Shared Folder Permissions and Visibility

I have created and shared a folder on my server called “Finance”. I have also created a domain local security group called “FinancGroup”. I have set the permissions to only share with the aforementioned security group, given administrators, domain admin, and system full control, and FinanceGroup, has read and change. The FinanceGroup also has Modify, Read & Execute, List folder contents, read, and write. I have created two test users, Test (which is in the security group), and Test2 (which is not in the security group. My issue is that they both can see the folder, although the one that isn’t in the security group cannot open said folder. I want it so that only those in the security group can even see the folder. For everyone else it shouldn’t even be listed. I have already enabled access-based enumeration as well. For the life of me though, I cannot seem to get this to work. :confused:

set the permissions on the parent of the folder you dont want them to see and share that instead?

I don’t think you can selectively hide shares. I’ve never heard of that, I don’t think SMB or CIFS supports that.

I would suggest renaming the folders to something less tasty/interesting, something that will be less attractive. You will find yourself target of sorts if you put something that screams money, unless of course this is a honey pot.

Try other synonyms to hide it in plain sight, particularly from non-english primary speakers: bread, dough, wherewithal, gravy, greenback, specie and so on.

Edit: (more synonyms) dead presidents, draft, note, roll, wad, mite, peanuts, pittance, shoe string, boodle, abundance, means, opulent, see

You can be more creative…

1 Like

I have discovered that if I share only to the FinanceGroup security group, then only the members of that group have access, as it should be, but the moment I add Administrators and Domain Admins to the share, all users somehow have access to the share. Please help! :confused:

That’s quite a different problem from your original post.

You can’t selectively hide shares. You could share a non-descript parent folder, and move the finance subdir into it, effectively “hiding” it. Or you can add a dollar sign to the share name, and use a group policy to map the hidden folder only for members of the approved group.

Now, it sounds like you have an ACL problem, if users not part of a group are able to access folders / files they shouldn’t have access to.

What is an ACL problem? I have never heard of that one. The FinanceGroup security group that I created works as intended, but for some reason the auto generated Domain Admin and Administrators accounts, when added to share, grant domain users the ability to access the folder. This is the issue I am dealing with at the moment. If I only add the FinanceGroup security group to the share, only its members can access it. The issue is that I want at lest Domain Admins, which will only be myself, to have full control of all shared folders on the network.

ACL … Access control list.

The permissions setting for the share should be kept as simple as possible, and really don’t mean much. Control access using permissions on the folder itself.

Under advanced permissions, there is a tab that will let you select an account and evaluate the effective permissions, without needing to log in as various users.

1 Like

Turns out I was an idiot. Somehow Domain Users had been added to the Administrators group. I removed that, and it works as intended. Though I still cannot get Access-Based Enumeration to hide the folders that the user has no access to.

1 Like