problem with this approach is that they don't see anything
underneath the Management share - and since you can only map a single share to a
drive letter, you'd have to introduce multiple mapped drives to achieve this
goal, which is what Windows admins have done all along, e.g. if someone is a
member of two of the groups (e.g. write on Sales, but read on Finance...).
In large environments this becomes rather messy... - thus
the new Access Based Enumeration feature in 2003 SP1.
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Monday, January 24, 2005 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hide Subfolders with NTFS Permissions

You can. You just have to deny them "list folder
contents", and they can not see what's in the folder, that coupled with a denied
read should take care of it.
Personally, I'd create new shares for Sales and Finance and
map those straight to M:. Then map your Management to M: for your
respective groups.
//SIGNED//
------------------------------------------------
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597
DSN: 276-4597
------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, January 24, 2005 08:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hide Subfolders with NTFS Permissions

Hello all:

Management has requested a NTFS permissions structure that “hides” certain
subfolders. Here’s what I want to do:

Folder               -> NTFS Permission by Group
\Management (share)  -> Managers
    \Legal           -> (inherited)
    \HR              -> (inherited)
    \Sales           -> Managers and Sales
    \Finance         -> Managers and Bookkeepers

For people in the Managers group, \Management maps as M: and they see and have
access to all subfolders.

For Sales folks, \Management maps as M: but they only see and have access to
\management\sales

For Bookkeepers, \Management maps as M: but they only see and have access to
\management\Finance

Is this possible? Or practical? Does this violate some “best practices”?

Thanks.

--
nme
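
The layout asked for above, combined with the Access Based Enumeration feature mentioned in the thread, can be sketched as follows. This is an added example, not part of the original messages; it uses the SMB cmdlets of Windows Server 2012 and later rather than the 2003 SP1 tooling of the thread. The domain `CONTOSO`, the path `D:\Shares\Management`, the helper `New-Ace` and the choice of Modify and ReadAndExecute rights are assumptions.

```powershell
# Added example. Assumed names (not from the thread): domain CONTOSO,
# path D:\Shares\Management, helper New-Ace. Run elevated on the file server.
$root = 'D:\Shares\Management'
$dom  = 'CONTOSO'

function New-Ace([string]$Identity,
                 [System.Security.AccessControl.FileSystemRights]$Rights,
                 [bool]$Inherit) {
    # $Inherit = $true  -> this folder, subfolders and files
    # $Inherit = $false -> this folder only (children do not receive the ACE)
    $flags = [System.Security.AccessControl.InheritanceFlags]$(
        if ($Inherit) { 'ContainerInherit,ObjectInherit' } else { 'None' })
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $flags, 'None', 'Allow')
}

# Create \Management and its four subfolders.
New-Item -ItemType Directory -Force -Path $root | Out-Null
'Legal', 'HR', 'Sales', 'Finance' | ForEach-Object {
    New-Item -ItemType Directory -Force -Path "$root\$_" | Out-Null
}

# Root ACL: stop inheriting from the parent and discard the inherited entries.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' FullControl $true))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    FullControl $true))
$acl.AddAccessRule((New-Ace "$dom\Managers"          Modify      $true))
# Sales and Bookkeepers may open and list M:\ itself, but this entry is not
# inherited, so Legal and HR carry no ACE for them.
$acl.AddAccessRule((New-Ace "$dom\Sales"       ReadAndExecute $false))
$acl.AddAccessRule((New-Ace "$dom\Bookkeepers" ReadAndExecute $false))
Set-Acl -Path $root -AclObject $acl

# Sales and Finance keep the inherited Managers entry and add their own group.
foreach ($pair in @{ Sales = 'Sales'; Finance = 'Bookkeepers' }.GetEnumerator()) {
    $path = "$root\$($pair.Key)"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule((New-Ace "$dom\$($pair.Value)" Modify $true))
    Set-Acl -Path $path -AclObject $acl
}

# Publish one share with Access Based Enumeration: over SMB, folders the
# caller cannot read are left out of the directory listing.
New-SmbShare -Name 'Management' -Path $root -FolderEnumerationMode AccessBased `
    -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
Get-SmbShare -Name 'Management' | Select-Object Name, Path, FolderEnumerationMode
```

No Deny entries are used here: a Sales user simply has no entry on Legal, HR or Finance, so the enumeration filter omits those folders from the listing of M:.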