none
Create shared folder with access to specific users RRS feed

  • Question

  • My company uses windows server 2012 without active directory. On the server's C drive we have a folder named "Shared Space". Inside this folder there are various subfolders for different departments, e.g Marketing Folder, Management folder, Procurement folder etc. 

    We want users to be able to access all folders except some folders, like "Management folder". If they try to access it then we want the system to ask a username and password. What is the simplest way to achieve this?
     

    Tuesday, September 24, 2019 2:04 PM

Answers

  • And we can not make it work.

    No one can help you if you do not tell us the details of what specifically "does not work". 

    Your reply is hard to read. Please edit it and remove the HTML markup.

    You need to tell us more about the user accounts and the share and folder permissions.  For starters, I do not recommend creating a share with spaces in the name. It's easier for users if you call it "SharedSpace" or "SharedData" or just "Data". 

    Since you are not using Active Directory, then you need to define local accounts with the same name and  password on both the server and on the workstation where the user logs in. Have you set up the accounts that way?

    What share permission have you defined? Open an admin command prompt and run the net share command. Copy and paste the results. Here is an example where I query the Utils share on my test VM.

    C:\WINDOWS\system32>net share utils
    Share name        Utils
    Path              C:\Utils
    Remark
    Maximum users     No limit
    Users
    Caching           Manual caching of documents
    Permission        Everyone, FULL

    The command completed successfully.

    Next we need to examine the permissions the folder. My Utils share points to C:\Utils.

    C:\WINDOWS\system32>icacls C:\utils
    C:\utils BUILTIN\Users:(OI)(CI)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)
             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
    Successfully processed 1 files; Failed processing 0 files

    To verify that your clients can connect to the server, open a Powershell window on a client. Run these 2 commands. Replace 'test10b' with your server name.


    PS C:\> Test-NetConnection -ComputerName test10b -CommonTCPPort smb
    ComputerName     : test10b
    RemoteAddress    : 192.168.1.7
    RemotePort       : 445
    InterfaceAlias   : Wi-Fi
    SourceAddress    : 192.168.1.2
    TcpTestSucceeded : True

    PS C:\> net view test10b   
    Shared resources at test10b

    Share name     Type  Used as  Comment
    -------------------------------------------------------------------------------
    AdvancedShare  Disk
    SimpleShare    Disk
    Snafu          Disk
    Utils          Disk
    The command completed successfully.


    • Edited by MotoX80 Wednesday, October 16, 2019 5:03 PM
    • Marked as answer by dfalireas Sunday, October 27, 2019 6:08 PM
    Wednesday, October 16, 2019 4:55 PM

All replies

  • Hi,

    Thanks for your question.

    Yes, you could do this implementation as you want. We could share the parent folder “Shared Space” to everyone. then “disable inheritance” for the subfolders. Then we can share the subfolder to specific users and group.

    Since we didn’t include AD, simply share to local users and group who use credentials to access.

    We can refer to the following docs,

    How To Share Files and Folders over a Network for Workgroups

    https://support.microsoft.com/en-sg/help/323420/how-to-share-files-folders-over-a-network-for-workgroups-in-windows

    How to Give Permissions to a Shared Drive

    https://www.techwalla.com/articles/how-to-give-permissions-to-a-shared-drive

    How to manage shared folder permissions

    https://help.dropbox.com/files-folders/share/set-folder-permissions

    Hope above information can help you.

    Highly appreciate your effort and time. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, September 25, 2019 2:43 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, September 26, 2019 8:39 AM
    Moderator
  • Michael hi,

    thank you for your prompt and excellent reply. Unfortunately I am out of the office and I was not able to put your instructions to use, yet. I will do so the coming Wednesday, 2 October.

    Best regards,
    Dionisis

    Thursday, September 26, 2019 1:41 PM
  • Hi,

    How are things going on?

    Please feel free to let me know if you need further assistance.

