One of our clients has a domain controller which they are also using as a file server. The client is running Windows 2008 and Windows 2003 servers. All domain controllers are Windows 2008.
There is one folder called book on a Windows 2008 DC. Under the book folder there are 5 sub folders. The client requirement was:
1- Group A - full access on the book folder and all sub folders (sub1, sub2, sub3, sub4, sub5)
2- Group B - Modify access to the book folder and all sub folders except for one sub folder called sub1 (Group B should not even be able to read contents inside sub1)
3- Group C - Read access to the book folder and the files stored directly under the book folder. Read access to 3 sub folders (sub3, sub4, sub5). No access at all to sub1 and sub2
We created 3 groups to achieve our goal.
We started by removing all existing permissions on the book folder and then disabled inheritance. Afterwards, Group A was given full access to the book folder,
Group B was given Modify access to the book folder, and Group C was given Read, Read and Execute and List folder access to the book folder.
On sub1, we disabled inheritance and Group A was given full access.
On sub folder sub2, we disabled inheritance, then Group A was granted full access and Group B was given Modify access.
On sub folders sub3, sub4 and sub5 we did not disable inheritance.
We achieved the client requirements, as testing showed users were able to access files according to the client's expectations.
We then started leveraging Access Based Enumeration and found we were not able to achieve our goals. We wanted Group C to not even be able to view sub1 and sub2, as they do not have any access to these folders. But we found members of Group C can view these folders.
We ensured ABE is enabled on the book folder. sub1, sub2, sub3, sub4 and sub5 are not shared; these folders are sub folders of the main share book, so I think we cannot enable ABE on these individual folders.
Please assist. Do we need to edit anything in our share or NTFS permissions to leverage ABE?
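ABE hides a sub folder from a user only when that user's token holds no right at all to list it, so the usual way to check a setup like the one above is to audit which identities hold a list/read ACE on each sub folder and whether those ACEs are inherited. The script below is an added example, not part of the original post; the share path `D:\book` and the group names are assumptions.

```powershell
# Added example (assumed local path of the 'book' share): report, for each
# sub folder, every Allow ACE that grants ListDirectory (= ReadData, bit 1),
# because any such ACE for a group the user belongs to keeps the folder visible.
$shareRoot = 'D:\book'

function Get-FolderListers {
    param([string]$Root)

    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $listers = @()
        $generic = @()

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.FileSystemRights
            if ($rights -lt 0) {
                # Generic rights (GENERIC_READ etc.) show as negative values and
                # are not decoded here; flag them for manual review.
                $generic += $ace.IdentityReference.Value
            }
            elseif (($rights -band 1) -ne 0) {
                $listers += $ace.IdentityReference.Value
            }
        }

        [pscustomobject]@{
            Folder      = $_.Name
            Inherited   = (@($acl.Access | Where-Object IsInherited).Count -gt 0)
            CanList     = (($listers | Sort-Object -Unique) -join ', ')
            GenericACEs = (($generic | Sort-Object -Unique) -join ', ')
        }
    }
}

Get-FolderListers -Root $shareRoot | Format-Table -AutoSize

# On Windows Server 2012 and later the share-level setting itself can be
# verified (and set) with the SmbShare module; this cmdlet is not available
# on Server 2008, where ABE is enabled through Share and Storage Management.
# Get-SmbShare -Name book | Select-Object Name, FolderEnumerationMode
# Set-SmbShare -Name book -FolderEnumerationMode AccessBased
```

If sub1 or sub2 lists any identity besides Group A (for sub1) or Groups A and B (for sub2), for example a built-in group such as Users or Authenticated Users that Group C members also belong to, that ACE is what keeps the folder visible under ABE.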