
Access based enumeration ?

Cindy

#1
I have just turned this on for our 2003 file server... but am surprised that
it seems to be working for only the immediate level under each share.... Is
that a limitation of the tool - or do I have something set wrong???
I also have staff with shortcuts to files - (that are in folders they do not
have rights to) - now with ABE enabled, they are getting a "can not find
path" error -
ANY recommendations would be greatly appreciated... any work arounds that
we can do.
We are also in the process of migrating the remainder of our Novell network
over to AD soon - this will definitely make that task more complicated.
Thanks in advance for your time and for sharing your knowledge!!
Cindy B
 

DaveMills

#2
On Thu, 1 Apr 2010 13:27:01 -0700, Cindy <benedett@newsgroup> wrote:

>I have just turned this on for our 2003 file server... but am surprised that
>it seems to be working for only the immediate level under each share.... Is
>that a limitation of the tool - or do I have something set wrong???
It works on files and folders below the top. Is that what you mean? I cannot say
if you have configured things wrong since you have not said how you have
configured it.


>I also have staff with shortcuts to files - (that are in folders they do not
>have rights to) - now with ABE enabled, they are getting a "can not find
>path" error -
I presume you are relying on these links working even though there is not access
to the folders in the path, i.e. not checking the permission on the path being
traversed. I am not surprised that ABE changed this. You probably need to grant
Execute access or maybe Read/Execute.

>ANY recommendations would be greatly appreciated... any work arounds that
>we can do.
>We are also in the process of migrating the remainder of our Novell network
>over to AD soon - this will definitely make that task more complicated.
>Thanks in advance for your time and for sharing your knowledge!!
>Cindy B
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 

Cindy

#3
ABE seems to be working only on the level immediately below the share that
has ABE enabled... it does not seem to work on the subdirectories??
So if the share is level A -- they do not have rights to B -- but they do
have rights to C -- how can I make that work? Before we had shortcuts that
could get them directly to C (without navigating) - now they are getting
denied.
Here is a post I found... IS this correct???
****
Well ABE works, but… Here’s the surprising part: it only works for 1st level
folders. Meaning that if a user has access to folder C that is in folder B,
to which that user does not have access, he will not see folder B (and
therefore C as well). This is obvious when you take into account NTFS design:
a user needs traverse permission to be able to reach C via direct path (B/C)
and List folder contents permission to reach C by browsing to B. The only
solution is to grant the user List folder content access to all folders.
However with that, we end up in the starting point where the user sees all
available shares instead of those he only has permissions to.
This means that when migrating from Novell we will often have to do some
re-design of the folder access approach, e.g. scripts mapping the drives by
group membership, redesigning the folder structure to a more flat hierarchy
and then use ABE.
***
--
Cindy B


"DaveMills" wrote:

> On Thu, 1 Apr 2010 13:27:01 -0700, Cindy <benedett@newsgroup> wrote:
>

> >I have just turned this on for our 2003 file server... but am surprised that
> >it seems to be working for only the immediate level under each share.... Is
> >that a limitation of the tool - or do I have something set wrong???
>
> It works on files and folders below the top. Is that what you mean? I cannot say
> if you have configured things wrong since you have not said how you have
> configured it.
>
>

> >I also have staff with shortcuts to files - (that are in folders they do not
> >have rights to) - now with ABE enabled, they are getting a "can not find
> >path" error -
> I presume you are relying on these links working even though there is not access
> to the folders in the path, i.e. not checking the permission on the path being
> traversed. I am not surprised that ABE changed this. You probably need to grant
> Execute access or maybe Read/Execute.
>

> >ANY recommendations would be greatly appreciated... any work arounds that
> >we can do.
> >We are also in the process of migrating the remainder of our Novell network
> >over to AD soon - this will definitely make that task more complicated.
> >Thanks in advance for your time and for sharing your knowledge!!
> >Cindy B
> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that don't.
> .
>
 

DaveMills

#4
You leave too many items undefined for anyone to answer. You need to specify the
exact DFS and UNC paths and exactly which servers have ABE enabled.

For example if you enable ABE on SrvA which has share ShareA and then set up DFS
as \\Domain\Root\ShareA pointing to \\SrvA\ShareA but do not enable ABE for the
DFSRoot servers the users will see \\Domain\Root\ShareA even though they have no
access (it is the DFS links that ABE enumerates). On the other hand if you
enable ABE on the DFS server but not at the link target you may get what you are
describing.


On Mon, 5 Apr 2010 09:28:32 -0700, Cindy <benedett@newsgroup> wrote:

>ABE seems to be working only on the level immediately below the share that
>has ABE enabled... it does not seem to work on the subdirectories??
>So if the share is level A -- they do not have rights to B -- but they do
>have rights to C -- how can I make that work? Before we had shortcuts that
>could get them directly to C (without navigating) - now they are getting
>denied.
>Here is a post I found... IS this correct???
>****
>Well ABE works, but… Here’s the surprising part: it only works for 1st level
>folders. Meaning that if a user has access to folder C that is in folder B,
>to which that user does not have access, he will not see folder B (and
>therefore C as well). This is obvious when you take into account NTFS design:
>a user needs traverse permission to be able to reach C via direct path (B/C)
>and List folder contents permission to reach C by browsing to B. The only
>solution is to grant the user List folder content access to all folders.
>However with that, we end up in the starting point where the user sees all
>available shares instead of those he only has permissions to.
>This means that when migrating from Novell we will often have to do some
>re-design of the folder access approach, e.g. scripts mapping the drives by
>group membership, redesigning the folder structure to a more flat hierarchy
>and then use ABE.
>***
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
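
Added example, not part of any post in this thread: a PowerShell audit (3.0 or later assumed) that walks from the share root down to the folder a shortcut points at and reports, for the accounts you list, whether each level grants the Traverse and List folder contents rights discussed above. The function name, paths and account names are placeholders.

```powershell
# Added example. Function name, paths and account names are placeholders.
# Group membership is not expanded: pass the user AND the user's groups in -Identities.
# Allow-minus-Deny below is an approximation of effective access, not a full access check.
# Traverse is only evaluated for accounts that lack the "Bypass traverse checking" user right.
function Get-PathAccessReport {
    param(
        [Parameter(Mandatory=$true)][string]   $ShareRoot,   # local folder behind the share (level A)
        [Parameter(Mandatory=$true)][string]   $Target,      # folder or file the shortcut points to
        [Parameter(Mandatory=$true)][string[]] $Identities   # 'DOMAIN\user','DOMAIN\group',...
    )
    $fsr  = [System.Security.AccessControl.FileSystemRights]
    $root = (Get-Item -LiteralPath $ShareRoot).FullName.TrimEnd('\')
    $dir  = Get-Item -LiteralPath $Target
    if ($dir -is [System.IO.FileInfo]) { $dir = $dir.Directory }   # report on the containing folder
    $cmp  = [StringComparison]::OrdinalIgnoreCase
    if (-not ($dir.FullName.TrimEnd('\') + '\').StartsWith($root + '\', $cmp)) {
        throw "Target '$Target' is not below share root '$ShareRoot'."
    }

    # Collect every folder from the target up to the share root, ordered top-down.
    $chain = New-Object 'System.Collections.Generic.List[System.IO.DirectoryInfo]'
    while ($dir -and $dir.FullName.TrimEnd('\').Length -ge $root.Length) {
        $chain.Insert(0, $dir)
        $dir = $dir.Parent
    }

    foreach ($folder in $chain) {
        $allow = 0; $deny = 0
        foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
            if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
            # Inherit-only ACEs apply to children, not to this folder itself.
            $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
            if ($ace.PropagationFlags -band $inheritOnly) { continue }
            if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
            else                                     { $deny  = $deny  -bor [int]$ace.FileSystemRights }
        }
        $effective = $allow -band (-bnot $deny)
        [pscustomobject]@{
            Folder   = $folder.FullName
            Traverse = [bool]($effective -band [int]$fsr::Traverse)        # needed to pass through by direct path
            List     = [bool]($effective -band [int]$fsr::ListDirectory)   # needed to browse into the folder
        }
    }
}

# Usage (placeholder values):
# Get-PathAccessReport -ShareRoot 'D:\Shares\A' -Target 'D:\Shares\A\B\C' `
#     -Identities 'EXAMPLE\jdoe','EXAMPLE\Staff' | Format-Table -AutoSize
```

A row with Traverse and List both False on an intermediate folder (B in the thread's A/B/C layout) marks the level the listed accounts have no rights on.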
 