    Best regards,

    Michael


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, October 8, 2019 10:39 AM
    Moderator
  • Michael hi again,

    and please <g class="gr_ gr_21 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="21" id="21">fogrive</g> my delayed answer. We are facing the following problem <g class="gr_ gr_24 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="24" id="24">in</g> the solution you proposed.  The solution works INSIDE the server. For example, when a user is logged on to the server, he can create a folder and restrict access as you say. Then, if another user logs in the server then he will be prompted to enter credentials.

    But that is not exactly what we want. We want the users to be allowed (or denied access) when they try to access the shared folder from their LAN <g class="gr_ gr_23 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="23" id="23">PC's</g>. And we can not make it work. Although we followed the instructions, we have not managed this to work. We will keep trying to achieve this, however, please advise us, in case you can.

    I can give you access to with <g class="gr_ gr_20 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" data-gr-id="20" id="20">anydesk</g>, in case you want to help us any further, or please advise further -if possible- on the issue. As I said, we can not make it work.

    Best regards,

    Dionisis Falireas
    Friday, October 11, 2019 2:24 PM
  • Michael hi,

    whenever it is possible please respond to my latest email

    Best regards,

    Dionisis Falireas
    Wednesday, October 16, 2019 12:59 PM
  • And we can not make it work.

    No one can help you if you do not tell us the details of what specifically "does not work". 

    Your reply is hard to read. Please edit it and remove the HTML markup.

    You need to tell us more about the user accounts and the share and folder permissions.  For starters, I do not recommend creating a share with spaces in the name. It's easier for users if you call it "SharedSpace" or "SharedData" or just "Data". 

    Since you are not using Active Directory, then you need to define local accounts with the same name and  password on both the server and on the workstation where the user logs in. Have you set up the accounts that way?

    What share permission have you defined? Open an admin command prompt and run the net share command. Copy and paste the results. Here is an example where I query the Utils share on my test VM.

    C:\WINDOWS\system32>net share utils
    Share name        Utils
    Path              C:\Utils
    Remark
    Maximum users     No limit
    Users
    Caching           Manual caching of documents
    Permission        Everyone, FULL

    The command completed successfully.

    Next we need to examine the permissions the folder. My Utils share points to C:\Utils.

    C:\WINDOWS\system32>icacls C:\utils
    C:\utils BUILTIN\Users:(OI)(CI)(F)
             BUILTIN\Administrators:(I)(OI)(CI)(F)
             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
             BUILTIN\Users:(I)(OI)(CI)(RX)
             NT AUTHORITY\Authenticated Users:(I)(M)
             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
    Successfully processed 1 files; Failed processing 0 files

    To verify that your clients can connect to the server, open a Powershell window on a client. Run these 2 commands. Replace 'test10b' with your server name.


    PS C:\> Test-NetConnection -ComputerName test10b -CommonTCPPort smb
    ComputerName     : test10b
    RemoteAddress    : 192.168.1.7
    RemotePort       : 445
    InterfaceAlias   : Wi-Fi
    SourceAddress    : 192.168.1.2
    TcpTestSucceeded : True

    PS C:\> net view test10b   
    Shared resources at test10b

    Share name     Type  Used as  Comment
    -------------------------------------------------------------------------------
    AdvancedShare  Disk
    SimpleShare    Disk
    Snafu          Disk
    Utils          Disk
    The command completed successfully.


    • Edited by MotoX80 Wednesday, October 16, 2019 5:03 PM
    • Marked as answer by dfalireas Sunday, October 27, 2019 6:08 PM
    Wednesday, October 16, 2019 4:55 PM
  • Hi MotoX80,

    thank you very much for your excellent reply. We have managed to accomplish what we want, because of your reply. The key point that we were missing was that the accounts that should exist on the server MUST necessarily have the same password as on the client Pc's. No matter how many articles we have read in the past, no one had mentioned this. 

    So we have managed to achieve our goal, that couldn't be done, without Michael's and your contribution. As this was a Critical task for us, I would like to thank you once more for taking some of your time to reply to us! 

