Hiding files/folder shares from users
-
This post is deleted! -
@zachary715 said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
I think you are correct, but the share permissions is for the entire drive mapping/UNC usage. The NTFS permissions are what actually determine the ABE settings and what the user sees.
This is correct. Share permissions are generally Everyone and NTFS are fine-tuned based on who needs what access. We set this up a couple of years ago and it has been very convenient for our users.
We also do the same thing too. And then we use role-based permissions to make managing permissions easier.
-
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@dashrender said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
Also take a look at your NTFS permissions.
I thought ABE was based on NTFS permissions?
I believe its only for shares.
I think you are correct, but the share permissions is for the entire drive mapping/UNC usage. The NTFS permissions are what actually determine the ABE settings and what the user sees.
This is correct. Share permissions are generally Everyone and NTFS are fine-tuned based on who needs what access. We set this up a couple of years ago and it has been very convenient for our users.
We also do the same thing too. And then we use role-based permissions to make managing permissions easier.
Yes you definitely want to assign these permissions based on groups and not individual users everywhere possible. Put users into groups, assign NTFS based on those groups. Move users around, in, out, whatever and don't have to change too many permissions.
-
I do have it setup with NTFS permissions, users are added into groups but it doesnt seem to work.
For example.We have Data (E:)
Within E: we have the following paths
E:\Folder1 (group1 share permissions applied)
E:\Folder2 (group2 share permissions applied)
E:\Folder3 (group3 share permissions applied)
E:\Folder4 (group4 share permissions applied)We only want members of group4 to only see Folder4 when they browse to the server \appserver
We are using 2012r2 and ABE is enabled.Still no joy
-
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
-
I have ABE setup the same as you - on each folder share.
Our share permissions are specific in that only the Group has full control (and admin)E:\Folder1 (group1 AND domain admin has full control)
E:\Folder2 (group2 AND domain admin has full control)
E:\Folder3 (group3 AND domain admin has full control)
E:\Folder4 (group4 AND domain admin has full control)Does our server need a reboot perhaps for the permissions to kick in? Can I force them or should it happen immediately?
-
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to “This folder”?
-
@joel said in Hiding files/folder shares from users:
I have ABE setup the same as you - on each folder share.
Our share permissions are specific in that only the Group has full control (and admin)E:\Folder1 (group1 AND domain admin has full control)
E:\Folder2 (group2 AND domain admin has full control)
E:\Folder3 (group3 AND domain admin has full control)
E:\Folder4 (group4 AND domain admin has full control)Does our server need a reboot perhaps for the permissions to kick in? Can I force them or should it happen immediately?
It sounds to me like you don't have that extra level above Folder 1, Folder 2, etc like I have so you're having to enable ABE on each individual folder. I'm honestly not sure if that's how it's supposed to work or if ABE applies to everything BENEATH the folder you enable it on.
For instance, you might need to actually just enable ABE on your E:\ drive, or insert a folder between E and your other folders (eg E:\SHARE\Folder 1, Folder 2, etc.). Not absolutely sure you need this, I just know it is how it works for us.
But yes try a reboot and see. I don't remember having to but it is Windows....
-
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to “This folder”?
Since you quoted me I'm assuming this question was directed at me, but I'm not following exactly what you're asking.
-
@zachary715 said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to “This folder”?
Since you quoted me I'm assuming this question was directed at me, but I'm not following exactly what you're asking.
On your Share1 and Share2 folder, do you have the Read Only Users permissions applied to "This folder only"? So that you can set the NTFS permissions on each of those subfolders who should be able to view and access those shares.
Because I think that could be the issue @Joel is having issue with.
-
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to “This folder”?
Since you quoted me I'm assuming this question was directed at me, but I'm not following exactly what you're asking.
On your Share1 and Share2 folder, do you have the Read Only Users permissions applied to "This folder only"? So that you can set the NTFS permissions on each of those subfolders who should be able to view and access those shares.
Because I think that could be the issue @Joel is having issue with.
Oh yes I do. If @Joel has Domain/Users group set to Read-Only on all of his shares, then obviously it will not hide them as he expects it to. He'll need to remove this default NTFS permissions and explicitly set only those who actually need read or write permissions. Even if a user has read-only permissions, then clearly they will have access.
Most of the time I go to the underlying shares (D:\Share 1\IT Dept) and on the Security tab under Advanced, I'll say "Change Permissions..." and then uncheck the box that says "Include inheritable permissions from this object's parent". I'll then select to Copy the permissions so it leaves everything that was there and manually remove what I don't want.
