I have a Windows server and so far shared a folder `D:\AAA` as "ShareRW" with full share permissions ("Everyone - Full") and some stricter NTFS permissions as required on and below that folder; for example, UserX has full access to `D:\AAA\BBB`, read access to `D:\AAA\CCC` and cannot even see `D:\AAA\DDD` (because it has inheritance disabled and explicit rights only to other users). I checked on the server that the effective rights of UserX are indeed as desired.
Now I wanted to add the option to "mount -r" the same content and therefore created a second share with a different name "ShareRO" on the same folder and with only "Everyone - Read" permissions (and of course with the same old NTFS permissions).
Now my UserX does both `NET USE W: \\server\ShareRW` and `NET USE R: \\server\ShareRO`. I expected R: to look the same as W:, except that writing/changing is not allowed. But reality begged to differ:
- The user can change stuff in `W:\BBB`, they can read stuff in `W:\CCC`, and they do not even see that `W:\DDD` exists
- The user can read stuff in `R:\BBB`, they can read stuff in `R:\CCC`, but they see that `R:\DDD` exists and some metadata (size, creation date) though they cannot open it.
What am I doing wrong here?
You miss the setting "Enable access-based enumeration" on the second share properties. It's a per-share setting.
See that as an example;
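An added example, not part of the original answer: the same per-share setting checked and enabled from PowerShell with the SmbShare module's `Get-SmbShare` and `Set-SmbShare` cmdlets. The share names are the ones from the question; it assumes an elevated session on the file server.

```powershell
# Added example. Run elevated on the file server.
# 1) List non-administrative shares grouped by the folder they publish, and
#    show which shares on each folder do NOT have access-based enumeration (ABE).
#    Two shares on the same path with different modes is the situation in the question.
$shares = Get-SmbShare -Special $false |
    Where-Object { $_.Path } |
    Select-Object Name, Path, FolderEnumerationMode

$shares | Group-Object Path | ForEach-Object {
    $off = @($_.Group | Where-Object { $_.FolderEnumerationMode -ne 'AccessBased' })
    [pscustomobject]@{
        Path         = $_.Name
        Shares       = ($_.Group.Name -join ', ')
        AbeMissingOn = ($off.Name -join ', ')
    }
} | Format-Table -AutoSize

# 2) Enable ABE on the read-only share so that folders the caller has no
#    NTFS read access to (D:\AAA\DDD for UserX) are left out of listings.
Set-SmbShare -Name 'ShareRO' -FolderEnumerationMode AccessBased -Force

# 3) Confirm both shares on D:\AAA now report the same enumeration mode.
Get-SmbShare -Name 'ShareRW', 'ShareRO' |
    Format-Table Name, Path, FolderEnumerationMode -AutoSize
```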