Sensitive Folder's Display In Active Directory

rrusniac

Group,

When using Active Directory, there are many sensitive
folders which users should not even know exist. When a
user accesses a directory some users should see the data
and other users should have NO knowledge the folder
exists. What is the best way to achieve this? I
have been in touch with Microsoft and there does not
appear to be a solution.

One thought was to use FTP. The problem is, as an admin I
will have to manage 2 sets of user files. Is this
accurate? Is there an FTP program (if this is my best
course to hide folders from users) that will integrate
user management with Microsoft 2000 Server?

Sincerely,

Robert Rusniaczek
 
Herb Martin

Sort of a confusing request. AD is not directly related to file
"folders" very much.

Sure you must share SysVol but users don't usually explore that;
and you can use a GPO to set permissions but that is more about
LOCKING down file areas rather than adding exposure.

None of this seems related to FTP.

What are you trying to accomplish specifically...?
 
rrusniac

Sorry...

Should have been more descriptive.

When using FTP you are able to make directories/folders
not visible to users. I am trying to achieve the same
thing with Windows 2000 as is possible with FTP.

example: User A and B
Want User A to see directory c:\temp, also want user A to
be able to list contents of c:\temp.

Want User B to see only c:\ and User B should not be able
to see the c:\temp folder.

Therefore User A view is:
directory structure

c:\
c:\temp

and
User B view is
directory structure
c:\


T
 
Ace Fekay [MVP]

rrusniac said:
Sorry...

Should have been more descriptive.

When using FTP you are able to make directories/folders
not visible to users. I am trying to achieve the same
thing with Windows 2000 as is possible with FTP.

example: User A and B
Want User A to see directory c:\temp, also want user A to
be able to list contents of c:\temp.

Want User B to see only c:\ and User B should not be able
to see the c:\temp folder.

Therefore User A view is:
directory structure

c:\
c:\temp

and
User B view is
directory structure
c:\


T

That's an issue with the MS FTP service. It does not hide other folders in
an FTP root structure properly even if using NTFS to deny access. They can
still see the folders.

One of my clients allows access to their customers by FTP to upload work
orders. But they need to hide the other customer folders. One solution was
to use a 3rd party FTP server. I've found that ServU is the best around for
this functionality. Works like a charm.

Rhinosoftware's ServU FTP server:
http://www.serv-u.com/

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

Not really -- visibility is dependent on being able to READ
the PARENT directory. If both can read the parent directory
then both can see files or directories within it.

You can of course, isolate your shares so that only the desired
directories appear. You can also make sure that a visible directory
is not accessible. You can ensure that NEITHER user can "see"
directories but still change to them IF they have sufficient permission
and this can be differentiated.
 
Brendon Rogers

While it's not a solution, Novell Netware does this. Expect MS to introduce
this as a "feature" (i.e. not a fix) in one of the later releases. Great, we
have the GUI redesigned once a year but important items like this are
ignored.
 
Laura A. Robinson

circa Sat, 25 Oct 2003 12:42:55 -0400, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
That's an issue with the MS FTP service. It does not hide other folders in
an FTP root structure properly even if using NTFS to deny access. They can
still see the folders.

In IIS 6, this limitation is gone.

Laura
 
Laura A. Robinson

circa Sat, 25 Oct 2003 20:18:27 -0400, in
microsoft.public.win2000.active_directory, Brendon Rogers
([email protected]) said,
While it's not a solution, Novell Netware does this. Expect MS to introduce
this as a "feature" (i.e. not a fix) in one of the later releases. Great, we
have the GUI redesigned once a year but important items like this are
ignored.

Um, it's actually pretty easy to accomplish what the poster wants.
Share the folders as hidden shares ($ appended to end of share name),
then map drives to the shares on behalf of users who need access to
them. Set permissions accordingly. Hidden shares do not appear when
browsing, although they can be mapped to directly.

DFS can be useful in managing this, as well.

Laura
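
The hidden-share approach described in the post above, combined with the earlier point in the thread that a directory's permissions, not its visibility, control access, as an added PowerShell example that is not part of the thread. The server name, paths and group names are constructed placeholders, and it assumes a file server with the SmbShare module (Windows Server 2012 or later), not the Windows 2000 server under discussion.

```powershell
# Added example. D:\Data\..., CONTOSO\... and FILESRV01 are constructed placeholders.
# Run in an elevated session on the file server.
$folders = @(
    [pscustomobject]@{ Path = 'D:\Data\Payroll'; Share = 'Payroll$'; Group = 'CONTOSO\Payroll-RW' },
    [pscustomobject]@{ Path = 'D:\Data\Legal';   Share = 'Legal$';   Group = 'CONTOSO\Legal-RW' }
)

foreach ($f in $folders) {
    # A share is only left out of browse lists when its name ends in '$'.
    if (-not $f.Share.EndsWith('$')) {
        throw "Share name '$($f.Share)' would appear when browsing the server."
    }
    if (-not (Test-Path -LiteralPath $f.Path)) {
        New-Item -ItemType Directory -Path $f.Path | Out-Null
    }

    # NTFS: add the explicit entries first, then drop everything inherited
    # from D:\Data so no other group keeps access through the parent.
    icacls $f.Path /grant 'BUILTIN\Administrators:(OI)(CI)F' `
                          'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                          "$($f.Group):(OI)(CI)M" | Out-Null
    icacls $f.Path /inheritance:r | Out-Null

    # Share ACL: name the same group explicitly instead of leaving Everyone.
    # The '$' only hides the share; these ACLs are what stop a user who
    # learns the name and maps it directly.
    if (-not (Get-SmbShare -Name $f.Share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $f.Share -Path $f.Path `
                     -ChangeAccess $f.Group `
                     -FullAccess 'BUILTIN\Administrators' | Out-Null
    }
}

# Review what was created: every entry should list only the intended group
# and the administrators.
Get-SmbShare |
    Where-Object { $_.Name -in $folders.Share } |
    Get-SmbShareAccess |
    Format-Table Name, AccountName, AccessRight

# Mapping "on behalf of" a user then happens in that group's logon script, e.g.
#   net use P: \\FILESRV01\Payroll$
```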
 
Brendon Rogers

Sorry - that's not a solution either. How many shares and network drives will
you end up with?
 
Ace Fekay [MVP]

In IIS 6, this limitation is gone.

Laura

Finally !!!
Well, I just sold this one client on ServU and they're actually really happy
with it. Hate to tell them about IIS6! But then again, don't think they're
ready to upgrade anyway just yet.

:)


Ace
 
Laura A. Robinson

circa Sun, 26 Oct 2003 15:45:58 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
Finally !!!
Well, I just sold this one client on ServU and they're actually really happy
with it. Hate to tell them about IIS6! But then again, don't think they're
ready to upgrade anyway just yet.

They should be. IIS6 is a *whole* different animal, and it rocks.

Laura
 
Laura A. Robinson

circa Sun, 26 Oct 2003 07:12:58 -0500, in
microsoft.public.win2000.active_directory, Brendon Rogers
([email protected]) said,
Sorry - that's not a solution either. How many shares and network drives will
you end up with?

When did the OP tell you that it wasn't a solution for him? Don't
dismiss it because you don't like it; it doesn't change the fact that
it *does* work.

Laura
 
Brendon Rogers

OK, it does work but it's neither elegant nor scalable. My comment was not
necessarily that it would or wouldn't work for the OP specifically but
rather for the Windows user-base as a whole.
 
Ace Fekay [MVP]

Laura A. Robinson said:
circa Sun, 26 Oct 2003 15:45:58 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
They should be. IIS6 is a *whole* different animal, and it rocks.

Laura

Awesome. One question since I got you on this and I haven't tested this yet.
Does it offer resuming broken downloads, as does ServU?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

Brendon Rogers said:
OK, it does work but it's neither elegant nor scalable. My comment was
not necessarily that it would or wouldn't work for the OP
specifically but rather for the Windows user-base as a whole.


As our other discussion on W2k3 and ServU is based on, I would suggest one
of them for a more "elegant" (if you like to call it that) solution.

:)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Laura A. Robinson

circa Mon, 27 Oct 2003 18:45:14 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
Awesome. One question since I got you on this and I haven't tested this yet.
Does it offer resuming broken downloads, as does ServU?

FTP restart? Sure, but so does IIS5. :)

Laura
 
Laura A. Robinson

circa Mon, 27 Oct 2003 17:39:43 -0500, in
microsoft.public.win2000.active_directory, Brendon Rogers
([email protected]) said,
OK, it does work but it's neither elegant nor scalable. My comment was not
necessarily that it would or wouldn't work for the OP specifically but
rather for the Windows user-base as a whole.

Okay, fair enough.

Laura
 
Ace Fekay [MVP]

Laura A. Robinson said:
circa Mon, 27 Oct 2003 18:45:14 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
FTP restart? Sure, but so does IIS5. :)

Laura

I tested it with Cute and FlashFXP and didn't work for me in IIS5. I'll try
it again tomorrow, since coincidentally I'm doing a 2295 this week. :)

Actually they call it resuming, not restart. Now trying to get the
terminology straight, "restart" would start it back from the beginning, as
the name implies?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

Laura A. Robinson said:
circa Tue, 28 Oct 2003 18:05:21 -0500, in
microsoft.public.win2000.active_directory, Ace Fekay [MVP]
(PleaseSubstituteMyActualFirstName&[email protected]) said,
Nope, ftp restart.

http://www.faqs.org/rfcs/rfc959.html

:)

Laura

Thanks for the link. REST, nice! All this time I *assumed* it didn't support
it.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
