Domain shared folder with user restricted subfolders

Tags: domain, file-permissions, file-server, network-share

I have a domain running on a virtual Windows Server 2012 R2. Another virtual server hosts our file server. To that end I need a shared folder accessible by all domain users. No problem there. However, I would now like to restrict the access to the subfolders, and if possible not list those folders if they do not have access to them. In those subfolders they are allowed to do anything they like.

Let me illustrate this:

We have domain users Alice and Bob, and shared folder Z: with subfolders K, L, M.

Alice has access to K and L.

Bob has access to L and M.

Both should be able to open Z. Alice sees folders K and L, whereas Bob sees folders L and M.

If Alice creates something in L, Bob can remove or modify it.

I have been messing around with share access, permissions and access-based enumeration, but so far no combination has got me close to what I need. Any suggestions are welcome. Thanks!

My biggest problem is probably:

How do you give everybody access to the shared folder, but restrict basically all permissions in that folder at the same time (except for viewing the subfolders they should have access to)?

Best Answer

My mistake was to let the default permissions be. I suspect the CREATOR OWNER might have been impeding my progress. If you instead get rid of all the inherited permissions, you will only end up with your current account's permission.

You can leave the share permissions as is (Everyone full access), because the effective permission is determined by the intersection of share and NTFS.

Make sure that access-based enumeration is enabled so that only accessible files / folders are visible.

Then add the domain users such that they can read and execute.

All that is left to do is to add the appropriate permissions to the subfolders.

Note however that if you remote desktop into the file server and view the shared folder, all folders will be visible, though only those with permission can be accessed, due to the fact that the access-based enumeration only works on shared folders.
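The steps in the answer above, written out as a PowerShell script. This is an added example, not code from the original answer; it assumes the share root is `D:\Shares\Z` published as `Z`, the domain is `CONTOSO`, and per-subfolder access is granted through assumed groups `Z-K-Users`, `Z-L-Users` and `Z-M-Users` rather than to individual users.

```powershell
# Added example (not from the original answer). Assumed names: root D:\Shares\Z,
# share "Z", domain CONTOSO, subfolders K/L/M, and one access group per subfolder.
$Root   = 'D:\Shares\Z'
$Domain = 'CONTOSO'
$Map    = @{ K = 'Z-K-Users'; L = 'Z-L-Users'; M = 'Z-M-Users' }
$Admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function New-Ace($Identity, $Rights, $Inherit) {
    # Helper: build an Allow ACE. $Inherit 'None' = "This folder only".
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

# 1. Root: stop inheriting (this removes the default ACEs, CREATOR OWNER included)
#    and do NOT copy the inherited entries, so the ACL contains only what we add.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in $Admins) {
    $acl.AddAccessRule((New-Ace $id 'FullControl' 'ContainerInherit,ObjectInherit'))
}
# Domain Users may open and list Z, but the ACE applies to this folder only,
# so it does not leak into the subfolders and grants nothing to create at the top level.
$acl.AddAccessRule((New-Ace "$Domain\Domain Users" 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $acl

# 2. Subfolders: they inherit only the admin/SYSTEM entries from the root;
#    add Modify for the subfolder's group so members can create, change and
#    delete each other's files (the Alice/Bob requirement in L).
foreach ($sub in $Map.Keys) {
    $path   = Join-Path $Root $sub
    $subAcl = Get-Acl -Path $path
    $subAcl.AddAccessRule((New-Ace "$Domain\$($Map[$sub])" 'Modify' 'ContainerInherit,ObjectInherit'))
    Set-Acl -Path $path -AclObject $subAcl
}

# 3. Share: leave share permissions wide open (NTFS is the effective limit) and
#    enable access-based enumeration so users only see subfolders they can open.
New-SmbShare -Name 'Z' -Path $Root -FullAccess 'Everyone' -FolderEnumerationMode AccessBased

# 4. Check: ABE is a share property, which is why a local/RDP view of D:\Shares\Z
#    still lists every subfolder. Confirm it is on for the share itself.
Get-SmbShare -Name 'Z' | Select-Object Name, Path, FolderEnumerationMode
```

To verify what a given user will actually see and be able to do, test from a domain-joined client through `\\<server>\Z` rather than on the server console, since only the share path applies access-based enumeration.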
