"Will" wrote:
> "Marcin" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
> > have you considered using Access Based Enumeration? Even though this won't
> > give you exactly what you need, it will limit visibility of any
> > subfolders/files along the path to the nested subfolder...
>
> Once the file server migrates to Windows 2003 then yes we will do that, but
> that's a different issue: visibility of root folders versus minimum
> permissions required on root folders in order to secure Modify access to a
> deeply nested folder.
>
> I take your response to be an implicit "no" to my question, and you must
> give at least read only access to all folders above the deeply nested folder
> in order for Modify access to work correctly for the target folder?
>
> My original question is copied below.
>
> --
> Will
>
>
>
> A user logs in and maps a network share to the Y: drive. I want the user
> to have Modify access to a deeply nested folder:
>
> y:\some\folder\down\targetfolder
>
> and I do not want the user to have read access to any folders higher up.
> Is it possible to do this with NTFS?
>
> I assign the NTFS Modify permission on "targetfolder", but the user cannot
> get even read access to "targetfolder" unless I also give a read-only access
> to the root of Y:.
>
> Bypass Traverse Checking is Enabled on both the client and the file server.
>
> Any guidance on how to get as close as possible to what I want to achieve
> here is appreciated.
>
> --
> Will
>
>
A user has to have read access to the folder to navigate down the tree, but
not to the files in that intermediate folder.
The NTFS security permissions allow this specific option.
But make sure you control inherited permissions, and those derived from
group membership as well.
So to restrict access, you would allow non-Admins this limited permission to
the top-level folder, turn on inheritance, and then descend the tree and add
specific read or write permission where you want to.
Provided you do not use 'Deny', the resultant permission is the logical OR
of inherited and specific permissions.
--
Regards
Newell White
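
Added example, not part of Newell White's post: one way to apply the layout the reply describes, using icacls from PowerShell on the file server, and then list what the account ends up with at each level of the path. The local path, the account name, and the availability of icacls.exe and Get-Acl on the server are assumptions.

```powershell
# Constructed values (assumptions, not taken from the thread)
$Root    = 'D:\Shares\Data'      # hypothetical local folder behind the share mapped as Y:
$Target  = Join-Path $Root 'some\folder\down\targetfolder'
$Account = 'CONTOSO\jsmith'      # hypothetical user or group

# 1. Top-level folder: browse rights that apply to folders only.
#    (CI) inherits to subfolders; there is no (OI), so files receive no ACE from this entry.
#    RD = list folder, X = traverse, RA/REA = read attributes,
#    RC = read permissions, S = synchronize
icacls $Root /grant "${Account}:(CI)(RD,X,RA,REA,RC,S)"

# 2. Target folder: Modify on the folder, its subfolders and its files.
icacls $Target /grant "${Account}:(OI)(CI)M"

# 3. Walk from the target back up to the root and show the ACEs that name the
#    account directly. Rights that arrive through group membership are not
#    listed here and have to be reviewed separately.
$path = $Target
while ($path -and $path.Length -ge $Root.Length) {
    $acl = Get-Acl -LiteralPath $path
    if ($acl.AreAccessRulesProtected -and $path -ne $Root) {
        Write-Warning "$path blocks inheritance; the folders-only ACE from $Root does not reach it"
    }
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object @{n='Path';e={$path}}, AccessControlType,
                      FileSystemRights, IsInherited, InheritanceFlags
    $path = Split-Path -Path $path -Parent
}
```

Intermediate folders should show only the inherited folder-level entry, and the target should show that entry plus the explicit Modify entry.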