Windows – Tool to manage windows shared folders and their permissions

Tags: network-security, network-share, shares, windows

I remember there was a tool to easily manage shares for Windows. But I don't remember anything about it.

My case is a commonly used configuration, but in Windows it is very hard to manage user permissions for shares.

Let's say I have the following structure and two users.

Dropbox

  • Folder A
  • Folder B
  • Folder C
  • Public

User A should be able to edit everything inside Folder A and C, but shouldn't see or access Folder B, and shouldn't be able to delete Folder A and C.

User B should have the same access rights for Folder B and should not see A and C.

Public folder should be accessible for everyone even if it is a newly created user.

Dropbox folder is automatically synced to web.

Windows gets very confusing and messy when I implement the permissions under the folder properties > Security > Advanced window. I can't understand inheritance and the "apply to child objects" check box.

And if I give access to users under the Sharing > Share window it is simple, but the user is able to delete root folders if he has the right to access them.

Best Answer

Generally you want to apply your restrictions at the NTFS level. Make your share permissions as open as you can (i.e. 'Authenticated Users' or 'Everyone' modify access at least), then nail it down with the NTFS security permissions.

I would recommend creating three security groups for each share (Read, Modify and Write) and then assigning the permissions for those to the folder. You then add users and groups into those groups to apply permissions. This saves having to edit folder permissions every time a user changes role.

If you want to hide folders that users cannot access, you will need to enable 'Access Based Enumeration', so in your case I would:

  1. Create a single share called 'Dropbox' and apply 'Everyone' write access
  2. Create the relevant folders with 3 security groups each (Read, Write and Modify); you can just create two (Read and Write) if you want to simplify.
  3. Assign the groups to the folders and give them the permissions stated
  4. Go to 'Server Manager' on the file server and 'File and Storage Services --> Shares --> Right click the share --> Properties --> Settings --> Enable Access Based Enumeration'

What ABE does is hide any resources that the user does not have at least 'Read / List' access to.

EDIT:

Just a thought, but applying Write or Modify permissions at the root folder level (i.e. Public in your example) will also allow the users to modify the parent folder. So someone may accidentally rename 'Public' to something else.

To work around this, for the groups with modify permissions (so Write and Modify) set a separate permission for 'Read, write and execute' as 'This folder only', then have 'Modify' permissions on 'Subfolders and files'. For example, our department drive has the following:

[screenshot: the Advanced Security Settings dialog for the department drive, listing the three entries described below]

So you can see there are three ACLs but only two groups.

The first one is:

FS.dep.Full.Information Systems - Modify - Subfolders and files

Which allows all members of the group to create and edit all objects UNDER the current folder.

Second is:

FS.dep.Full.Information Systems - Read and Execute - This folder only

Which allows the group to only READ the parent folder (Information Systems) but not make any changes to it.

Then:

FS.dep.Read.Information Systems - Modify - This folder, subfolders and Files

Which just gives everyone in the group read access to everything.
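The following PowerShell script is an added example, not code from the question or the answer. It builds the answer's whole layout: the four steps (open share permissions, per-folder groups, NTFS ACLs, ABE) plus the EDIT's "Read & execute on this folder only / Modify on subfolders and files" pattern, which is what stops a user from renaming or deleting the folder they work in. It assumes a workgroup file server with local users named 'UserA' and 'UserB' already present, a share root of C:\Shares\Dropbox, and the answer's simplified two-group model (a Read group that gets Read & execute, a Write group that gets Modify); the group names, paths and the helper functions New-Ace, Set-FolderAcl and Get-AceSummary are the example's own choices. On a domain you would swap the *-LocalGroup cmdlets for the Active Directory equivalents.

```powershell
#Requires -RunAsAdministrator
# Added example: reproduces the answer's design with PowerShell.
# Assumptions: workgroup server, local users 'UserA' and 'UserB' exist,
# share root is C:\Shares\Dropbox. Group names are hypothetical.
$Root = 'C:\Shares\Dropbox'

# Builds one ACE; $Scope mirrors the "Applies to" column in the
# Advanced Security dialog the answer refers to.
function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [ValidateSet('ThisFolderOnly', 'SubfoldersAndFiles', 'ThisFolderSubfoldersAndFiles')]
        [string]$Scope
    )
    switch ($Scope) {
        'ThisFolderOnly'               { $inherit = 'None';                            $prop = 'None' }
        'SubfoldersAndFiles'           { $inherit = 'ContainerInherit,ObjectInherit'; $prop = 'InheritOnly' }
        'ThisFolderSubfoldersAndFiles' { $inherit = 'ContainerInherit,ObjectInherit'; $prop = 'None' }
    }
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]$prop,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Replaces a folder's ACL with exactly the ACEs given. Inheritance from the
# parent is cut, so a user gets nothing unless a rule here grants it.
function Set-FolderAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Admins and SYSTEM keep full control everywhere so the server stays manageable.
$adminAces = @(
    (New-Ace 'BUILTIN\Administrators' FullControl ThisFolderSubfoldersAndFiles),
    (New-Ace 'NT AUTHORITY\SYSTEM'    FullControl ThisFolderSubfoldersAndFiles)
)

New-Item -ItemType Directory -Path $Root, "$Root\Public" -Force | Out-Null

# Root: anyone who can log on may list Dropbox but not change the folder itself.
Set-FolderAcl -Path $Root -Rules ($adminAces + @(
    (New-Ace 'NT AUTHORITY\Authenticated Users' ReadAndExecute ThisFolderOnly)
))

# Public: every authenticated user (new accounts included) can work inside it,
# but the EDIT's split means nobody can rename or delete 'Public' itself.
Set-FolderAcl -Path "$Root\Public" -Rules ($adminAces + @(
    (New-Ace 'NT AUTHORITY\Authenticated Users' Modify         SubfoldersAndFiles),
    (New-Ace 'NT AUTHORITY\Authenticated Users' ReadAndExecute ThisFolderOnly)
))

# Steps 2 and 3: a Read/Write group pair per folder, membership per the question.
$folders = @{ 'Folder A' = 'UserA'; 'Folder B' = 'UserB'; 'Folder C' = 'UserA' }
foreach ($name in $folders.Keys) {
    $tag  = $name -replace ' ', ''            # 'Folder A' -> 'FolderA'
    $path = Join-Path $Root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    foreach ($level in 'Read', 'Write') {
        $g = "FS.$tag.$level"
        if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) { New-LocalGroup -Name $g | Out-Null }
    }
    Add-LocalGroupMember -Group "FS.$tag.Write" -Member $folders[$name] -ErrorAction SilentlyContinue
    # Write group: Modify below the folder, Read & execute on the folder only,
    # so User A can edit everything in Folder A but cannot delete Folder A.
    # Users with no ACE here (User A on Folder B) are hidden once ABE is on.
    Set-FolderAcl -Path $path -Rules ($adminAces + @(
        (New-Ace "FS.$tag.Write" Modify         SubfoldersAndFiles),
        (New-Ace "FS.$tag.Write" ReadAndExecute ThisFolderOnly),
        (New-Ace "FS.$tag.Read"  ReadAndExecute ThisFolderSubfoldersAndFiles)
    ))
}

# Steps 1 and 4: share permissions stay open (Change = write at the share
# level); NTFS does the restricting, and ABE hides what a user cannot read.
if (-not (Get-SmbShare -Name 'Dropbox' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Dropbox' -Path $Root -ChangeAccess 'Everyone' | Out-Null
}
Set-SmbShare -Name 'Dropbox' -FolderEnumerationMode AccessBased -Force

# Check: list a folder's ACEs in the same "identity - rights - applies to"
# form the answer uses, so the result can be read against the screenshot.
function Get-AceSummary {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | ForEach-Object {
        $scope = switch ("$($_.InheritanceFlags)|$($_.PropagationFlags)") {
            'None|None'                                   { 'This folder only' }
            'ContainerInherit, ObjectInherit|InheritOnly' { 'Subfolders and files' }
            'ContainerInherit, ObjectInherit|None'        { 'This folder, subfolders and files' }
            default { "$($_.InheritanceFlags)/$($_.PropagationFlags)" }
        }
        '{0} - {1} - {2}' -f $_.IdentityReference, $_.FileSystemRights, $scope
    }
}
Get-AceSummary -Path "$Root\Folder A"
```

Run it once as an administrator on the file server; the final Get-AceSummary call prints the explicit entries on Folder A, where you should see the Write group twice (Modify on subfolders and files, Read & execute on this folder only) and the Read group once. The same function pointed at any other folder is a quick audit that inheritance was actually cut and that no unexpected principal was left with access.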