-
Here's a decent guide from Spiceworks. He does it the same way I do with a top-level share that has ABE enabled and the folders are all underneath this with the appropriate NTFS permissions.
https://community.spiceworks.com/how_to/45158-configure-access-based-enumeration-server2012
In this scenario, you just map out the same top-level share to everyone's computer via UNC logon script or whatever your method. Then as users need to access something in that share (in your case Folder 1, Folder 2, Folder 3, Folder 4) they just open the top-level share and whatever they have access to they see.
For instance, create a "Data" folder underneath E:. Enable ABE on the Data folder and either disable inheritance here, or you can just disable inheritance on the subfolders as necessary. Then go into the subfolders (Folder 1, Folder 2, etc.) and set the appropriate NTFS permissions. Now everyone accesses their info via one shared folder "Data" but still see only what they need to see. Not a cluster of shares all over the place.
E:\Data\Folder 1
E:\Data\Folder 2
E:\Data\Folder 3
E:\Data\Folder 4When a user accesses E:\Data\ they'll be greeted with whichever folders they have permissions to.
-
@zachary715 better fact check ANY how-to from over there. A quick glance at the comments seems to imply that the how-to is not the easiest way to go at this, and simpler suggestions are offered. But I've never set this up personally... just reminding everyone how much bad info there is on SW.
-
@rojoloco said in Hiding files/folder shares from users:
@zachary715 better fact check ANY how-to from over there. A quick glance at the comments seems to imply that the how-to is not the easiest way to go at this, and simpler suggestions are offered. But I've never set this up personally... just reminding everyone how much bad info there is on SW.
I was hoping the instructions I gave in addition to the screenshots the SW How-To provided would help @Joel out in discovering his issue. I definitely do not intend for him to follow that How-To exactly.
-
@zachary715 said in Hiding files/folder shares from users:
@black3dynamite said in Hiding files/folder shares from users:
@zachary715 said in Hiding files/folder shares from users:
@joel There's a piece missing then. Are you applying ABE on each individual folder, or are you doing it at the top level?
We have it setup such as we have two shares...
D:\Share 1
D:\Share 2ABE is applied to both of these shares. Share permissions are Everyone - Full Control. NTFS is Admin - Full and Users - Read Only. We have run into issues where users accidentally moved a subfolder or added a file at this level. We're small enough that I can manage these so I set it to read-only so people can't accidentally delete a subfolder.
The majority of our users use D:\Share 1\Subfolder. So we might have for instance...
D:\Share 1\Accounting
D:\Share 1\Purchasing
D:\Share 1\Sales
D:\Share 1\IT DeptSo at this point, I'll go in and set the NTFS permissions on each of these subfolders for who should be able to view and access these shares. I'm only applying ABE on the shares themselves at the top level and then setting specific NTFS on the subfolders. So now when salespeople access the share, they only see D:\Share 1\Sales and nothing else.
Hopefully this helps.
Do you have users read only set to “This folder”?
Since you quoted me I'm assuming this question was directed at me, but I'm not following exactly what you're asking.
If everyone has read access to Folder1, then ABE won't make it disappear for anyone, because ABE sees that everyone has read, so they must be allowed to see the files.
-
I did follow the guide exactly and im still able to see the folders i dont want to see
I'm sure its something simple! -
@joel said in Hiding files/folder shares from users:
I did follow the guide exactly and im still able to see the folders i dont want to see
I'm sure its something simple!Are you using DFS Namespace?
-
@joel said in Hiding files/folder shares from users:
I did follow the guide exactly and im still able to see the folders i dont want to see
I'm sure its something simple!you willing to show us a snip of your folder structure? and a snip of the NTFS permissions of the top few folders?
-
I've just deleted everything so my E:\ directory so it's now empty...Willing to start right from the top...
Step1 - Create a folder called SHARED (E:\Shared) and then under properties > Share > Advanced sharing, will call it 'Shared' and give Everyone Full control.
Step2 - I'll then go to security tab > advanced and disable inheritance (converting to explicit objects) and then remove the local users accounts
Step3 - Whilst in advanced security, I'll add in a new principle (Domain Users) to 'this folder only' and apply advanced permissions (list folder/read data)
So far so good? Whats next as i think i go wrong from here!
Step 4 - Create the sub folders under E:\Shared
ie. E:\Shared\Folder1
E:\Shared\Folder2
E:\Shared\Folder3Note: I've created my security groups and put the relevant users in them already so they are on standby.
What permissions can/should I apply to each sub folder?
-
Let's assume you create a group called Folder1 and you want them to have full control.
You need to set the Security settings to Full Control to Folder 1 group and nothing else should be listed.
