# File & Folder Permissions on Network Share



## mdhall (Sep 15, 2008)

So I have scoured the internet but I cannot find what I am needing. Or at the least I am not sure of the technical terms to search for what I need. That left me with breaking down and asking for help.


Take a look at the folder structure below:

Root
||Folder 1
||||Folder a
||||||Folder b
||||||||Folder c
||||||||||Folder d
||Folder 2
||||Folder 2a
||Folder 3

Currently the user only has access to Folder 2 and Folder 3. They cannot even see Folder 1 because I have ABE (Access-Based Enumeration) enabled on this server share.

In this structure I want to give 'UserA' full access to 'Folder d' but not to anything above it. So if they go to the share they should only see the folders necessary to drill down to Folder d. How do I accomplish this? If I grant full read/write access to Folder d for UserA it does not show up in my folder list because I have not granted read access to the folders above. 
Do I have to go to each folder above and grant read only access for this user? If so this is not what I want. The folder in question could be several -- (9 or 10 +) -- levels deep. It would be cumbersome to have to add permissions on each level. On top of that, if I grant read-only access to Folder1 and Folder a the user will see everything and all folders contained in them. I do not want UserA to see anything else in Folder 1, Folder a, Folder b or Folder c. They should only have access to the contacts in Folder d. 

How would I go about making it so that if I grant full access to Folder d they can traverse the folders above in order to get to that point?

Hopefully that explains my predicament well enough. Please let me know if I am not clear in what I am wanting to achieve.

Thanks for your help!


----------



## mdhall (Sep 15, 2008)

Forgot to mention what the operating system on the server is if that makes a difference.

Windows Server 2008 R2 SP1
Its role is PDC running Active Directory.
DHCP, DNS, File Services and IIS installed and running. 

Workstations connecting to the server are XP and 7.

Thanks again for looking!


----------



## Rockn (Jul 29, 2001)

I am assuming that root is the root share.


----------



## mdhall (Sep 15, 2008)

Yes, you are correct.

The actual path on the server is "D:\FileServer" with the FileServer folder being mapped through Group Policy as the L:\ drive on the local users' computers.

So 'root' in my above example is actually the L:\ or D:\FileServer folder.


----------



## Rockn (Jul 29, 2001)

It would be easier to use security groups to do this. Remove inherited permissions from the root folder to any of its sub folders. Create the security group, add the members to that group that should have access to folder D, and add that security group to have full access or whatever access is necessary to folder D.


----------



## mdhall (Sep 15, 2008)

We do use security groups. I guess my question should've been applied in principle both to individual users and security groups. 

I will work on this a little bit more tomorrow. 

Evidently what I am missing is what you said about removing inherited permissions from the root folder to any of its sub folders. Is that something that I have to do at each folder that is under the root folder, or is it a one time change at the root?

Example:
root
||Folder A
||||Folder 1
||||Folder 2
||Folder B
||Folder C

So if I follow correctly I have to go to A, B and C and tell them not to inherit permissions from its parent and then tell A, B and C to send inheritable permissions down to its children 1 and 2? 

Thanks for your help so far!


----------



## Rockn (Jul 29, 2001)

If you remove inheritable permissions from the root you can tell it to cascade to any sub folders or you can do it at any level in the directory structure.


----------



## mdhall (Sep 15, 2008)

OK, I've been working on this all afternoon to no avail. 

I have removed inheritable permissions from the share root. So now the parent folder is each folder within the share root and the permissions from each will be inherited on down.

We are still having trouble getting it to where if I add full access to UserA 4 folders deep it will grant them permission to drill down through the folders necessary to get to that folder. The only way I've made it possible to get to level 4 in the folder structure is to grant read access to either add read-only access that inherits from the parent folder. But then the user can see all files and folders along the way as they go to level 4.

The only way that I can make it work the way I want is to go to each level and grant read-only access to the folders that they need to drill down through in order to get to level 4 or beyond. This would work but is painstaking as we could be dealing with 10+ levels of folders in dozens of directories. And then if we removed access to say level 5 we would have to go to levels 1, 2, 3, and 4 and remove access instead of just level 5.

