Read-only network share, yet users can create shortcuts of listed folders and files

aronesz

Greetings,

I am having a problem with a network share on a new system we set up. Here is how the skeleton is structured for a single network drive users have access to:

Z:\
Inside this folder, you have a folder for each international division of the whole company -- i.e. France Division, United States Division, China Division, etc.
  • Share Permissions
    • Authenticated Users
      • Full Control
      • Change
      • Read
    • Domain Admins
      • Full Control
      • Change
      • Read
  • NTFS Security Permissions
    • Authenticated Users
      • Read & execute
      • List folder contents
      • Read
    • Domain Admins
      • Full control
      • Modify
      • Read & execute
      • List folder contents
      • Read
      • Write

Z:\United States Division\
Inside this folder you have a folder for every department -- i.e. Accounting, Engineering, Information Technology. This "United States Division" folder inherits its security permissions from Z:\. On each departmental folder, there is an AD group "US_dpt_Accounting" or "US_dpt_Engineering" (in the form of "<division>_dpt_<department>") with

---------------------------

Users are only supposed to be able to browse the folder skeleton. They can modify/write/change *inside* their own departmental folder. Both of these work.

However, I discovered a "glitch" today. A user can right click on a folder in Z:\ or "Z:\United States Division\" --> Create shortcut... it will actually do it! O_O They cannot, however, delete, rename, create new folder/file, or copy files into either of these locations (access/permission denied) -- which is good.

How do I fix this? Or what is the proper way to set the permissions on this?
 
If you are sharing folders under a folder with full permissions, you need to change the NTFS permissions under the security tab for each individual folder underneath you are sharing.

Just change authenticated users under the security tab and uncheck everything but "read". This will only give users permissions to read those folders.
 
> Just change authenticated users under the security tab and uncheck everything but "read". This will only give users permissions to read those folders.
What about the option "List folder contents"? (BTW, if I check this box, it will check "Read & execute" automatically.)
 
That should still give you the result you are looking for; they need to be able to open the file, and that is what read plus execute is providing.

Is this not giving the result you are looking for?
 
> That should still give you the result you are looking for; they need to be able to open the file, and that is what read plus execute is providing.
>
> Is this not giving the result you are looking for?
Will have to get back to you later on that -- currently there are many things in a state of flux. I did do a test on, but it didn't work but that I think is because of a different [but temporary] issue (atm there are many things going on at the same time around in the entire company). I will remember to respond back with results. I greatly appreciate your help!
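
A shortcut is a .lnk file, so creating one in a folder requires the NTFS "Create files / write data" right on that folder. The PowerShell below is an added example, not part of the thread: it lists every Allow entry on the two folders from the first post that grants a non-admin identity any write-type right. The paths, the admin identity list and the function name Get-WriteCapableAce are assumptions based on the layout described above.

```powershell
# Added example, not from the thread. Paths and admin identities are
# assumptions taken from the layout described in the first post.
$roots    = @('Z:\', 'Z:\United States Division')
$adminIds = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')  # Domain Admins is matched by suffix below

# Rights that let a principal add, change or remove objects in a folder.
# A .lnk shortcut is a file, so CreateFiles is the right that matters most here.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

# Generic access bits can show up unmapped in an ACE (often on CREATOR OWNER):
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$genericMask = 0x40000000 -bor 0x10000000

function Get-WriteCapableAce {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Deny entries cannot grant anything; skip them.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $id = $ace.IdentityReference.Value
            if ($adminIds -contains $id -or $id -like '*\Domain Admins') { continue }

            # Keep only entries that carry at least one write-type bit.
            $rights = [int]$ace.FileSystemRights
            if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }

            [pscustomobject]@{
                Path        = $p
                Identity    = $id
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceFlags
                # InheritOnly means the entry applies to children, not to this folder itself.
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

Get-WriteCapableAce -Path $roots | Format-Table -AutoSize -Wrap
```

An empty result means no non-admin identity holds a write-type right on those folders through NTFS. Any row that is returned shows which identity holds the right and whether the entry is inherited.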
 