SBS2012 - Secure Shared Folder issue

TeaLeaf · September 19, 2018, 11:17:18 AM

Hi folks

We have an IT chap at the office (a mate of a colleague) who is potentially more a fixer of computers than a server manager. He's having issues getting a secure folder share to work (ie a list of specific domain users/group have access to a folder but other users cannot access) and sent the below email to our office manager. I know it is perfectly possible but it might be outside of his experience as to how to fix, and blaming the antivirus software and offering a NAS solution seems to avoid the issue rather than understand the problem and fix it.

Can anyone point me in the right direction? Failing that, I need to talk to a colleague about the skill set of his friend, which is an awkward conversation at best.

QuoteI have tried repeatedly to enable the share access required but each time I enable the service on the server management software it denies the folder share, it also says there are service issues. I have also tried through advanced file sharing but in every case it has been an â€˜all-accessâ€™ or â€˜all non-accessâ€™ result. This is normally a very simple set up through Server Management.

This could be an antivirus/security issue and may be being blocked by AVG security.
Without disrupting your working week as playing with permissions can affect all users.

I do have an alternative answer and that is by the use of a NAS drive, linked into your network as a secure access storage drive. Users and permissions can be created and managed easily. Alternatively the answer is for a new Server replacing the 2012 small business server. There are many advantages to a NAS drive including additional storage as well as a mirrored backup onto a second drive which is automatic, it also has a trash folder so even deletions can be undone. A 2TB NAS is around Â£200

albert · September 19, 2018, 12:59:50 PM

Windows permissions are fraught with inconsistencies and dangers! Is this the first time of actually trying to implement a group to control access?

TeaLeaf · September 19, 2018, 01:06:14 PM

I think it is his first attempt to set up the secure shares, so probably yes to the group permission access. I'm afraid I know little more of how they use that particular server as I keep all of my data on different systems.

albert · September 19, 2018, 03:53:39 PM

Maybe this is a decent topic to hand to him as a possibility:

https://community.spiceworks.com/topic/1531858-shared-folder-permission-does-not-work

There are a few things required in order to allow specific domain users access to a folder and it's content for read only and read write, then make the access they have granular. I think the two best replies on this topic hit the general problems pretty well.

TeaLeaf · September 19, 2018, 05:51:35 PM

Thanks Albert, I'll send it over and see if it helps him!

Evilntwisted · September 19, 2018, 06:13:51 PM

This is one of those could be anything issues. However SBS2012 will have sharing enabled by default and he could just be going the wrong way about it. Start off in Computer Management of the server and then Right click and new share. Follow the wizard and then there is a section on security which you can lock down by users which I assume have already been populated in AD.

[ATTACH=CONFIG]4636[/ATTACH]

Penfold · September 19, 2018, 06:20:40 PM

I know little of such heady matters.

Perhaps it woud be easier to have dropbox for business where you can do that sharing and priviledges stuff.

sulky_uk · September 19, 2018, 11:01:45 PM

Quote from: Penfold;434503I know little of such heady matters.

like the man who fills my moat... one wonders how he achieves this.. pen was heard to mutter

faust82 · September 22, 2018, 09:29:45 PM

Windows shares have a two component/layer security approach.
First there's access to the actual share. That means nothing if you don't also have access to the folder/file itself.

The thinking behind it is that some users need local access but not remote access.
For most use cases on a file server, this is just daft. Since folder security overrules share security, we normally allow access to the share for everyone. Then we allow or deny access on the actual files and folders instead.
With a somewhat modern variant of Windows Server you even get access based enumeration, meaning that the user will only see the files and folders they have access to. That makes it very easy to do department shares for instance, with the share just called "Department" or similar, with each department having their own subfolder. A user browsing the share will only see the folders they're listed for (for instance a manufacturing engineer seeing both the Manufacturing and the Engineering folder, a manufacturing worker only seeing Manufacturing, and the accountant seeing neither).

Nuts and bolts:
Check that the share itself is enabled for "Authenticated Users" (all domain users who have successfully logged in), and then adjust actual file/folder access directly on the folder in the file system.
You can check if the desired user or groups have access using the "effective permissions" check under "Advanced" in file/folder security.

Sent from my SM-G965F using Tapatalk