5

We have a staff member who requires access to a single folder in the root of a network share. All other files and folders in the share should be inaccessible to them.

I thought if I added only "Traverse Folder / Execute File" and "Traverse Folder / List Data", it would be enough for the user to browse the root of the share; however, they are denied access to the network share itself with only these permissions and so cannot drill down to the subfolder they need access to.

My goal is to grant only the absolute minimum permissions necessary for folder traversal of the root of the network share.

Ideally, I want any new folders created in the root of this share by other users to automatically restrict access to the user in question (so new folders should not inherit traversal permissions for the user).

Here are the NTFS options I have to choose from:

[screenshot of the advanced NTFS permission entry dialog]

Just to be clear: the reason I am not simply using explicit deny permissions on the other subfolders is because I need any new subfolders created by staff to automatically inherit permissions which prevent the new user from accessing them.

I've never used the traversal permissions before, so am most likely making a basic mistake here.

Any advice would be appreciated.

joeqwerty
Austin ''Danger'' Powers

2 Answers

7

You want Traverse Folder and List Folder like you've listed and you want to set the drop down at the top to This folder only. Then you need to set whatever other permissions you want that user to have on the explicit subfolder that they should have access to.

If you can't get into the root folder with what you've posted, it's likely because of the folder's share permissions and not the NTFS permissions - double check those.

MDMarra
    If you enable access based enumeration on the share you get the added benefit of the user only seeing folders they can access. – Molotch Feb 15 '14 at 12:20
  • @MDMarra: thanks for the "This folder only" tip. The problem was that the explicit deny permission on the root of the folder was set to "this folder, subfolder and files", when it should just have been "subfolder and files only". The share permissions were fine, and there was not even any need for me to use traverse permissions on the root of the share, as the user is a member of a security group which gives access to the root of the share anyway. My screenshot didn't show the deny permissions, which had a separate entry. Works great now. Just needed a minor tweak as deny was overriding access. – Austin ''Danger'' Powers Feb 15 '14 at 13:57
  • @Molotch: I've heard of Access-Based Enumeration many times before and I've often wished there was an easy way of only allowing users to see what they had access to. Little did I know that that was exactly what ABE does! Apparently this is supported on SBS 2003, so I will be experimenting with this today. Thanks for mentioning that. Pretty excited to get this feature working. – Austin ''Danger'' Powers Feb 15 '14 at 14:02
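The setup MDMarra describes, together with the deny-scope fix and the ABE setting from the comments, as an added PowerShell example (not code from the question or answers). The share root `D:\Share` (shared as `Share`), the permitted subfolder `D:\Share\Project` and the account `CONTOSO\jdoe` are assumed names; `Set-SmbShare` exists on Windows Server 2012 and later only.

```powershell
# Added example; not from the question or the answers. Assumed names:
# share root D:\Share (shared as "Share"), the one permitted subfolder
# D:\Share\Project, and the user CONTOSO\jdoe.
$Root    = 'D:\Share'
$Project = 'D:\Share\Project'
$User    = 'CONTOSO\jdoe'

# Builds one NTFS ACE. $Inherit and $Propagate are what the "Applies to"
# drop-down in the GUI sets behind the scenes.
function New-Ace {
    param($Identity, $Rights, $Inherit, $Propagate, $Type)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Type
}

# 1. Root: Traverse Folder / Execute File + List Folder / Read Data, scoped to
#    "This folder only" (no inheritance flags), so folders other staff create
#    in the root later carry no ACE for this user.
$rootAcl = Get-Acl -Path $Root
$rootAcl.AddAccessRule((New-Ace $User 'ExecuteFile, ReadData' 'None' 'None' 'Allow'))

# 2. If a Deny ACE for the user is kept on the root to block everything else,
#    it must apply to "Subfolders and files only" (ContainerInherit +
#    ObjectInherit with InheritOnly). A deny that also covers "This folder"
#    overrides the allow above and locks the user out of the root, which is
#    exactly what the question ran into.
$rootAcl.AddAccessRule((New-Ace $User 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly' 'Deny'))
Set-Acl -Path $Root -AclObject $rootAcl

# 3. Explicit Allow on the one subfolder, inherited by its contents. Explicit
#    ACEs are evaluated before inherited ones, so this allow wins over the deny
#    inherited from the root; inside Project, the allow inherited from the
#    nearer parent is likewise ordered before the deny inherited from the root.
$projAcl = Get-Acl -Path $Project
$projAcl.AddAccessRule((New-Ace $User 'Modify' 'ContainerInherit, ObjectInherit' 'None' 'Allow'))
Set-Acl -Path $Project -AclObject $projAcl

# 4. Access-based enumeration on the share (Windows Server 2012+) so the user
#    only sees the folders they can actually open.
Set-SmbShare -Name 'Share' -FolderEnumerationMode AccessBased -Force

# 5. Review the resulting entries for the user on both folders.
foreach ($path in $Root, $Project) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -eq $User } |
        Select-Object @{ n = 'Path'; e = { $path } }, AccessControlType,
                      FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}
```

Run it as an administrator on the file server. The review in step 5 is the check worth keeping: the root should show a single non-inherited Allow with no inheritance flags and the Deny with `InheritOnly`, while the user's entry on `Project` is the explicit Allow. Share permissions are a separate gate and still have to admit the user, as the answer notes.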
5

All users have the Bypass Traverse Checking user right by default, so my suggestion would be to not assign the permissions for the user the way you have but instead to assign the permissions for the user only on the file you need them to access and then give them a shortcut to that file. That will allow them to access the file without having to directly navigate through the shared folder to find the file.

http://technet.microsoft.com/en-us/library/cc739389(v=ws.10).aspx

If you need them to directly traverse/browse the shared folder structure then you'll have to do it the way MDMarra suggested in his answer.

joeqwerty
  • I've got it working the way I originally wanted now but will read up on Bypass Traverse Checking as I don't fully understand the implications of using that yet. Thanks. – Austin ''Danger'' Powers Feb 15 '14 at 14:07
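The file-only approach in this answer, as an added PowerShell example (not code from the answer or the linked article). The file `\\FILESRV\Share\Finance\budget.xlsx`, the account `CONTOSO\jdoe` and the shortcut location are assumed names; the share permissions are assumed to already admit the user.

```powershell
# Added example; not from the answer. Assumed names: the single file
# \\FILESRV\Share\Finance\budget.xlsx, the user CONTOSO\jdoe, and a shortcut
# location the user can reach. Share permissions must already admit the user.
$File         = '\\FILESRV\Share\Finance\budget.xlsx'
$User         = 'CONTOSO\jdoe'
$ShortcutPath = '\\FILESRV\Users\jdoe\Desktop\budget.lnk'

# 1. "Bypass traverse checking" is the SeChangeNotifyPrivilege user right.
#    Run this in the user's own session: no match means policy has removed
#    the right, and the shortcut will then fail at the first folder the user
#    has no List/Traverse permission on.
whoami /priv | Select-String -Pattern 'SeChangeNotifyPrivilege'

# 2. Grant rights on the file only; the folders above it get no ACE at all.
#    Modify covers read, write and delete of this one file; use 'Read' if the
#    user should only open it.
$acl  = Get-Acl -Path $File
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $User, 'Modify', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $File -AclObject $acl

# 3. A shortcut that opens the file by its full path. Opening it never lists
#    \\FILESRV\Share or the Finance folder, so nothing else is exposed.
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut($ShortcutPath)
$lnk.TargetPath = $File
$lnk.Save()

# 4. Confirm the file carries the ACE and its parent folder does not.
(Get-Acl -Path $File).Access | Where-Object { $_.IdentityReference -eq $User }
(Get-Acl -Path (Split-Path -Path $File -Parent)).Access |
    Where-Object { $_.IdentityReference -eq $User }
```

The second command in step 4 should return nothing; if it lists an entry, the user has permissions on the folder through some other route and the file-only scoping is not what is actually in force. Step 1 is the part to re-run after any Group Policy change to "User Rights Assignment", since removing that right breaks this approach silently.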