Restricting SMB Folders in Domain

  • JR2ALTA
    Service Manager

    Site Contributor
    1,000+ Posts
    • Feb 2010
    • 2014

    Restricting SMB Folders in Domain

    I had a fun install today. The client had outside IT that he wasn't a big fan of, so he gave me free rein to experiment on his domain controller.

    What we wanted to do:

    Create a domain user "Scanner" for universal authentication -- No problem.

    Create a Share Folder with ten or so Subfolders for each employee -- No Problem.

    Create a Mapped drive on every workstation to see the "Scan and Subfolders" -- No Problem.

    Restrict the Bosses folders so no one else could open them -- MAJOR PROBLEM


    It seems all the Sharing/Security settings, no matter how granular, could not do this.

    The permissions are based on Groups, so if I restrict "Users" or "Everyone" in any way it takes effect on Scanner and Bosses and therefore doesn't work.

    Owl? Anyone?
  • rthonpm
    Field Supervisor

    2,500+ Posts
    • Aug 2007
    • 2835

    #2
    Re: Restricting SMB Folders in Domain

    Depending on the server in use, Access-based Enumeration is what you'll want to use. What you need to do is set the permissions on the subfolders, not the shared folder.

    The shared folder should be set with Read permissions for the group Domain Users. You want them to see the folder, but we'll be protecting the contents.

    On each subfolder, change the security settings by right clicking on the folder and choosing Properties, Security and then Advanced. On the Permissions tab, click Change Permissions and uncheck the option for Include inheritable permissions from this object's parent. In the warning you'll get, choose the option to Add. Then remove the Domain Users group. Click OK and then from the regular Security tab, edit the permissions to give the appropriate AD group and the copier's AD account modify rights to the folder. You'll want to do that for each subfolder.

    The advantage of this is that every user will only have access to folders that are linked to AD groups they are a part of, and will not even see folders that they do not have permissions to.
    It's a lot of steps, but once you get the process down, it's very easy.

    Sent from my BlackBerry using the Android app.

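    The steps rthonpm describes, as an added PowerShell example that is not part of this thread: share the root read-only for Domain Users, turn on Access-based Enumeration, then on every subfolder disable inheritance (the "Add" choice copies the inherited entries), drop Domain Users, and grant the folder's AD group plus the copier's account Modify. It assumes Windows Server 2012 or later (for the SmbShare cmdlets), a domain named CORP, a share root of D:\Scans, the scanner account CORP\Scanner, and one AD group per subfolder named "Scan-<FolderName>"; all of these are placeholders to adjust.

```powershell
# Added example: applies the subfolder-permission scheme from this thread.
# Placeholders (assumptions, not from the thread): CORP, D:\Scans, CORP\Scanner, Scan-<Folder>.
$Domain      = 'CORP'
$Root        = 'D:\Scans'
$ShareName   = 'Scans'
$Scanner     = "$Domain\Scanner"
$DomainUsers = "$Domain\Domain Users"

# 1. Share the root: everyone can browse it, the NTFS ACLs below protect the contents.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -ReadAccess $DomainUsers | Out-Null
}
# Access-based Enumeration hides subfolders the caller has no Read permission on.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# 2. NTFS on the root: Read & Execute for Domain Users so they can open the share.
$rootAcl = Get-Acl -Path $Root
$rootAcl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $DomainUsers, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $Root -AclObject $rootAcl

# 3. Per subfolder: break inheritance (copying the inherited entries, i.e. the "Add" choice),
#    remove Domain Users, grant the owning group and the scanner account Modify.
function Protect-ScanFolder {
    param([string]$Path, [string]$OwnerGroup)

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
    Set-Acl -Path $Path -AclObject $acl

    # Re-read so the copied entries are now explicit and can be removed.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq $DomainUsers } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    foreach ($identity in @($OwnerGroup, $Scanner)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Apply to every employee subfolder, mapping Boss -> CORP\Scan-Boss and so on.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    Protect-ScanFolder -Path $_.FullName -OwnerGroup "$Domain\Scan-$($_.Name)"
}
```

    Run it from an elevated PowerShell session on the file server; afterwards, Get-Acl on a subfolder should list only the owning group, the scanner account and any remaining copied entries (such as Administrators or SYSTEM), with no Domain Users entry.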

    • Kyo fan
      Trusted Tech

      250+ Posts
      • Dec 2013
      • 368

      #3
      Re: Restricting SMB Folders in Domain

      rthonpm is right. It's more work but it will get the job done in your case.


      • jhalfhide
        Trusted Tech

        250+ Posts
        • Apr 2015
        • 450

        #4
        Re: Restricting SMB Folders in Domain

        Oh and a deny will always take precedence over an allow.


        Sent from my iPhone using Tapatalk


        • rthonpm
          Field Supervisor

          2,500+ Posts
          • Aug 2007
          • 2835

          #5
          Re: Restricting SMB Folders in Domain

          Originally posted by jhalfhide:
          Oh and a deny will always take precedence over an allow.

          Sent from my iPhone using Tapatalk

          Deny is never a good option to use, especially when dealing with permissions assigned by groups. Also, whitelisting is a lot easier than blacklisting any day of the week.
