5

We have a staff member who requires access to a single folder in the root of a network share. All other files and folders in the share should be inaccessible to them.

I thought if I added only "Traverse Folder / Execute File" and "Traverse Folder / List Data", it would be enough for the user to browse the root of the share; however, they are denied access to the network share itself with only these permissions and so cannot drill down to the subfolder they need access to.

My goal is to grant only the absolute minimum permissions necessary for folder traversal of the root of the network share.

Ideally, I want any new folders created in the root of this share by other users to automatically restrict access to the user in question (so new folders should not inherit traversal permissions for the user).

Here are the NTFS options I have to choose from:

[Image: screenshot of the NTFS permission options]

Just to be clear: the reason I am not simply using explicit deny permissions on the other subfolders is because I need any new subfolders created by staff to automatically inherit permissions which prevent the new user from accessing them.

I've never used the traversal permissions before, so am most likely making a basic mistake here.

Any advice would be appreciated.

joeqwerty
  • 111,849

2 Answers

7

You want Traverse Folder and List Folder like you've listed and you want to set the drop down at the top to This folder only. Then you need to set whatever other permissions you want that user to have on the explicit subfolder that they should have access to.

If you can't get into the root folder with what you've posted, it's likely because of the folder's share permissions and not the NTFS permissions - double check those.

MDMarra
  • 101,323
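
The approach in the answer above, scripted in PowerShell as an added example (not code from the answer). The share name, paths, account and the choice of Modify on the subfolder are hypothetical placeholders.

```powershell
# Added example: every name below is a hypothetical placeholder.
$ShareName = 'Staff'
$ShareRoot = 'D:\Shares\Staff'
$SubFolder = Join-Path $ShareRoot 'Projects'
$Account   = 'CONTOSO\jdoe'

# Build an Allow ACE for $Account with the given rights and inheritance flags.
function New-AllowRule($Rights, $Inherit) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

# Share root: Traverse + List Folder applied to "This folder only".
# InheritanceFlags None means folders created in the root later
# do not inherit this ACE.
$acl = Get-Acl -Path $ShareRoot
$acl.AddAccessRule((New-AllowRule 'Traverse, ListDirectory' 'None'))
Set-Acl -Path $ShareRoot -AclObject $acl

# Target subfolder: Modify is an assumed choice; it applies to this folder,
# its subfolders and its files.
$acl = Get-Acl -Path $SubFolder
$acl.AddAccessRule((New-AllowRule 'Modify' 'ContainerInherit, ObjectInherit'))
Set-Acl -Path $SubFolder -AclObject $acl

# Check 1: share permissions are evaluated in addition to NTFS permissions,
# so confirm the account (or a group it belongs to) is allowed on the share.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessRight, AccessControlType

# Check 2: list any ACE that names the account on the other root-level folders.
# Expected result: no rows. Access granted through group membership
# is not shown by this check.
Get-ChildItem -Path $ShareRoot -Directory |
    Where-Object { $_.FullName -ne $SubFolder } |
    ForEach-Object {
        $dir = $_
        (Get-Acl -Path $dir.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account } |
            Select-Object @{ n = 'Folder'; e = { $dir.Name } },
                          FileSystemRights, IsInherited
    }
```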
5

All users have the Bypass Traverse Checking user right by default, so my suggestion would be to not assign the permissions for the user the way you have but instead to assign the permissions for the user only on the file you need them to access and then give them a shortcut to that file. That will allow them to access the file without having to directly navigate through the shared folder to find the file.

http://technet.microsoft.com/en-us/library/cc739389(v=ws.10).aspx

If you need them to directly traverse/browse the shared folder structure then you'll have to do it the way MDMarra suggested in his answer.

joeqwerty
  • 111,849