I always use List on the top level. It propagates to the folders but not the files (obviously). The inherit is turned off for the subfolders once they go in and the relevant NTFS permissions added to the subfolders. Coupled with ABE this is probably the most efficient way of doing things that I have found.
2009/5/19 Tom Miller <tmil...@hnncsb.org>

> I got it, but I'm not sure it's the "correct" way. Here's what I did:
> - Provision the top level share
> - set ntfs perms to "list folder contents" for authenticated users and admins have full control
> - set share perms to "change, read" for authenticated users and admins have full control
> - on the sub folders, I set the appropriate AD group to have appropriate perms
>
> So now the folders can be seen but the contents not.
>
> >>> "Glen Johnson" <gjohn...@vhcc.edu> 5/19/2009 3:53 PM >>>
>
> Since you are on server 2008, check out access based enumeration. ABE, enable that and if a user doesn’t have access to a folder, they can’t even see it.
>
> Pretty handy for testing too.
>
> Create a test user, put them in one group, login as test user and browse around to see what you can find. Can you access locations you shouldn’t be able to access?
>
> Found about 4 users' home folders with incorrect permissions in 10 seconds flat using my test user account.
>
> *From:* Tom Miller [mailto:tmil...@hnncsb.org]
> *Sent:* Tuesday, May 19, 2009 3:08 PM
> *To:* NT System Admin Issues
> *Subject:* Best way to set share permissions?
>
> Brain cramp here.......
>
> I have a top level share called "Data", under which my various departments have their folders. I provide perms to the sub-folders based on AD Groups.
>
> I have the logon script set to map a drive to server\data. I don't mind that anyone can see all the folders under "data", but I want to be sure only the user with access to data\folder1 cannot open files under data\folder2.
>
> I'm new to file and print under Windows (2008), please pardon my ignorance.
>
> Tom
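An added example, not written by anyone in this thread: a read-only PowerShell audit of the layout discussed above (list-only at the top level, inheritance off on each department folder), as a scripted complement to browsing with a test user. Assumptions: the share path `\\server\data` from the original question, English principal names in `$Broad`, and PowerShell 3.0 or later for `Get-ChildItem -Directory`.

```powershell
param([string]$Root = '\\server\data')   # share path from the thread; adjust to yours

# Assumption: these are the principals counted as "everyone" for this audit.
$Broad = 'NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users'
$ObjectInherit = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit

# Allow ACEs on $Path that are granted to one of the broad principals.
function Get-BroadAce {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $Broad -contains $_.IdentityReference.Value
    }
}

# Top level: a list-only grant inherits to folders (ContainerInherit) but not to files.
foreach ($ace in Get-BroadAce $Root) {
    if (([int]$ace.InheritanceFlags -band $ObjectInherit) -ne 0) {
        [pscustomobject]@{ Path = $Root; Finding = 'Broad ACE inherits to files'
                           Identity = $ace.IdentityReference; Rights = $ace.FileSystemRights }
    }
}

# Department folders: inheritance should be off and only the intended groups listed.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    if (-not $acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path = $_.FullName; Finding = 'Inheritance still enabled'
                           Identity = $null; Rights = $null }
    }
    foreach ($ace in Get-BroadAce $_.FullName) {
        [pscustomobject]@{ Path = $_.FullName; Finding = 'Broad principal has access'
                           Identity = $ace.IdentityReference; Rights = $ace.FileSystemRights }
    }
}
```

The script only reads ACLs and emits one object per finding, so the output can be piped to `Format-Table` or `Export-Csv`; whether a "Broad principal has access" row is acceptable depends on whether folders are meant to stay visible or be hidden by ABE.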