Hello,

I am having issue with the NTFS security on files and folders.  I have set up a shared folder for all the users who log on to domain.  Under this share are user specific folders for their documents.  These are personal folders (not shared) and are NOT supposed to be available to one another.  The shared folder has 'Full Control' share permission and Authenticated users and Domain users have Read & Write NTFS permissions.

The personal folder have only the user (that folder belongs to) with Read and Write NTFS permissions.

However, all users can still access one anothers files i.e. view, modify or delete them. 

I have tried removing Inheritance but to no avail.  When I check effective permissions for one user against the other.  It tells me that they all have Full Control permission.

This issue is with all my clients with Server 2012/2012 R2.

Obviously, I am missing something major.

Can someone show me the right path?

Ive tried to keep the post as brief as I could.  Please let me know if you need more information.

Thank you so much for your help.

Parm J

Here is a good step-by-step on configuring shares. http://blogs.technet.com/b/keithmayer/archive/2012/10/21/ntfs-shared-folders-a-whole-lot-easier-in-windows-server-2012.aspx You might want to consider looking into access-based enumeration.

I've long kept this link in my favorite and I believe it should still be relevant.

How IT Works: NTFS Permissions

https://technet.microsoft.com/en-us/magazine/2005.11.howitworksntfs.aspx

Personally I would set up a brand new folder structure and following the article to make sure it works as stated before making changes to a production folder. HTH.

• Proposed as answer by my public name Friday, August 28, 2015 12:50 AM

Hello Tim,

I tried the Server Manager method on all the sites I am having this problem.  Unfortunately, it gave me the same results even with 'Access-based Enumeration' enabled.  All users still have full control.  I even set up a brand new 2012 server as Hyper-V virtual machine and tried setting up permission on it using Server Manager but no luck.

The only way I can accomplish explicit permissions for one user is by 'Denying' permissions to all other users which is not a proper way about it.

Any other advice will be appreciated.

Thank you so much.

Parm :)

Thank you for the response.

I read the article.  I know 'Deny' permission etc. can be tricky.  I'm not dealing with a big directory tree.  I am creating a share right on the root of C: or D: drive.  Any folder under this share are to be set up with explicit permissions based on individual user.  Regardless how I go about creating a share, all users have 'Full Control' permission to all sub-folders.

It is quite perplexing.

Any other ideas will be greatly appreciated.

Parm :)

First of all, make sure that the NTFS level of
- only the user (that folder belongs to) with Read and Write NTFS permissions
- No other group and user has permission

Moreover, you may change user folder owner as the user.

Roger

• Edited by System Center guyMicrosoft community contributor 21 hours 2 minutes ago

Thank you for your response, Roger.

I have tried giving the user explicit NTFS permission to user's folder. I also tried removing any inheritance from the parent folder but had no success.

I tried making the user owner of the folder still no luck.  All users have 'Full Control' NTFS permissions on every  user's folder.

Any other ideas?

Thank you so much.

Parm :)

Another option may be the group policy. You may check the effective group policy under

Computer configuration\Policies\Windows Setting\Security Settings\File System

Moreover, would your mind the screenshot of the folder permission tab.

Roger

• Edited by System Center guyMicrosoft community contributor 3 minutes ago