ABE Help

Discussion in 'Windows Server' started by Perry, May 1, 2006.

  1. Perry

    Perry Guest

    I really hate to sound stupid here but i'm having an issue controlling access
    to files and folders in a Win2K3 server. I had to transfer everyone's user
    folders from a Novell server to the new 2K3 server and now I have to give
    them exclusive rights to their own user folder. I have a shared folder setup
    called "users" and no matter what I set the rights to all users can still see
    the folder list of the other users. I'm trying to follow this Access-base
    enumeration and i'm kind of stuck on it. I can really use a puch on this one
    if anyone cares to lend a hand. I also need to understand what this is
    trying to do. I come from teh Novell world and granting access rights aren't
    this difficult. Any HELP is rally appreciated. Thanks.

    Perry, May 1, 2006
    1. Advertisements

  2. Perry

    Scott Lowe Guest

    First, note that ABE is only supported with Windows Server 2003 SP1 or
    later. If you haven't yet installed SP1, then ABE won't work.

    Second, ABE only works across the network. If you are viewing files in
    the Users folder locally, you won't see anything.

    Third, ABE doesn't affect administrators. Administrators always see

    Finally, keep inheritance in mind. If you've granted "Read and
    Execute" permission for users on the Users folder (which would
    typically be necessary for them to see the contents of that folder),
    then--by default--those permissions will flow onto the subfolders in
    the Users folder. You have two ways to address that--you can turn off
    inheritance on each subfolder, or you can specify that the permissions
    on the Users folder should only be applied to that folder only. Both
    of these settings can be found on the Advanced Security Settings dialog
    box, accessed by clicking on "Advanced..." on the Security tab of the
    folder's properties dialog box.

    Permissions in the Windows world can be a bit confusing, especially
    when coming from a Novell background. The easiest thing to do is set
    the share permissions (when you shared the folder) to something fairly
    reasonable, like "Users: Modify" or similar (also add a Full Control
    for Administrators). Then lock down the permissions at the file
    system/NTFS level, where you can be much more granular with the
    permissions. The more strict permissions are the permissions that are
    in effect.

    Scott Lowe, May 2, 2006
    1. Advertisements

  3. Perry

    Perry Guest


    Thanks for the reply. Couple things I need clarified though. Currnently I
    have things set the only things that can be seen are folders and NO files
    except the files in their own folders. What am I doing wrong with that. I
    am not really getting this ABE thing. Do I need to do the command line as
    well as the GUI? Am I changeing the SECURITY rights or the share permissions
    or both to use ABE? All that i've tried still give me folder listing in all
    the users folders. What might I be missing? Thanks again for the reply.

    Perry, May 2, 2006
  4. Perry

    Scott Lowe Guest

    You don't need the command-line utility as well as the GUI. Once you
    install ABE, then you need to go to that particular share (the Users
    folder, in this case) and turn on ABE. (Unless you enabled ABE for all
    shares on the system already--but keep in mind that newly-created
    shares don't automatically have ABE turned on.)

    Set the share permissions to be something reasonably loose, like
    Users:Full Control. Once we're sure that things are working as
    expected, we'll go back and tighten that down.

    On the Users folder itself, set the Users group to have Read & Execute,
    and go into the Advanced Security Settings dialog box and set that to
    apply onto this folder only.

    On each of the individual users folders, set permissions to that user
    account only.

    Then, go to a workstation (not from the server!), log in as one of
    these users, and visit the Users shared folder. You should see only
    that user's folder. If you still see other folders, then you need to
    look at the permissions for those folders to make sure that Users or
    Domain Users doesn't have permission. Also, make sure that the account
    you are using to test with is NOT an administrator account.

    Scott Lowe, May 2, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.