
I have created and shared a folder on my server called “Finance”. I have also created a domain local security group called “FinanceGroup”. I have set the permissions to only share with the aforementioned security group, given administrators, domain admin, and system full control, and FinanceGroup has read and change. The FinanceGroup also has Modify, Read & Execute, List folder contents, read, and write. I have created two test users, Test (which is in the security group), and Test2 (which is not in the security group). My issue is that they both can see the folder, although the one that isn’t in the security group cannot open said folder. I want it so that only those in the security group can even see the folder. For everyone else it shouldn’t even be listed. I have already enabled access-based enumeration as well. For the life of me though, I cannot seem to get this to work. :confused:

I have discovered that if I share only to the FinanceGroup security group, then only the members of that group have access, as it should be, but the moment I add Administrators and Domain Admins to the share, all users somehow have access to the share. Please help!

https://linustechtips.com/topic/1122628-shared-folders-permissions/

From memory, to use access-based enumeration you need to use a DFS namespace. Create the share with a $ on the end of it to make it hidden, mount the share in a DFS namespace, then set access-based enumeration permissions so only the finance group etc. can see it. Use the DFS UNC path to browse or map the share.


24 minutes ago, leadeater said:

From memory, to use access-based enumeration you need to use a DFS namespace. Create the share with a $ on the end of it to make it hidden, mount the share in a DFS namespace, then set access-based enumeration permissions so only the finance group etc. can see it. Use the DFS UNC path to browse or map the share.

From what I understand DFS Namespaces is for shares across multiple servers, but I am only using a single server. Am I mistaken in this? https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview


2 hours ago, 無声影武者 said:

From what I understand DFS Namespaces is for shares across multiple servers, but I am only using a single server. Am I mistaken in this? https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview

You can still use it for a single server. It also makes migrations to new servers easier, as you can sync the data in the background then re-point the DFS path to the new UNC share path, and no updates or remapping is required on the client side.

Access-based Enumeration is a DFS-only feature though, but I only ever use DFS now anyway as there isn't really a reason not to and you do get some benefits using it.

Quote

Access-based enumeration hides files and folders that users do not have permissions to access. By default, this feature is not enabled for DFS namespaces. You can enable access-based enumeration of DFS folders by using DFS Management.

https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/enable-access-based-enumeration-on-a-namespace
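
The steps leadeater describes (hidden share, DFS namespace, access-based enumeration limited to the finance group), scripted with the built-in SMB and DFSN PowerShell cmdlets. This is an added example and not part of any post in the thread; the server name FS01, the domain CONTOSO, the folder paths and the namespace name Files are assumptions to replace with your own.

```powershell
# Assumed values (not from the thread): adjust before running on the file server.
$Server   = 'FS01'
$Group    = 'CONTOSO\FinanceGroup'
$DataPath = 'D:\Shares\Finance'      # existing folder, NTFS ACL already limited to the group
$RootPath = 'C:\DFSRoots\Files'      # empty folder that backs the namespace root

# DFS Namespaces role service and management tools.
Install-WindowsFeature -Name FS-DFS-Namespace, RSAT-DFS-Mgmt-Con

# 1. Hidden data share: the trailing $ keeps it out of \\FS01 browse lists.
New-SmbShare -Name 'Finance$' -Path $DataPath `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Group

# 2. Stand-alone namespace on the same server, with access-based
#    enumeration switched on for the namespace.
New-Item -ItemType Directory -Path $RootPath -Force | Out-Null
New-SmbShare -Name 'Files' -Path $RootPath -ReadAccess 'Authenticated Users'
New-DfsnRoot -Path "\\$Server\Files" -TargetPath "\\$Server\Files" `
    -Type Standalone -EnableAccessBasedEnumeration $true

# 3. DFS folder that points at the hidden share.
New-DfsnFolder -Path "\\$Server\Files\Finance" -TargetPath "\\$Server\Finance`$"

# 4. View permission on the DFS folder for the finance group.
Grant-DfsnAccess -Path "\\$Server\Files\Finance" -AccountName $Group

# 5. Check the result: the root flags should list access-based enumeration
#    and the folder ACL should contain the group.
Get-DfsnRoot   -Path "\\$Server\Files" | Select-Object Path, Flags
Get-DfsnAccess -Path "\\$Server\Files\Finance"
```

Users then browse or map `\\FS01\Files`; sign in as Test and Test2 to confirm which of them gets the Finance folder listed.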
