I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.
To find a specific file, use the menu option Find->Find Handle or DLL... Type in part of the path to the file. The list of processes will appear below.
If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.
Examples
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\"c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"
Generally you want to apply your restrictions at the NTFS level. Make your share permissions as open as you can (i.e 'Authenticated Users' or 'Everyone' modify access at least) then nail it down with the NTFS security permissions.
I would recommend creating three security groups for each share (Read, Modify and Write) and then assign the permissions for those to the folder. You then add users and groups into those groups to apply permissions. Saves having to edit folder permissions every time a user change role.
If you want to hide folders that users cannot see you will need to enable 'Access Based Enumeration' so in your case I would:
- Create a single share called 'Dropbox' and apply 'Everyone' write access
- Create the relevant folders with 3 security groups each (Read, Write and Modify) you can just create two (Read and Write) if you want to simplify.
- Assign the groups to the folders and give them the permissions stated
- Go to 'Server Manager' on the file server and 'File and Storage Services --> Shares --> Right click the share --> Properties --> Settings --> Enable Access Based Enumeration'
What ABE does is hide any resources that the user does not have at least 'Read / List' access to.
EDIT:
Just a thought, but applying Write or Modify permissions at the root folder level (i.e Public in your example) will also allow the users to modify the parent folder. So someone may accidentally rename 'Public' to something else.
To work around this, for the groups with modify permissions (so Write and Modify) set a separate permission for 'Read, write and execute' as 'This folder only' then have 'Modify' Permissions 'Subfolders and files' for example our department drive has the following:
So you can see there are three ACL's but only two groups.
The first one is:
FS.dep.Full.Information Systems - Modify - Subfolders and files
Which allows all members of the group to create and endit all object UNDER the current folder.
Second is:
FS.dep.Full.Information Systems - Read and Execute - This folder only
Which allows the group to only READ the parent folder (Information Systems) but not make any changes to it.
Then:
FS.dep.Read.Information Systems - Modify - This folder, subfolders and Files
Which just gives read access to everything and everyone in the group.
Best Answer
These folders are specific to Windows Server Essentials edition.
Unless you have very good reason to mess with these folders (and are willing to put up with the complaints of the Server Essentials Dashboard), you should leave these folders alone. If you must do anything, disable the share on the specific folder you don't intend to use, but do not delete the underlying folders. Should you later need the folder, it's much easier to re-share a folder than recreate it from scratch given the specific NTFS security permissions they invariably require.
As for the
CertEnrollfolder, leave that alone, else you'll break your Certificate Services.Disabling the shares assigned to the folder will prevent users from accessing them over the network. Anyone logging directly into the server can easily ignore the folders, as should be done with most all default folders provided in a clean OS installation.
Here's a description of the various folders you inquired about:
CertEnroll
As @Katherine Villyard has correctly indicated, this folder is used by Active Directory Certificate Services for certificate enrollment.
Specifically, the TechNet article Changes implemented by Essentials Role on Windows Server 2012 R2 indicates this folder is configured in the IIS default website:
Users
According to the TechNet article Manage User Accounts in Windows Server Essentials:
Shared Folders
According to TechNet article Use Shared Folders in Windows Server Essentials:
ServerFolders
The
\ServerFoldersfolder stores a variety of data: