I haven't used it often, but the following article should be able to help you out: http://technet.microsoft.com/en-us/library/cc733029.aspx

    Regards,

    Stefan Hazenbroek

    Thursday, February 21, 2013 7:00 AM
  • Hey Stefan

    I have tried connecting it through the local IP address, by writing the machine name and by using machine-name.domain, but still all the time it asks for my password. Here are the links to the screenshots of my folder permissions, kindly advise.

    http://cloudchowk.com/pics/1.png

    http://cloudchowk.com/pics/2.png

    http://cloudchowk.com/pics/3.png

    http://cloudchowk.com/pics/4.png

    Regards

    Sajat Jain

    Thursday, February 21, 2013 7:15 AM
  • Got it!! There was a setting called "Encrypt Data Access" that I had enabled under Share Settings where the option to enable ABE lies. After turning it off, everything started working which is weird but I will look into it later.

    Regards

    Sajat Jain

    Thursday, February 21, 2013 1:44 PM
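
The layout the thread settles on (one ABE-enabled share on the parent, Allow-only NTFS permissions, list rights on the parent applied to "This folder only"), followed by a check of the share's encryption setting, written as an added example that is not from any poster in this thread. The path, share name, domain and group names are hypothetical placeholders, and `(RX)` with no inheritance flags is used as a this-folder-only grant that includes List Folder / Read Data.

```powershell
# Added example; every name below is a hypothetical placeholder.
$Root      = 'D:\Shares'      # parent folder, mapped to users as Z:
$ShareName = 'Shares'
$Domain    = 'CONTOSO'        # placeholder domain name
$Folders   = @{               # subfolder -> AD group allowed to see it
    'Finance' = 'GG-Finance'
    'HR'      = 'GG-HR'
}

# 1. Share only the parent folder and enable access-based enumeration on it.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root `
        -FolderEnumerationMode AccessBased `
        -ChangeAccess "$Domain\Domain Users" `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 2. Parent NTFS ACL: remove inherited entries, then Allow-only ACEs.
#    SYSTEM and Administrators inherit downward via (OI)(CI).
#    Domain Users get (RX) with no inheritance flags = "This folder only",
#    so they can list the parent but the ACE does not reach subfolders.
icacls $Root /inheritance:r /grant `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' `
    "$Domain\Domain Users:(RX)"

# 3. Each subfolder: add one Allow ACE for its group, no Deny entries.
#    ABE hides a subfolder from anyone who has no read access to it.
foreach ($name in $Folders.Keys) {
    $path = Join-Path $Root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant "$Domain\$($Folders[$name]):(OI)(CI)M"
}

# 4. Verify the share settings. EncryptData is the cmdlet-side name of the
#    "Encrypt data access" checkbox; when it is True, clients must speak
#    SMB 3.0, and older clients are refused while the server-wide
#    RejectUnencryptedAccess setting is True.
Get-SmbShare -Name $ShareName |
    Select-Object Name, FolderEnumerationMode, EncryptData
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess
```

Members of Administrators will still see every subfolder because of the inherited Full Control ACE, so test ABE with an ordinary user account that belongs to only one of the groups.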