    Best regards, 

    Dionisis Falireas

    Monday, October 21, 2019 10:19 AM
  • Hi everyone,

    as I have written on my previous reply, everything worked fine for us, after your explanations. However, we are facing a strange problem with only one of the PC's and I am wondering if you can help. One specific PC lets name it for convenience “Test PC”, for some reason can’t view a shared folder that it is shared to it from the server.

    This PC is set up like all the rest, and while all the rest can see the shared folders, this PC can not. We have used exactly the same procedure to set up the shared folders like in any other PC's. It has the same local user administrator name and same local administrator name in server. We ping the server from the Test PC and everything works fine. We shared the folder to Test PC and the PC next to it because they are connected in the same switch and the PC next to it, can view the folder. perfectly.

    Do you have any idea what could cause the problem?

    Best regards,

    Dionisis Falireas

    Tuesday, November 26, 2019 11:25 AM
  • Accessing file shares seems to be a common problem on this forum. I am trying to develop a Powershell script to help users. You can try it and see if it helps you. Run it on both of those machines and see if produces different output.

    Copy and paste it from https://social.technet.microsoft.com/Forums/en-US/f540d1fa-cd72-403c-a746-300ac1dad036/unc-path-not-able-to-access-but-able-to-rdp?forum=winserverfiles 

    Tuesday, November 26, 2019 1:35 PM
  • Hi MotoX80,

    Thank you for your reply. I did what you said and the result was this:

    Found {0} files/folders in admin$ share." -f $files.count
    SmbTest.ps1 Version 1.2
    Running on GRAMMATEIA-2 as user grammateia-2\grammateia-2
    You are running Powershell in administrator mode.
    You are a member of the administrators group.
    Please enter the name of the target machine.: GRAMMATEIA 2
    FQDN =
    Analyzing network adapters
    Found - Wi-Fi - Dell Wireless 1705 802.11b/g/n (2.4GHZ)
    Wi-Fi status is Disconnected
    Found - Ethernet - Realtek PCIe GBE Family Controller
      IP Address is 172.16.10.132, Gateway is 172.16.10.1
      Gateway Ping successful
    This computer's domain is GRAMMATEIA-2
    Doing name lookup on target system GRAMMATEIA 2
    Name lookup failed!!!!
    Please enter the IP address of the target system.: 172.16.10.132
    I will attempt to continue using the IP address in place of the computer name.
    Now lets look at the target IP.
    Target computer's domain is GRAMMATEIA-2
    Domains match, this is good.
    Your DNS Search Suffix list does not contain GRAMMATEIA-2
    This is a problem and should be fixed!!!!!!!
    Testing SMB access...
    SMB test was successful.
    Looking for shares...
    Net view ran.
    I found these shares.
    There are no entries in the list.

    Testing admin shares
    Found 14 files/folders in c$ share.
    Found 103 files/folders in admin$ share.

    ---------

    The PC "Grammateia 2" is the "Test PC" from my previous answer. the one with the problem.

    Please advise

    Best regards,

    Dionisis Falireas

    Thursday, December 5, 2019 3:22 PM

  • Running on GRAMMATEIA-2 as user grammateia-2\grammateia-2
    You are running Powershell in administrator mode.
    You are a member of the administrators group.
    Please enter the name of the target machine.: GRAMMATEIA 2

    s

    You're running on the machine named GRAMMATEIA-2  (GRAMMATEIA dash 2) and you are testing GRAMMATEIA 2 (GRAMMATEIA space 2)????? Do you really have a space in the name? I did not think that was possible. If it is possible, I highly recommend NOT doing that. 

    The target machine should be the server that GRAMMATEIA-2 is not able to access. 

    Thursday, December 5, 2019 4:40 PM
  • Thank you MotoX80,

    The problem was that I created an administrator in the server with the name Grammateia 2, and the user in the PC was Grammateia 2, but the root user (C:/Users/) of the PC was Grammateia-2.

    Thanks again for your time

    Best Regards

    Dionisis Falireas

    Friday, December 6, 2019 4:10 PM