Give access to a subdirectory without giving access to parent directories
I have a scenario involving a Windows file server where the "owner" wants to dole out permissions to a group of users of the following sort:
- \\server\dir1\dir2\dir3: read, write and execute
- \\server\dir1\dir2: no permissions
- \\server\dir1: no permissions
- \\server: read and execute
To my understanding (Update: This entire paragraph is wrong!), it is not possible to do this because Read & Execute permission must be granted to all the parent directories in a directory chain in order for the operating system to be able to "see" the child directories and get to them. Without this permission, you can't even obtain the security context token when trying to access the nested directory, even if you have full access to the subdirectory.
We are looking for ways to get around this, without moving the data from \\server\dir1\dir2\dir3 to \\server\dir4.
One workaround I thought of, but which I am not sure if it will work, is creating some sort of link or junction \\server\dir4 which is a reference to \\server\dir1\dir2\dir3. I am not sure which of the available options (if any) would work for this purpose if the user does not have Read & Execute permission on \\server\dir1\dir2 or \\server\dir1, but as far as I know, the options are these:
- NTFS Symbolic Link,
- Junction,
- Hard Link.
So the questions:
- Are any of these methods suitable to accomplish my goal?
- Are there any other methods of linking or indirectly referencing a directory, which I haven't listed above, which might be suitable?
- Are there any direct solutions that don't involve granting Read & Execute to \\server\dir1 or \\server\dir2 but still allowing access to \\server\dir1\dir2\dir3?
Solution 1:
You are mistaken in your original assumption, which renders the rest of your question moot.
The minimum permission that a user would need on dir1 and dir2 is Traverse Directory. This will most likely be problematic to your users, though - so I would recommend Traverse Directory and List Folders. They will be able to navigate through the top two directories and get to dir3 where they have more permissions, but will not even see what files exist in the top two directories.
Permissions like Read & Execute and Modify are just collections of individual permissions. They're the first thing you see, because they're the most commonly used. If you need to get very granular (like this situation), click the Advanced button and dig into the options listed there.
Solution 2:
Amazingly, if the individual has the full path to a subfolder on which they have at least R permissions, they require NO permissions on any of the parent folders, not even traverse. They can simply access it using the UNC. (They must, of course, have read permissions on the share; just not on any folders above the level they want to access).
I didn't believe this when I was told, but testing proves it out.
This is counter to what I thought I knew of permissions in the Windows world, and I suspect will be a surprise to many.
\server\folder1\folder2\folder3
If there are no permissions at all for Bilbo on folder1 and on folder2, but Bilbo has modify (for example) on folder3, \server\folder1\folder2\folder3 will take him right there, no problem.
Solution 3:
One solution similar to MDMarra's is to set NTFS permissions as follows:
- dir1: Grant List folder contents (Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Read permissions), BUT select This folder only in the Apply to dropdown
- dir2: Grant List folder contents and Apply to This folder only
- dir3: Grant desired Read/Write permissions and Apply to This folder, subfolders and files or Subfolders and files only
The end result is the user/group can read each individual parent folder and drill down to the child folder without any other folders or files.
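The ACL layout from Solution 3 expressed in PowerShell, as an added example that is not part of any of the answers above; the local paths, the share layout and the group name DOMAIN\ProjectUsers are placeholders for your environment.

```powershell
# Added example: apply the Solution 3 permissions with Get-Acl/Set-Acl.
# Placeholder principal and paths; replace with your own.
$Group = 'DOMAIN\ProjectUsers'
$Dir1  = 'D:\Shares\dir1'
$Dir2  = 'D:\Shares\dir1\dir2'
$Dir3  = 'D:\Shares\dir1\dir2\dir3'

# Adds one explicit Allow ACE for $Identity on $Path with the given scope.
function Grant-NtfsAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# dir1 and dir2: "List folder contents" on a folder is the ReadAndExecute set
# (Traverse folder/execute file, List folder/read data, Read attributes,
# Read extended attributes, Read permissions). InheritanceFlags None makes it
# "This folder only", so nothing inside dir1 or dir2 is readable through it.
foreach ($p in $Dir1, $Dir2) {
    Grant-NtfsAccess -Path $p -Identity $Group `
        -Rights ReadAndExecute -Inherit None -Propagate None
}

# dir3: Modify (read/write) scoped to "This folder, subfolders and files".
Grant-NtfsAccess -Path $Dir3 -Identity $Group -Rights Modify `
    -Inherit 'ContainerInherit, ObjectInherit' -Propagate None

# Verify: list the explicit (non-inherited) entries for the group on each folder,
# which should match the three rows described in Solution 3.
foreach ($p in $Dir1, $Dir2, $Dir3) {
    (Get-Acl -Path $p).Access |
        Where-Object { $_.IdentityReference -eq $Group -and -not $_.IsInherited } |
        Select-Object @{n='Path';e={$p}}, FileSystemRights, InheritanceFlags, PropagationFlags
}
```

Solution 2's observation is the effect of the "Bypass traverse checking" user right (SeChangeNotifyPrivilege), which Windows grants to Everyone by default; if that right is removed by policy, the Traverse Folder permission from Solution 1 becomes necessary on the parent folders.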