ABE in 2008...help?

  • ABE in 2008...help?

    Hi all!

    I am in the process of migrating our file servers from NetWare to Server 2008, and I am very much wanting to take advantage of ABE.

    I have tried this every which way I can think of, with every possible combination of Share rights and NTFS rights...here's the two results I can get:

    1- regular Domain User can browse to the share remotely, and can see every single directory (and ALL sub-directories) on the share (but directories only, no files). He can only see files inside the 2 (out of 20) sub directories, as those are the only two he has explicit rights to.

    2- user can access the directory I have given him explicit access to. But, if he tries to browse to the share (or even access the directory from its parent directory) he gets "access denied". So, no browsing...either type the full path to the directory, or you don't get there.

    Neither one of these strikes me as the intended result of this feature...can someone please tell me what I could be doing wrong? I am starting to think there may be a problem on the file server, as the info I can find basically makes this sound like a piece of cake to implement.

    Thank you very much in advance.

  • #2
    Re: ABE in 2008...help?

    ok...update...

    I have now made it so my domain user can browse to the share, and only sees the one folder he should. That part seems to be working. I started over, made a new share, and followed the step-by-step here: (3/4 of the way down, posted by uk_network) http://forums.petri.com/showthread.p...&highlight=abe

    But now, if I go into a directory a few layers deep into the share, and then give the group this guy is in full control of a nested directory, he can't browse there.

    For instance...

    my share is \\fileservername\VOL2

    under there, we have groups\hr\docs\newhireforms


    I want to grant access to the supervisors group (which this guy is in) to the newhireforms directory, but NOT to the rest of the HR directory. How do I make it so my user can browse to the file server, and be able to navigate from the VOL2 share on down to this directory, without him seeing anything else on the way down but the explicit folder path he needs to get to the newhireforms?

    In NetWare, all I have to do is grant access to the directory (no matter if it is nested 200 layers deep in the share) to a group, and immediately users in that group can navigate there from the root of the volume (share). All they see is the path to the directory...nothing else.

    Again, any help is very appreciated.


    • #3
      Re: ABE in 2008...help?

      Share the new hire folder, and give specific rights to it (not inherited). That way he can browse right to it on the network and won't even see the folders above.


      • #4
        Re: ABE in 2008...help?

        Thanks for the reply!

        I am trying to do just that, and have, in fact, done just this (applied explicit rights to that folder, not inherited).

        And what I am experiencing so far is that you are 1/2 right...he cannot browse to it on the network precisely because you are correct in that he cannot see any folders above the one he has rights to.

        For instance...

        the UNC path to the folder he has rights to (on the Share 'VOL2') is:

        \\fileservername\VOL2\groups\hr\docs\newhireforms

        If he goes directly to this UNC path, he sees what he should. If he tries to browse to the location starting at the share root, he gets access denied. Even trying to go to:

        \\fileservername\VOL2\groups\hr\docs

        gives 'access denied'.

        Currently in NetWare, I have quite a few users who are in multiple groups, and they currently map to the root of the groups directory via login script and can see and access the multiple group directories from there (and can navigate as need be). Unless I can get this to work, I am going to have to re-map their drive mappings so they map to each individual group.


        • #5
          Re: ABE in 2008...help?

          You will notice that in addition to permissions there is also security that needs to be set. You will have to go to the root and allow "everyone" (or a specific group) the ability to list contents. This will enable them to drill down to the folder(s) they have access rights to.

          Night and day huh?


          • #6
            Re: ABE in 2008...help?

            Are the file (ntfs) and share permissions set correctly?
            Have you checked the ownership of the folders?
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"


            • #7
              Re: ABE in 2008...help?

              If I give the "list folder contents" rights to Auth Users, then he can see everything, whether he has rights or not.

              Here's how it is set now:

              VOL2 is the share. It is the SAN drive.

              Share permissions:
              Authenticated Users (Change, Read)
              Administrators (local machine group) (Full Control, Change, Read)

              NTFS permissions:
              Creator Owner (god rights in the special permissions)
              System (Full control)
              Administrators (local machine group) (full control)

              Now, I have found that I must add Authenticated users here, or I can't get to anything (even a direct UNC path to a folder my user has explicit rights to).

              I have tried it with (starting from top to bottom, one at a time, and with results listed):

              Traverse Folder / Execute File (get access denied, even to the full unc path)
              Read Permissions (same result as above)
              List Folder / Read Data (Now I can see everything!)


              I then went into one of the root folders and removed the inheritance, copied the rights down, then removed Authenticated Users there.

              Now I can get to the full UNC path, but no browsing to it (access denied if you try to get there via browsing or by partial path)

              Is there no middle ground in AD?


              • #8
                Re: ABE in 2008...help?

                Well there is nobody who has access based on NTFS permissions.
                You should add the users (better is to add groups) and give them rights on the NTFS permissions.
                You don't need Authenticated users over there.
                Self created groups (where the users are member of) should be enough.
                Marcel

                • #9
                  Re: ABE in 2008...help?

                  Originally posted by Dumber:
                  Well there is nobody who has access based on NTFS permissions.
                  You should add the users (better is to add groups) and give them rights on the NTFS permissions.
                  You don't need Authenticated users over there.
                  Self created groups (where the users are member of) should be enough.

                  As I said, I have given the user explicit rights to the folder in question.

                  Full control.

                  I have even tried it by adding him as an individual (as opposed to a group he is in, as I normally would) just in case Windows made a distinction.

                  If I take out the authenticated users on the NTFS permissions on the root of the share, he cannot get to the folder at all. Not even with the full UNC path. Once I do as I said in my last post (with authenticated users) he can get there only via UNC path. Either that, or he can see everything on the way to the one folder he has access to.


                  • #10
                    Re: ABE in 2008...help?

                    Well here is standing something else:

                    Share permissions:
                    Authenticated Users (Change, Read)
                    Administrators (local machine group) (Full Control, Change, Read)

                    NTFS permissions:
                    Creator Owner (god rights in the special permissions)
                    System (Full control)
                    Administrators (local machine group) (full control)
                    I don't see any user who has rights?
                    Marcel

                    • #11
                      Re: ABE in 2008...help?

                      Those are the permissions for the Share and NTFS when I go to the properties of the share (VOL2, the d:\ drive) in the Share and Storage Management and right-click on the share.

                      I have one share...VOL2.

                      Here's what I am trying to do...

                      my user is in a SG called 'supervisors'

                      I right click on the directory I need for him to be able to access (newhireforms) and add the SG supervisors, and (for this example) give them full rights.

                      the full unc path is \\fileservername\VOL2\groups\hr\docs\newhireforms

                      If I log in as myself (the admin) I can see all the files on the server share (as I should). Here is what it looks like physically:

                      Vol2 has several directories (users, groups, etc...)
                      hr has several directories and files (dozens)
                      docs has several directories, including the one I want my user to see (newhireforms)

                      When he types in \\servername, I want him to see nothing but groups at the root. When he clicks through, he should see nothing but the hr directory inside of groups. Then, he should only see docs inside hr, then he should only see newhireforms inside docs. Of course, he needs to be able to see everything inside newhireforms.

                      Is AD simply not intelligent enough to understand he needs to be able to traverse the path to get to the directory he has rights to?

                      Or am I missing something?


                      • #12
                        Re: ABE in 2008...help?

                        Oh, and thank you for your assistance...I really do appreciate it, though I may come across as grumpy. I am just feeling frustrated trying to make these file shares function properly.


                        • #13
                          Re: ABE in 2008...help?

                          So map a drive! Setup an HR group and add a mapping to the newhire folder to the login script, voila! Then they don't have to network browse.

                          List folder contents only allows top level view, allowing them to drill down. They can't get into folders they don't have specific rights to.


                          • #14
                            Re: ABE in 2008...help?

                            Originally posted by Debbie:
                            So map a drive! Setup an HR group and add a mapping to the newhire folder to the login script, voila! Then they don't have to network browse.

                            Therein lies the problem...

                            If this was a one-user issue, I would do so. This is simply an example. I have hundreds of users and about 100 or so groups to migrate here. Many users have multiple group memberships.

                            I want them to be able to network browse. Some of these groups (and even some specific people) have rights to files and folders that are scattered all over (we're talking stuff going back 10+ years). I really would rather let them access the files the way they are accustomed to, as it makes it easier for them (familiarity) and it keeps me from having to double, or triple their mapped drives.

                            I realize I could completely redesign the structure of the network files to suit the (so far) apparent limitations of AD. I also realize I could just go from having the average user map 5 or 6 network drives to having them map 10 or 12. But, considering the AD login script already takes 3 times as long to run (compared to the NetWare one), I am not really excited about the prospect of adding to it.

                            I am trying to make AD work like a real directory instead. Hopeless cause?
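
An added example, not part of the thread and not posted by any participant: one way to get the browse-down behavior asked about in posts #2 through #14 is to give the group Read & Execute on each folder between the share root and the target, scoped to "This folder only", so ABE shows just the path. The drive letter, domain name and group name are assumptions, and the script only reports unless run with `-Apply`.

```powershell
# Added example. Hypothetical defaults: D:\ is the folder shared as VOL2 and
# CONTOSO\supervisors is the group. ABE must already be enabled on the share.
param(
    [string]$ShareRoot = 'D:\',
    [string]$Target    = 'D:\groups\hr\docs\newhireforms',
    [string]$Group     = 'CONTOSO\supervisors',
    [switch]$Apply     # without -Apply the script only reports
)

$root = (Get-Item -Path $ShareRoot).FullName.TrimEnd('\')
$leaf = Get-Item -Path $Target
if (-not $leaf.FullName.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "$Target is not below $ShareRoot"
}

# Collect every folder between the share root and the target's parent.
$ancestors = @()
for ($d = $leaf.Parent; $d -and $d.FullName.TrimEnd('\').Length -ge $root.Length; $d = $d.Parent) {
    $ancestors += $d.FullName
}

# Read & Execute = traverse + list + read attributes/permissions.
$rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

foreach ($path in $ancestors) {
    $acl = Get-Acl -Path $path

    # An inheritable read/list ACE for a broad principal makes every subfolder
    # readable, so ABE has nothing to hide (the "can see everything" outcome).
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.InheritanceFlags -ne 'None' -and
        ([int]$_.FileSystemRights -band [int]$rights) -and
        $_.IdentityReference.Value -match 'Authenticated Users|Everyone|\\Users$'
    } | ForEach-Object {
        Write-Warning "$path : inheritable $($_.FileSystemRights) for $($_.IdentityReference)"
    }

    # Inheritance and propagation flags of None scope the ACE to "This folder only".
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $rights, 'None', 'None', 'Allow')
    if ($Apply) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
    Write-Output "$path : $Group ReadAndExecute (this folder only), applied=$([bool]$Apply)"
}
```

Because the ancestor ACEs do not inherit, sibling folders stay unreadable to the group and ABE filters them out of the listing; the target folder keeps its own explicit grant.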
