RE: [ActiveDir] Hide Subfolders with NTFS Permissions

[Noah Eiger]

Thanks everyone. That’s what I figured. Using the method below, don’t I run into having to Deny all other groups on each subfolder? There is no simple way of saying “Deny everyone except Managers”, right?   The simpler approach is to pull Sales and Finance out of Management and make them separate shares. Alternatively, I could put them under a folder with more inclusive top-level permission and then restrict them, right?   -- nme   From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED] Sent: Monday, January 24, 2005 9:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Hide Subfolders with NTFS Permissions   problem with this approach is that they don't see anything underneath the Management share - and since you can only map a single share to a drive letter, you'd have to introduce multiple mapped drives to achieve this goal, which is what Windows admins have done all along, e.g. if someone is member of two of the groups (e.g. write on Sales, but read on Finance...).   In large environments this becomes rather messy... - thus the new Access Based Enumeration feature in 2003 SP1.   /Guido   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT Sent: Monday, January 24, 2005 5:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Hide Subfolders with NTFS Permissions You can.  You just have to deny them "list folder contents", and they can not see what's in the folder, that coupled with a denied read should take care of it. Personally, I'd create new shares for Sales and Finance and map those straight to M:.  Then map your Management to M: for your respective groups.   //SIGNED// ------------------------------------------------ David J. Perdue Network Security Engineer, InDyne Inc  Comm: (805) 606-4597    DSN: 276-4597 ------------------------------------------------     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Monday, January 24, 2005 08:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Hide Subfolders with NTFS Permissions Hello all:   Management has requested a NTFS permissions structure that “hides” certain subfolders. Here’s what I want to do:   Folder  ->  NTFS Permission by Group \Management (share)    -> Managers     \ Legal -> (inherited)     \ HR -> (inherited)     \ Sales -> Managers and Sales     \ Finance -> Managers and Bookkeepers   For people in the Managers group, \Management maps as M: and they see and have access to all subfolders. For Sales folks, \Management maps as M: but they only see and have access to \management\sales For Bookkeepers, \Management maps as M: but they only see and have access to \management\Finance   Is this possible? Or practical? Does this violate some “best practices”?   Thanks.   -- nme