Re: Folder views for NTFS permissions

From: Mark J. Smith (mjsmith@dol.net)
Date: 01/13/02


From: "Mark J. Smith" <mjsmith@dol.net>
Date: Sun, 13 Jan 2002 18:27:59 GMT

The List permission set on a folder controls whether or not a user can view
subdirectory names and files within a directory, and the Read Data
permission controls reading the data within a file that they can see.

I don't think there is a way directly through NTFS to allow them to see the
existence of the subdirectories they are allowed access to while hiding the
subdirectories they do not have access to if they are all within one parent
directory. You can prevent them from opening the subdirectories, but not
from seeing that they exist.

I will do some testing and see if I can determine a set of rights that will
accomplish what you're trying to do.

"Dave Miller" <dmiller@printcafe.com> wrote in message
news:3f45178a.0201101116.501df19b@posting.google.com...
> Mark,
>
> Thanks for the thorough response here, however this isn't exactly what
> we are looking for. In your recommendation, we would need to have a
> separate drive letter for the Users folder and then another drive
> letter for Public info. This would work in this one instance, but
> creates other problems when we want to do similar things to other
> folders. In many cases we have numerous folders within a subfolder
> that we do not want the users to be able to see. In other words, back
> to the Users\Public example: Is there a way in NTFS to remove the
> ability to see a folder? For example:
> L drive has the following subfolders:
>   Marketing
>     NWarea
>     SWarea
>     NEarea
>     SEarea
>   Sales
>     Largeco
>     smallco
>   Management
>     Susan
>     Clairice
>     Gerald
>     Robert
>   Support
>
> User1 only needs access to the Robert folder in Management and I don't
> want him to see the Gerald, Clairice, or Susan folders. I also do not
> want User1 to see the Marketing, Sales, or Support folders.
> User1 (in Novell) would have a drive mapping to L, just like all the
> other users and would only see:
>   Management
>     Robert
>
> Is there a way to do this in NTFS without mapping separate drives?
>
> Thanks again for any insight.
>
> -Dave
>
>
> So do you know if it is possible to have a situation such as the one I
> quoted below: An H drive with the Users folder and the Public folder
> with vi
>
>
> "Mark J. Smith" <mjsmith@dol.net> wrote in message
> news:<M5a%7.238$rU.54825@monger.newsread.com>...
> > Considering some differences between Novell and Microsoft, you may want to
> > change direction a little bit on this issue.
> >
> > Change the rights on the H:\Public folder itself to Administrative access
> > only (I always include LocalMachine\Administrators, LocalMachine\System,
> > and Domain\Domain Administrators with full control). Remove all other
> > rights, but do not deny access... just leave all other groups out. This
> > will have the effect of preventing them from viewing the directory and its
> > contents.
> >
> > On the subdirectory you want them to have access to, add the user name (or
> > group) with Change access. Unless you have removed the "Bypass Traverse
> > Checking" right, they will be able to read files from that directory if
> > they can get to it... which requires the directory to be shared. Share the
> > subdirectory with Change access to the same group.
> >
> > Set the user's home drive in their profile to \\Servername\Username. Do
> > this by selecting the user name, opening the profile tab, and select Home
> > Folder, Connect, Drive Letter, and the path. (You can set the default user
> > to \\Servername\%Username% and it will fill it in for new users.)
> >
> > So, assuming on Server1 you have User1 and User2, the NTFS directory
> > permissions would look like this:
> > Public- Server1\Administrators, Server1\System, and Domain\Domain
> > Administrators Full Control. (I would share this with the share
> > permissions also set to Server1\Administrators, Server1\System, and
> > Domain\Domain Administrators Full Control for maintenance work.)
> > Public\User1- Server1\Administrators, Server1\System, and Domain\Domain
> > Administrators Full Control, User1 Change, shared as \\Server1\User1.
> > Public\User2- Server1\Administrators, Server1\System, and Domain\Domain
> > Administrators Full Control, User2 Change, shared as \\Server1\User2.
> >
> > Assuming you still wanted to use H: for the drive letters, they would
> > appear to the user as "User1 on 'Server1' (H:)", and only their directory
> > would be visible.
> >
> > For NTFS information, the first place to start is simply under the
> > built-in help files... Start, Help, select the Search tab, and type in
> > "ntfs" for general information, and "ntfs permissions" for some more
> > specific topics.
> >
> > Specific information on NTFS can also be found here:
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fsys_538t.asp
> > with specific information on access controls here:
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/access_control.asp
> >
> > An adaptable process that could save you quite a bit of time can be found
> > in the Microsoft Knowledge Base at support.microsoft.com. Search for this
> > article:
> > Batch Process to Create and Grant Access to Home Directories (Q155449)
> > Some other useful articles that may be of assistance:
> > Default NTFS Permissions in Windows NT (Q148437)
> > Default NTFS Permissions in Windows 2000 (Q244600)
> > Step by Step: Novell NetWare to Windows NT Migration (Q187789) (For NT 4,
> > but has some applicable information.)
> > How to Restore the Default NTFS Permissions for Windows 2000 (Q266118) (In
> > case of problems during the learning curve.)
> >
> > In general, the Knowledge Base (Support.Microsoft.Com) and MSDN
> > (MSDN.Microsoft.Com) are excellent references. If you are new to Microsoft
> > servers, you should also take the time to look through the security
> > information at WWW.Microsoft.Com\Security.
> >
> > I hope this helps. Good luck with the conversion.
> >
> >
> >
> >
> > "Dave Miller" <dmiller@printcafe.com> wrote in message
> > news:3f45178a.0112211337.6db0c5d8@posting.google.com...
> > > We are setting up Windows 2000 AD for File and Print services. We are
> > > moving from Novell's NDS.
> > >
> > > Does anyone know of a way to block the ability to view folders that
> > > the user does not have permissions to? In other words, we have an
> > > H:\Public directory with all the users folders in them. With Novell,
> > > we had the ability to only display the users folder that the
> > > particular user had rights to. With 2000 (NTFS) it seems that the
> > > only option is for them to view all folders within the Public
> > > directory. With Novell, if you gave a user rights to a directory that
> > > was nested 6 folders deep, they automatically were given traversing
> > > rights to find that directory and the path to get there. With NTFS,
> > > it looks quite different. We have to give the user rights through
> > > every folder to get to the one folder he needs access to. Any help
> > > here would be appreciated. Hope you can understand this.
> > >
> > > -Dave
> > >
> > > P.S. Also - any info on the web that you are aware of that clarifies
> > > NTFS permissions would be helpful (we've searched quite a bit and have
> > > found scant info).
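
The layout described in the quoted reply above (admin-only parent folder, one subfolder per user with Change, one share per user), as an added example that is not part of the original thread. It uses current Windows tooling (icacls, New-SmbShare) rather than what shipped with Windows 2000, and the path D:\Public, the domain CONTOSO and the accounts User1/User2 are assumptions.

```powershell
# Added example. Hypothetical names: D:\Public, domain CONTOSO, User1/User2.
$Root   = 'D:\Public'
$Domain = 'CONTOSO'
$Users  = 'User1', 'User2'
$Admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\Domain Admins"

function Set-AdminOnlyAcl {
    param([string]$Path)
    # Grant the admin principals Full Control first, then drop inherited ACEs.
    # Nobody is denied; all other groups are simply left off the ACL.
    foreach ($p in $Admins) {
        icacls $Path /grant:r "${p}:(OI)(CI)F" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls grant failed on $Path for $p" }
    }
    icacls $Path /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls could not remove inheritance on $Path" }
}

# Parent folder: administrators only, shared for maintenance work.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Set-AdminOnlyAcl $Root
New-SmbShare -Name 'Public' -Path $Root -FullAccess $Admins | Out-Null

foreach ($u in $Users) {
    $dir = Join-Path $Root $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-AdminOnlyAcl $dir
    # "Change" in the post corresponds to Modify (M) in icacls terms.
    icacls $dir /grant:r "${Domain}\${u}:(OI)(CI)M" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls grant failed on $dir for $u" }
    # One share per user (\\Server1\User1 in the post), same principals as the NTFS ACL.
    New-SmbShare -Name $u -Path $dir -ChangeAccess "$Domain\$u" -FullAccess $Admins | Out-Null
}

# Check: the parent ACL must list only the admin principals, none of them inherited.
$unexpected = (Get-Acl $Root).Access |
    Where-Object { $_.IsInherited -or $_.IdentityReference.Value -notin $Admins }
if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    "OK: $Root is restricted to $($Admins -join ', ')"
}
```

Run it elevated on the file server; the final check prints any ACE on the parent folder that would let a non-administrator list the user folders.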