I must be missing something simple in order to make this work. 

I appreciate the suggestions so far.


----------



## B-Ris (Nov 17, 2011)

Anyone have an answer to this? I am trying to do the same thing. Still haven't figured it out yet either.


----------



## mdhall (Sep 15, 2008)

I should include a note that I accidentally omitted. 

On our file server we are using Access-Based Enumeration so that a user will only see the folders that they have access to. If I remove ABE from the master share then all folders display and the user can browse to where they need to go. 

While this functions, it is not really the preferred solution. Even though the user can't get in to certain folders I don't like that they can see what folders are there. It may be confusing for some to see 30+ folders listed when they only have access to 2 or 3 of them.

So in summary...my problem is solved if I disable ABE but it remains an issue if ABE is enabled, which is the preferred method.

Any possible suggestions out there?


----------



## mvirata (Feb 17, 2011)

This is more of a work around but here's an idea.

Root
||Folder 1
||||Folder a
||||||Folder b
||||||||Folder c
||||||||||Folder d
||Folder 2
||||Folder 2a
||Folder 3

We use login scripts to map drives for our users. If a UserA needed access to folder d, then he would get a drive mapping to folder d as well as a drive mapping to Folder 2 and Folder 3. We do this also as a way to make things easier for the user. I don't know exactly how your environment is set but if you have a lot of folder d's then this workaround could be worse.


----------



## mdhall (Sep 15, 2008)

mvirata said:


> This is more of a work around but here's an idea.
> 
> We use login scripts to map drives for our users. If a UserA needed access to folder d, then he would get a drive mapping to folder d as well as a drive mapping to Folder 2 and Folder 3. We do this also as a way to make things easier for the user. I don't know exactly how your environment is set but if you have a lot of folder d's then this workaround could be worse.


This really wouldn't work for us because we are talking dozens of folders and hundreds of files. It would get really messy real quick. Especially considering we do have several folder d's that will be used. Thank you for the suggestion though!

The ultimate solution is real simple: convince the CEO and GM to restructure the folder system. There is no need to have 20+ folders on the main level. It should be by department at the root level and then break it down inside of those. Then we could easily use user groups to control things instead of going by each user.


----------



## mvirata (Feb 17, 2011)

Good luck with that! It's going to be tough, I've been in that situation many times myself. Think about using our idea once you do get it restructured. It's nice and simple, although you will have to manage more drive mappings via login scripts.

Alternatively, a true collaboration suite like SharePoint is the way to go. I switched from a company that was using SharePoint to one that doesn't and it's a major difference.


----------



## Courtneyc (Dec 7, 2003)

First of all, don't give full control to anyone unless they are a server administrator. The highest permission you ever want to give a user is modify. (Giving a user full control gives them the ability to remove you.)

Second, know the difference between NTFS permissions and Share permissions. In your case, give the user NTFS modify rights to folder D. Then, share that folder to that user with modify permission. When the user accesses the server, they will see \\server name\folder d. The D folder will appear as the top level folder and the user will not have the ability to go above that folder (provided you did not give them permissions to the above folder). In other words, shares allow a user to go directly to the folder needed without traversing your file system to get there. (This is why you have a Sharing Tab *and* a Security Tab.)

By the way, you are assigning permissions to groups and not users, right?


----------



## SoulCheese23 (Dec 17, 2011)

Courtneyc is right. You just need to understand the difference between Share and NTFS permissions and how you want to apply this - I'm pretty sure you have 2 options.

(Share permissions would always have to be modify at the root if you want to grant write access to Folder d.)

Root
||Folder 1
||||Folder a
||||||Folder b
||||||||Folder c
||||||||||Folder d
||Folder 2
||||Folder 2a
||Folder 3

Read access for NTFS from Folder 1 until Folder d where you can remove inheritable permissions and grant Modify access. You would then have to deny access via NTFS permissions to all of the contents in each sub folder until you got to Folder D. Which is nuts.

OR you can share out Folder D with its own permission based on whichever security group as well as NTFS permissions without having to worry about access to the higher folder structure.


----------

