Re: Permissions dilemma



Hi Brian,

My first suggestion is not to share out the D drive. Share a folder on the D drive.
E.g.

D:\Users <- shared
D:\Users\Mike
D:\Users\Brian
....

D:\Data <- shared
D:\Data\IT Files
D:\Data\HR Files
....

Now your users won't have permission to browse the whole D drive. Setting up
permissions can now be done in more than one way. One option would be to
give users "Read & Write" permissions on shares, but only give them
appropriate permissions on NTFS. E.g. user Mike would get Full Control NTFS
permissions on the Mike folder but none on the Brian folder.

Note: try to avoid using Deny. It will make your permissions too complex and
very hard to troubleshoot.

Administrators can always use administrative shares to access the drive by
using \\servername\d$, which is a hidden share. Note: only members of the
administrative group can access default administrative shares by default.

--
Mike
Microsoft MVP - Windows Security

"BrianG" <decc@xxxxxxxxxxx> wrote in message
news:1144954670.584129.238490@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm making the transition from Netware NDS to AD and the whole sharing
and NTFS permissions has me a bit twisted. I'm trying to figure out
how I can keep the domain users from being able to browse the root of
Drive D: located on the server. This drive will contain the users' home
folders and mailboxes along with many folders which most users have no
business knowing about. It seems no matter what I try, the effective
permissions for individual domain users still show Traverse folder,
List folder, Read... I've considered Denying these permissions but
some domain users are admins so I can't do it on a group level and I
certainly don't want to start messing with permissions at the user
level. Any suggestions on how to prevent the browsing of the root of
\\servername\D: by domain users and allow it only for domain admins?

BrianG
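
The layout suggested in the reply above, written out as an added PowerShell example (not part of the original thread or either poster's own script), followed by an audit that flags any Deny, inherited, or unexpected ACE on the home folders. Assumptions: the domain name EXAMPLE is a placeholder, the accounts Mike and Brian match the folder names in the post, the share-level "Change" right stands in for "Read & Write", Administrators and SYSTEM are kept on each folder's ACL, and the server has the SmbShare cmdlets (Windows Server 2012 or later).

```powershell
# Added example. Run elevated on the file server; names below are placeholders.
$domain = 'EXAMPLE'            # hypothetical NetBIOS domain name
$users  = 'Mike', 'Brian'      # accounts matching the folder names in the post
$root   = 'D:\Users'

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Share the folder, never the drive root. Change = read/write at the share level;
# the NTFS ACLs below decide who actually gets into each subfolder.
if (-not (Get-SmbShare -Name 'Users' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Users' -Path $root `
        -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

foreach ($u in $users) {
    $folder = Join-Path $root $u
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # /inheritance:r drops ACEs inherited from D:\Users, so other users get
    # no access simply because nothing grants it. No Deny entries are needed.
    icacls $folder /inheritance:r /grant:r `
        "${domain}\${u}:(OI)(CI)F" `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $folder" }
}

# Audit: each home folder should carry only explicit Allow ACEs for its owner,
# Administrators and SYSTEM. Report anything else.
$findings = foreach ($u in $users) {
    $expected = "$domain\$u", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    (Get-Acl -Path (Join-Path $root $u)).Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -or $_.IsInherited -or
            $_.IdentityReference.Value -notin $expected
        } |
        Select-Object @{ n = 'Folder'; e = { $u } }, IdentityReference,
                      AccessControlType, IsInherited, FileSystemRights
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'Home folder ACLs match the intended layout.' }
Get-SmbShareAccess -Name 'Users'
```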


