I agree with Jim, but I note that we often have problems with people who just 
can't handle that they can't navigate the structure to the file. Assuming there 
is no sensitivity to the filenames in the intermediate directories, another 
option here would be to give the new group permissions to just list the 
directory at the share level (A1, from where it inherits down), and then add the 
higher needed permissions at the D4 level.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kennedy, Jim
Sent: Tuesday, November 14, 2017 12:02 PM
To: '[email protected]'
Subject: RE: [NTSysADM] Accessing only a lower level folder in a share

ABE won't do that, it just controls what they see....it just hides what they 
don't have read access to. Great feature, I use it everywhere but not what you 
need for this.

Break inheritance on D4, add the group for the new users and create a shortcut 
for them directly to that path.  \\server\B2\C3\D4  I am assuming B2 is shared 
here.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Michael Leone
Sent: Tuesday, November 14, 2017 11:51 AM
To: [email protected]
Subject: [NTSysADM] Accessing only a lower level folder in a share

It's been so long since I've had to do this, I need a check. I'm doing 
something fundamentally wrong, I think.

We use groups to set share/ACLs on folders. I got a request to share a 4th 
level sub-folder with other employees not in the ACL. So what I have is:

Folder A1 (shared)
-->>B2
       -->>C3
             -->> D4 (this is the one I want to allow access to)

Now, the share permissions on A1 are for DevelopmentGroup, and the NTFS 
permissions are the same. Those permissions just flow down to B2, C3 and D4 
(i.e., normal inheritance).

Now, I'm pretty sure the only way to allow access to only D4, and not allow 
access to B2 and C3 or even see files there, is to enable ABE.
But I've never done that, and am leery of enabling it in production, without a 
whole lot more testing and forethought (I shudder to think of all the help desk 
calls, if I get something wrong).

Am I correct that only ABE will do what I am thinking of (allow access only to 
D4 and hide contents of A1, B2, C3)?

Barring ABE, there's nothing I can do, short of granting a new group access to 
D4, and living with the consequences?

Thoughts? At this point, I want to just add the new group to the NTFS 
permissions of D4 only, and live with the fact that these new group members can 
see everything higher up.
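
The option from the first reply in this thread (list-only at A1, higher rights at D4), sketched in PowerShell as an added example that is not from any poster in the thread. The local path, group name, share name and the choice of Modify as the "higher" right are assumptions.

```powershell
# Added example. All names below are hypothetical placeholders.
$Root   = 'E:\Shares\A1'                # assumed local path of the shared folder A1
$Target = Join-Path $Root 'B2\C3\D4'    # the folder the new group actually needs
$Group  = 'EXAMPLE\D4-Users'            # assumed name of the new group
$Share  = 'A1'                          # assumed share name

$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# 1. A1: list/traverse only. ContainerInherit without ObjectInherit means
#    subfolders inherit the ACE but files do not, so file contents in
#    A1, B2 and C3 stay unreadable while folder listings work.
$listRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'ReadAndExecute', 'ContainerInherit', 'None', $Allow)
$acl = Get-Acl -LiteralPath $Root
$acl.AddAccessRule($listRule)
Set-Acl -LiteralPath $Root -AclObject $acl

# 2. D4: the higher right (Modify is an assumption), inherited by
#    subfolders and files below D4.
$modRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', $Allow)
$acl = Get-Acl -LiteralPath $Target
$acl.AddAccessRule($modRule)
Set-Acl -LiteralPath $Target -AclObject $acl

# 3. Share permissions are evaluated together with NTFS permissions, so the
#    new group also needs an entry on the share itself.
Grant-SmbShareAccess -Name $Share -AccountName $Group -AccessRight Change -Force

# 4. Check what the group ends up with at every level of the path.
foreach ($p in $Root, (Join-Path $Root 'B2'), (Join-Path $Root 'B2\C3'), $Target) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object @{n='Path';e={$p}}, FileSystemRights, IsInherited, InheritanceFlags
}
```

With this layout the group can still see file and folder names in A1, B2 and C3, which is the condition the first reply states. D4 should show both the inherited list entry and the explicit Modify entry in step 4.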

