restricting a sub folder inside the folder to a couple of users

  • Question

  • Hi guys. I have a departmental share that I need to restrict access to a couple of users. I have created a group in Active Directory, and on the file server I removed the inheritance and gave access only to the group. But when the users try to access it they can't see the folder. What am I maybe missing? Please assist.
    • Moved by Santosh Bhandarkar Monday, May 27, 2013 11:42 AM Moved from Directory Services forum
    Monday, May 27, 2013 11:33 AM

Answers

  • Hi,

    Generally speaking, you should:

    1. Make sure users have permission to access (Read permission) the parent folder of the subfolder. For example, if a shared folder is named \\server\share and you are going to share \\server\share\subfolder with a specific user group, make sure they have at least Read permission on the "share" folder.

    2. For \\server\share\subfolder, set Everyone - Full Control in the Share permissions, and give the specific user at least Read permission. As a test, you could first give them Full Control just to see if they can access the subfolder.


    TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.

    Wednesday, May 29, 2013 2:16 PM

All replies

  • Hi.

    Remember that if you add a user to a group, that user won't have that group until he gets a new Kerberos ticket. The easy way: ask the user to reboot his computer (new ticket at logon). =)

    Could you dump the rights on the folders with icacls?
    icacls \\server\share\folder
    icacls \\server\share\folder\subfolder



    Oscar Virot

    Monday, May 27, 2013 12:10 PM
  • If I just need to give access without using ICACLS how do I go about it? I am still using Active Directory Server 2003 and I'm using Active Directory groups to assign permissions to
    Monday, May 27, 2013 1:04 PM
  • Well. You should just be able to remove inheritance and then grant the new group rights on that folder.

    Have you asked a user to reboot?

    I was asking for an icacls dump so I could see how you have set up the rights right now.


    Oscar Virot

    Monday, May 27, 2013 1:06 PM
  • I have removed permission inheritance from the parent and went into the subfolder and then gave access only to a group, but then the users in question called saying they can't access the subfolder; they can't even see it. But I hadn't changed anything on the share permissions. When I log into the file server, the files have like a key on them.
    Monday, May 27, 2013 1:33 PM
  • If you run the two commands I said earlier we will be able to see exactly which rights have been delegated and help you faster.

    If they can't see the folder, do you have Access Based Enumeration enabled on that share?


    Oscar Virot

    Monday, May 27, 2013 1:39 PM
  • Guys, sorry for responding late. I have been busy with a DR Active Directory server that crashed. That issue has still not been resolved. The main folder is called servername\\esibaya, which is shared, and the share name is isibaya. Everyone in the department has access to this folder; it is the main folder. All the subfolders are sitting under it. Then there is a subfolder called minutes that has folders inside that are only supposed to be accessed by two users in the department. What I did is I went into the minute subfolder, right-clicked on it, went to Properties, and on the Sharing button I shared it and gave the whole group Read permissions. Then I went into Security, and under Advanced I unticked include inheritable permission from the object's parent and ticked replace all child object with inheritable permissions from this object. But the user says she cannot see the folder under the Minutes folder; it looks empty. What am I doing wrong here?
    Wednesday, June 5, 2013 9:31 AM
  • It sounds like her permissions are set to "this folder only".  Change it to "this folder and all sub-folders".
    Wednesday, June 5, 2013 8:29 PM
  • To be honest, it is set to apply to this folder, subfolders and files. I really don't know why they are hidden.
    Thursday, June 6, 2013 12:53 PM
  • This is what I would do:

    - first, just as one other person recommended, always set the share permissions to FULL.  I use Authenticated Users, but you can use Everyone.  Don't try to control folder security at the share level.  You'll only create problems for yourself.  Always set it to FULL.

    - At the \\esibaya level, set the NTFS security to Modify or Full (your preference) for the users/groups that can see all the way down into the sub-folder structure.

    - for the users with limited access, at the \\esibaya level, give them:  Traverse folder, List Folder, Read attributes, Read extended attributes and Read Permissions.  Set it to This folder and Sub-folders.

    - at that point the restricted two users should be able to see all folder levels

    - in the Minutes folder, go to Security Tab> Advanced > Change Permissions button > uncheck include Inheritable Permissions and then choose Add.  Then remove users that are not supposed to have access to that.  And change for the two that can, from Traverse to Modify, and set it to This folder and Sub-folders.

    Thursday, June 6, 2013 2:23 PM
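
The NTFS layout described in the last reply, written as icacls commands run from PowerShell on the file server. This is an added example, not code from any poster in the thread. The local path and both group names are placeholders, and `/inheritance:d` assumes an icacls build that supports that switch.

```powershell
# Placeholders (assumptions, not values from the thread): adjust before use.
$Root    = 'D:\Shares\esibaya'        # assumed local path behind the share
$Minutes = Join-Path $Root 'Minutes'
$Full    = 'EXAMPLE\Dept-Full'        # hypothetical group: sees the whole tree
$Limited = 'EXAMPLE\Minutes-Users'    # hypothetical group: the two restricted users

# Keep a copy of the current ACLs for review before changing anything.
icacls $Root    | Out-File (Join-Path $env:TEMP 'esibaya-acl-before.txt')
icacls $Minutes | Out-File (Join-Path $env:TEMP 'minutes-acl-before.txt')

# Share permissions stay at Full Control, as advised in the thread;
# everything below is NTFS only.

# Root: Modify for the full-access group, applied to this folder,
# subfolders and files.
icacls $Root /grant "${Full}:(OI)(CI)M"

# Root: list/traverse only for the restricted group, "This folder and subfolders".
# X = traverse, RD = list folder, RA/REA = read (extended) attributes,
# RC = read permissions.
icacls $Root /grant "${Limited}:(CI)(X,RD,RA,REA,RC)"

# Minutes: stop inheriting. ':d' copies the inherited entries as explicit
# ones, so nobody is locked out halfway through the change.
icacls $Minutes /inheritance:d

# Minutes: remove the group that must not get in, then replace the restricted
# group's copied list-only entry with Modify. (OI)(CI) also covers files,
# matching the "this folder, subfolders and files" scope the asker used.
icacls $Minutes /remove:g $Full
icacls $Minutes /grant:r "${Limited}:(OI)(CI)M"

# Verify: dump both ACLs, the same output requested earlier in the thread.
icacls $Root
icacls $Minutes

# On the user's workstation after a fresh logon, confirm the new group is
# in the access token (the Kerberos ticket point raised earlier):
#   whoami /groups | Select-String 'Minutes-Users'
```

If folders under Minutes already have inheritance switched off, the new entries will not reach them; run `icacls` against those paths to check.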