File Server rights

Guest

I have an issue. I'm new to Active Directory, coming from a Netware
background.

First, I have one file server that is connected to the new domain. I haven't
run the file server role utility. Don't think I have to.

On the D drive of this server I have folders that represent each of my
departments. Under the departments, I have a users directory with directories
under that for each user. I'm trying to give users rights to their own
directory, without allowing them to browse under the root users directory and
seeing all the other users' directories and info. When they browse through the
network, I only want them to see the directory and/or files that they have
rights to.

So far, this is what I have. The server is Server3. On the D drive I have
d:\\department\users\username. Within the properties of the users directory
I have given the user full rights to their own directory. I have shared out
the department directory to a group that all the users in that department
belong to. I left the default security rights for now. They are DomainUsers/
Read & Execute, List Folder Contents, Read, and Special Permission. When I
log into the user's workstation, they currently can browse
//server3/department/users/ and see all the other users' directories and
files. How do I create rights so that users only see their own info?

Thanks for your help in advance
 
Steven L Umbach

In Windows 2000/2003 a user can see the contents of a share even if they do
not have read access to the contents. However, if permissions have been
configured correctly, as I believe you have, they should not be able to access
the contents of a folder/file that they have no permissions to and should
get an access denied message. I know this is unlike Novell, but that is the
way it is in Windows since they have and need list permissions to the
department folder. When using Windows 2003, Microsoft has provided a utility
called Access Based Enumeration that can help hide folders in a share that a
user does not have read permissions to. That of course does not help those
using Windows 2000 Server, but at least MS has reacted to the many complaints
about this issue. See the info in the link below if that interests
you. --- Steve

http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
 
Roger Abell [MVP]

I hope Steve does not mind if I attempt to clarify a little.
Particularly, some might find this initial statement perplexing
<quote>
a user can see the contents of a share even if they do
not have read access to the contents
</quote>
The way Windows NTFS works is that execute on a directory
(that is, List) is needed in order to navigate to (browse through
the filesystem) something within the directory.
But, Listing the content of a directory is what people often want
to avoid, especially when coming from Netware.
In order to access a listed file Read is needed on that file, and
in order to navigate to contents of a subdir List on it is needed.
There is no way to prevent this behavior for direct filesystem
access. However, W2k3 and later, if access is by means of
shares then ABE can be used to mask visibility of what is not
within grants of the user of the shares. To effectively use ABE
to accomplish this one may need to refactor how the storage
is structured in order to work with ABE's capabilities.
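
One way to apply what the two replies above describe to the layout in the question, as an added example that is not part of any poster's reply. It assumes a server with `icacls` and the SmbShare cmdlets (Windows Server 2012 or later; on Windows Server 2003, ABE is enabled through the add-on from the linked page instead), that each folder under `users` is named after the user's logon name, and a placeholder domain `EXAMPLE` with a hypothetical group `Dept-Users`.

```powershell
# Added example. Values marked "assumed" do not come from the thread.
$UsersRoot = 'D:\department\users'   # folder layout from the question
$ShareName = 'department'            # share from the question
$Domain    = 'EXAMPLE'               # assumed: placeholder NetBIOS domain name
$DeptGroup = "$Domain\Dept-Users"    # assumed: hypothetical department group

# 1. Users root. Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) get Full
#    Control that flows down to every user folder. The department group gets
#    Read & Execute with no inheritance flags ("this folder only"): members can
#    traverse the folder, but the ACE is not copied onto any home directory.
icacls $UsersRoot /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' "${DeptGroup}:(RX)" /Q
# Then stop inheriting from the department folder and drop any explicit
# Domain Users entry, so the broad default read access no longer reaches here.
icacls $UsersRoot /inheritance:r /Q
icacls $UsersRoot /remove:g "$Domain\Domain Users" /Q

# 2. Each user folder: reset the subtree to inherited ACEs only (admins and
#    SYSTEM from step 1), then grant the owning user Modify. Modify rather than
#    Full Control is this example's choice, so users cannot edit the ACL.
Get-ChildItem -LiteralPath $UsersRoot -Directory | ForEach-Object {
    $account = "$Domain\$($_.Name)"  # assumed: folder name equals logon name
    icacls $_.FullName /reset /T /C /Q
    icacls $_.FullName /grant:r "${account}:(OI)(CI)M" /Q
    if ($LASTEXITCODE -ne 0) {
        # No matching account: the folder stays admin-only, which fails closed.
        Write-Warning "No grant applied to $($_.FullName) for $account"
    }
}

# 3. Turn on Access Based Enumeration for the share, so folders a user cannot
#    read are left out of directory listings made through \\server\share.
Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force

# 4. Review the result: share mode, then the ACL on the users root.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
icacls $UsersRoot
```

ABE only filters listings requested through the share; a user logged on locally to the server still sees every folder name under `users`, although the ACLs from step 2 keep the contents closed.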
 
