
File System Permissions


  • File System Permissions


    This is a little bit of frustration speaking here, so please bear with me.

    I am used to Novell file system rights. When we converted to using Windows server it took a little bit of trial and error for me to figure out how to do the tasks in Windows that I was used to doing in Novell. I'm pretty sure I am now comfortable with blocking inheritance, assigning permissions, etc.

    The one problem I have is that even if I block inheritance to a file or folder, then assign rights on that file or folder, people who are not assigned rights to it can still see it - they just can't do anything with it. In Novell, if a person does not have rights to a file or folder they can not see it.

    For example, say I have a drive with 6 folders and one of the folders is called "HR" and is meant for the HR staff to store documents that they don't necessarily want others to see. In Novell I can set file system rights such that no one but the explicitly assigned HR group can see the folder. They can browse the drive to their heart's content but will never even see the folder called "HR". All they will see is a drive with 5 folders. In Windows I can block inheritance to this folder, but people can still see it. When they click on it they get a message that they don't have access to it - but they still see it.

    Is there any way in Windows to make it so that the folder (or file) can not be seen at all except by those with rights to it?


    Last edited by John Morgan; 15th January 2010, 18:10.

  • #2
    Re: File System Permissions


    My first question to you would be: is the drive that has the 6 folders (including the HR folder) inside of a shared workstation that multiple users log into, or is the drive that has the 6 folders inside of a file server that is accessed by the various users over the network?

    The solution to the problem would vary greatly depending on that.


    In regard to permission inheritance in Windows, my understanding of it is that it only applies to subfolders and files. In other words, let me illustrate with this example:

    Let's say I have a folder on the server. Let's call the server 'thehive', let's say it's C:\Sharedstuff, and inside of 'sharedstuff' there are multiple other files and folders, including the folder "Thomas".

    Now let's say I have set up C:\Sharedstuff as a network share, using the share name "sharedstuff".

    Users can access sharedstuff by mapping a network drive, or by going to Start -> Run -> \\thehive\sharedstuff

    If I went to the security permissions for sharedstuff, and set it to 'everyone' 'full control', then everyone on my network is going to have full access to everything inside of sharedstuff.

    If I go to the properties of "Thomas" and tell it not to inherit permissions, and set the permissions as disallowed for everyone, but read and write access only for the users "thomas" and "thomasfriend", then this directory is going to ignore any of the permissions set on its 'parent'. It will not inherit permissions.


    • #3
      Re: File System Permissions

      Thanks For Replying,

      It's on a file server, not a shared workstation. It's subordinate to a shared folder.

      So I have a folder called offices. Below this I have a folder called admin. Below this I have a folder called Netshare. This folder is shared as Netshare$. In our login scripts we map I: to the Netshare$ share. So everyone has an I: which is pointed to \\Server\Netshare$. In the netshare folder I have various folders created. Some of these are general folders that all users have access to. Some are folders that only certain users or groups have access to. On the ones that are restricted, I have blocked inheritance, and then granted full rights to certain groups. For example the HR folder has inheritance blocked. Then I assigned full rights to the HR group and the Domain Administrators group. So, theoretically only those users in the HR group or the Domain admin groups have rights to it. So what happens is that any user can go to the I: and see the HR folder. When they click into it they get an access denied message. So the security is working functionally. What I want is that if people do not have rights to the folder they should not even be able to see it. When they browse the I:, I want it so that they don't even SEE the HR folder.

      Is that possible?

      Again, thanks for the reply.


      • #4
        Re: File System Permissions

        Windows doesn't hide objects users have no rights to. If you want this, it's a relatively new feature since Server 2003 R2. Google Access Based Enumeration.


        • #5
          Re: File System Permissions


          I'll do that.
          Last edited by John Morgan; 15th January 2010, 19:17.
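
The Access Based Enumeration setting named in reply #4, applied to the `Netshare$` share from reply #3, as an added example that is not part of the original thread. It assumes Windows Server 2012 or later (the `SmbShare` module) and an elevated session on the file server; the local path to the HR folder is hypothetical, since the thread gives only the share and folder names.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ (SmbShare
# module) and an elevated PowerShell session on the file server.
$ShareName  = 'Netshare$'                       # share name from reply #3
$Restricted = 'D:\offices\admin\Netshare\HR'    # hypothetical local path

# 1. ABE only hides what NTFS already denies, so check the folder ACL first.
#    AreAccessRulesProtected is $true when inheritance has been blocked.
$acl = Get-Acl -LiteralPath $Restricted
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning "$Restricted still inherits ACEs from its parent folder."
}

# List every Allow entry; any group listed here will still see the folder.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# 2. Show the share's current enumeration mode (Unrestricted or AccessBased).
$share = Get-SmbShare -Name $ShareName
'{0}: FolderEnumerationMode = {1}' -f $share.Name, $share.FolderEnumerationMode

# 3. Turn on Access Based Enumeration if it is not already enabled.
if ($share.FolderEnumerationMode -ne 'AccessBased') {
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
}

# 4. Audit: list the remaining non-administrative shares that still show
#    every folder name to every user who can reach the share.
Get-SmbShare |
    Where-Object { -not $_.Special -and $_.FolderEnumerationMode -ne 'AccessBased' } |
    Select-Object Name, Path, FolderEnumerationMode
```

Access Based Enumeration filters listings only for access through the share; someone logged on locally to the server and browsing the disk still sees the folder name and is stopped by the NTFS permissions alone.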