
Hiding Folders to which users don't have rights

Status
Not open for further replies.

FrauW (MIS), Jul 24, 2003
Hello all,
I am running a domain in Windows 2000 and have created a folder structure under our DATA partition. All user data is under this partition; however, I have implemented NTFS permissions on the folder level to prevent certain users access to certain folders.
Problem is that in my login script I map everyone to (net use g: \\servername\data). Although they can't get into the folders they don't have rights for, they can see that these folders exist. How do I make it so that they only see the folders for which they have rights? I can't hide the folder using $ because then it is also hidden from the system and the login script fails. Also, taking away the List Folders permission is only valid for subfolders & files.
Ideas? I know this is possible in Novell but how do you do this in Windows?

Thanks! :)
 
The answer to that is you can't! You can do it if the file server was Netware but NT will always show you every folder (unless the attribute is set to hidden) even if you don't have permissions to see it. It's a great security risk!!

Having said that there is a way of getting round the problem you have and that’s to implement DFS. I have one share on my file server, which is published on the DFS tree. The beauty with DFS is that you can map to a subfolder of the share!

Eg. \\FileServer\Share1

This can be published in the tree and the login script can map to: \\YourDomainName\DFS\FileServerName\Share1\Data001

You can use something like KixScript to use as the login script and get it to map to the appropriate share for the user logging in. This is the method I use for over 500 users and it works a treat. The drive maps to the root of the user's private directory so it's impossible for them to see any of the other directories above it.

Hope this helps!


Glenn
BEng MCSE CCA
 
Thanks for this suggestion. So.. this means if the user has access to 3 out of the 5 folders under data and I write this login script:

net use f: \\YourDomainName\DFS\FileServerName\Data

instead of what I now have

net use f: \\YourDomainName\data

They should get something like

f:\\Data
|_a
|_b
|_c

and not d and e??

2nd question: The DFS in the path \\YourDomainName\DFS\FileServerName\Data

is that actually word for word DFS or is it the name of my DFS root (I know this question is kind of like press 'any' key and people looking for the 'any' key but I want to be sure) ;-)

Thx.
 
No for the first bit. If you map to the DATA share via DFS you will still see all the folders. The only advantage of DFS is that you can map to a subdirectory of the DATA share. If someone needs access to only A, B and C then I would suggest either a separate drive mapping to each directory, or the other alternative is to publish directories a, b and c under the same DFS share. The only problem with this though is it will all appear as one logical drive to the user, which can be very dangerous.

In answer to your second question, DFS is just the name of the share at the root of your DFS tree. You are prompted to name this when you install DFS.

I would recommend installing DFS on your domain controllers and have a mess around with it. It's quite harmless. Just make sure that the replication settings aren't used (DFS can be used to mirror servers). I believe there is a white paper on Microsoft’s website which is very useful and well worth a read.

Hope this helps,







Glenn
BEng MCSE CCA
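
The "separate drive mapping to each directory" approach from the reply above, sketched as a batch logon script. This is an added example, not part of the original posts; the server, DFS root and folder names (YourDomainName, DFS, FileServerName, Data, a to e) are the placeholders used in the thread, and probing access with `dir` is an assumption of this sketch.

```bat
@echo off
rem Added example: map only the Data subfolders the logged-on user can open,
rem so folders they have no rights to never appear under a mapped drive.
rem All names below are placeholders taken from the thread.
setlocal
set "ROOT=\\YourDomainName\DFS\FileServerName\Data"

rem Folder list is hard-coded here; a..e match the example in the question.
for %%D in (a b c d e) do call :MapIfReadable "%%D"

endlocal
goto :eof

:MapIfReadable
rem dir returns a non-zero errorlevel when NTFS permissions deny listing
rem the folder (or when the path does not exist), so no drive is mapped.
dir "%ROOT%\%~1" >nul 2>&1
if errorlevel 1 (
    echo Skipping %~1: no access
    goto :eof
)
rem "*" makes net use pick the next free drive letter. /persistent:no stops
rem the mapping being remembered, so access is re-checked at every logon.
net use * "%ROOT%\%~1" /persistent:no >nul
if errorlevel 1 echo Failed to map %~1
goto :eof
```

Drive letters chosen by `net use *` differ per user depending on how many folders they can open; assign fixed letters per folder if users need consistent paths. The NTFS permissions remain the actual access control, the script only limits what gets mapped.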
 