file sharing permissions

nutmucker

We have just migrated file and print services from Netware to Win2K and I
have tried to keep the same setup as much as possible re mapped drives.
However, there is a 'problem' with folders being displayed that cannot be
accessed:

dir1 is shared to all. Off dir1 come the different dept drives (e.g. dev,
sales).
So, if a dev user logs in, he/she should only see the dev dir under dir1.
Unfortunately, the sales drive is still displayed though it is not
accessible.

Any ideas on what security/sharing I require? Have been mucking around
with things for hours and hours with no luck.
Any comments appreciated.
 
nutmucker said:
We have just migrated file and print services from Netware to Win2K and I
have tried to keep the same setup as much as possible re mapped drives.
However, there is a 'problem' with folders being displayed that cannot be
accessed:

dir1 is shared to all. Off dir1 come the different dept drives (e.g. dev,
sales).
So, if a dev user logs in, he/she should only see the dev dir under dir1.
Unfortunately, the sales drive is still displayed though it is not
accessible.

Any ideas on what security/sharing I require? Have been mucking around
with things for hours and hours with no luck.
Any comments appreciated.

This is a very frequently-asked question here. The simple answer is that
you can't obtain the behavior you want in the Windows environment. But it
may be worthwhile explaining why.

NTFS (and most Unix-style filesystems) have a directory structure in which
access-control data is associated with a file's (or directory's) 'inode'
(MFT entry in NTFS) rather than embedded in its directory entry. One reason
for this is that this information must be accessible from any of possibly
multiple paths ('hard links') to the file - even though the vast majority of
files have only a single such path.

Therefore, in order to be able to suppress listing files or directories to
which a given user was not allowed access, all the file/directory inodes in
the directory would have to be visited (normally requiring at least one
separate disk access for each, plus a second if the target's access control
list is too large to be embedded in the inode). Given that an average
random disk access takes 5 - 12 milliseconds, a directory containing 1,000
files would take 5 - 12 seconds just to list (and one containing 1,000,000
files would take 1.5 - 3.2 *hours* to list): while such large directories
are rare, they do exist - and even the extra overhead of listing much
smaller directories would still be a potential problem.

- bill
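
Added illustration, not part of the original thread or any poster's code: the sketch below contrasts a plain listing, which only reads names from the directory, with a filtered listing that must fetch each entry's metadata record before deciding whether to show it. It assumes a POSIX system and uses the "other" permission bits as a stand-in for an NTFS ACL check; the dir1/dev/sales tree is constructed sample data.

```python
import os
import stat
import tempfile

SEEK_MS = (5, 12)  # per-access disk latency range quoted in the reply above


def list_names(directory):
    """Plain listing: names come from the directory's own entries."""
    return sorted(os.listdir(directory))


def list_visible(directory, required=stat.S_IROTH | stat.S_IXOTH):
    """Filtered listing: one metadata lookup (inode / MFT record) per entry.

    Assumption for this sketch: 'visible' means the POSIX 'other' read and
    search bits are set, standing in for a full ACL evaluation.
    Returns (visible_names, number_of_metadata_lookups).
    """
    visible, lookups = [], 0
    for name in os.listdir(directory):
        mode = os.lstat(os.path.join(directory, name)).st_mode
        lookups += 1
        if mode & required == required:
            visible.append(name)
    return sorted(visible), lookups


def estimated_seconds(lookups, seek_ms=SEEK_MS):
    """Worst case from the reply: every lookup is an uncached random access."""
    return tuple(lookups * ms / 1000 for ms in seek_ms)


def demo():
    """Build a constructed dir1 with dev and sales, hide sales from 'other'."""
    with tempfile.TemporaryDirectory() as dir1:
        for dept in ("dev", "sales"):
            os.mkdir(os.path.join(dir1, dept))
        os.chmod(os.path.join(dir1, "dev"), 0o755)
        os.chmod(os.path.join(dir1, "sales"), 0o750)
        names = list_names(dir1)
        visible, lookups = list_visible(dir1)
        return names, visible, lookups


if __name__ == "__main__":
    names, visible, lookups = demo()
    print("unfiltered:", names)
    print("filtered:  ", visible, "after", lookups, "metadata lookups")
    print("1,000 entries, uncached: %.0f-%.0f s" % estimated_seconds(1000))
```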
 
Thanks for the explanation, Bill. And for the closure - I know now not to waste
any more time.
Cheers again
 