What feature of Windows Server prevents users from seeing shared files and folders they do not have permission to access?

Applicable Products:

• Shared Folders

Configure shared folders

1. Go to Control Panel > Privilege > Shared folders >Shared folder

   • Create Shared folder

     1. Click "Create" > "Shared Folder"

     2. Enter the basic folder settings.

        • Folder name: Enter the share name. The share name does not support " / \ [ ] : ; | = , + * ? < > ` '
        • Description: Enter an optional description of the shared folder.
        • Disk Volume: Select which disk volume on which to create the folder.

     3. Select the way you want to specify the access right to the folder and specify the guest access right.

     4. If you select to specify the access right by user or user group, you can select to grant read only, read/write, or deny access to the users or user groups.

     5. Folder Encryption

     6. Configure advanced folder settings

        • Guest Access Right: Assign guest access rights of the folder.

        • Hide network drive: Select to hide the shared folder or not in Microsoft Networking. When a shared folder is hidden, you have to enter the complete directory \NAS_IP\share_name to access the share.

        • Lock File (Oplocks): Opportunistic locking is a Windows mechanism for the client to place an opportunistic lock (oplock) on a file residing on a server in order to cache the data locally for improved performance. Oplocks is enabled by default for everyday usage. For networks that require multiple users concurrently accessing the same file such as a database, oplocks should be disabled.

        • SMB Encryption: This option is available only when SMB3 is enabled. Selecting this option encrypts all Microsoft network communication on the SMB3 protocol

        • Enable Windows Previous Versions:When enabled, the Previous Versions feature in Windows can be used with the shared folder.

        • Enable Network Recycle Bin: Enable the Network Recycle Bin for created shared folders.

        • Restrict the access of Recycle Bin to Administrators only for now:This option is available only when Network Recycle Bin is enabled. Selecting this option prevents non-administrator users from recovering and deleting files in the Recycle Bin.

        • Enable write-only access on FTP connection: Selecting this option gives the administrator exclusive read and write access to the shared folder. Non-administrator users connected through FTP only get write access.

        • Only allow applications to access files using the long file name format:When selected, applications can only use the long file name (LFN) format to access files in the shared folder

        • Enable sync on this shared folder: Selecting this option allows this shared folder to be used with Qsync.

        • Enable access-based shared enumeration (ABSE):When enabled, users can only see the shared folders that they have permission to mount and access. Guest account users must enter a username and password to view shared folders.

        • Enable access-based enumeration (ABE):When enabled, users can only see the files and folders that they have permission to access.

        • Set this folder as the Time Machine backup folder(macOS):When enabled, the shared folder becomes the destination folder for Time Machine in macOS

     7. Confirm the settings and click "Create".

   • Delete a shared folder,

     1. select the folder checkbox

     2. click "Remove".

        Note: You can select the option "Also delete the data (mounted files will not be deleted)" to delete the folder and the files in it. If you select not to delete the folder data, the data will be retained in the NAS. You can create a shared folder of the same name again to access the data.

Icon	Name	Description
	Folder Property	Edit the folder property. Select to hide or show the network drive, enable or disable oplocks, folder path, comment, restrict the access of Recycle Bin to administrators (files can only be recovered by administrators from the Network Recycle Bin) and enable or disable write-only access on FTP connection.
	Folder Permissions	Edit folder permissions and subfolder permissions.
	Refresh	Refresh the shared folder details.

Folder Permissions

Configure folder and subfolder permissions on the NAS. To edit basic folder permissions,

1. Locate a folder name in Control Panel > Privilege > Shared Folders
2. Click "Folder Permissions". The folder name will be shown on the left and the users with configured access rights are shown in the panel. You can also specify the guest access right at the bottom of the panel.
3. Click "Add" to select more users and user groups and specify their access rights to the folder. Click "Add" to confirm.
4. Click "Remove" to remove any configured permissions. You can select multiple items by holding the Ctrl key and left clicking the mouse. Click "Apply" to save the settings.

Subfolder Permissions

QTS supports subfolder permissions for secure management of the folders and subfolders. You can specify read, read/write, and deny access of individual user to each folder and subfolder. To configure subfolder permissions, follow the steps below:

1. Enable Advanced Permissions

   1. Go to Control Panel > Privilege > Shared Folders > Advanced Permissions
   2. Select Enable Advanced Folder Permissions
   3. click Apply.

2. Edit Subfolder permissions

   1. Go to Control Panel > Privilege > Shared Folders > Shared folders
   2. Select a root folder, for example Public
   3. Click Folder Permissions. The shared folder name and its first-level subfolders are shown on the left. The users with configured access rights are shown in the panel, with special permission below.
   4. Double click the first-level subfolders to view the second-level subfolders.
   5. Select the root folder.
   6. Click Add to specify read only, read/write, or deny access for the users and user groups.

3. Click "Add" when you have finished the settings.

4. Specify other permissions settings below the folder permissions panel.

   • Guest Access Right: Specify to grant full or read only access or deny guest access.
   • Owner: Specify the owner of the folder. By default, the folder owner is the creator.

5. To change the folder owner, click the "Folder Property" button next to the owner field.

1. Select a user from the list or search a username. Then click "Set".

   • Only the owner can delete the contents: When you apply this option to a folder, only the folder owner can delete the first-level subfolders and files. Users who are not the owner but possess read/write permission to the folder cannot delete the folders. This option does not apply to the subfolders of the selected folder even if the options "Apply changes to files and subfolders" and "Apply and replace all existing permissions of this folder, files, and subfolders" are selected.
   • Only admin can create files and folders: This option is only available for root folders. Select this option to allow admin to create first-level subfolders and files in the selected folder only.
   • Apply changes to files and subfolders: Apply permissions settings except owner protection and root folder write protection settings to all the files and subfolders within the selected folder. These settings include new users, deleted users, modified permissions, and folder owner. The options "Only the owner can delete the contents" and "Only admin can create files and folders" will not be applied to subfolders.
   • Apply and replace all existing permissions of this folder, files, and subfolders: Select this option to override all previously configured permissions of the selected folder and its files and subfolders except owner protection and root folder write protection settings. The options "Only the owner can delete the contents" and "Only admin can create files and folders" will not be applied to subfolders.
   • Special Permission: This option is only available for root folders. Select this option and choose between "Read only" or "Read/Write" to allow a user to access to all the contents of a folder irrespectively of the pre-configured permissions. A user with special permission will be identified as "admin" when he/she connects to the folder via Microsoft Networking. If you have granted special permission with "Read/Write" access to the user, the user will have full access and is able to configure the folder permissions on Windows. Note that all the files created by this user belong to "admin". Since "admin" does not have quota limit on the NAS, the number and size of the files created by users with special permission will not be limited by their pre-configured quota settings. This option should be used for administrative and backup tasks only.

2. After changing the permissions, click "Apply" and then "YES" to confirm.

Note:

• You can create maximum 230 permission entries for each folder when Advanced Folder Permission is enabled.

• If you have specified "deny access" for a user on the root folder, the user will not be allowed to access the folder and subfolders even if you select read/write access to the subfolders.

• If you have specified "read only access" for a user on the root folder, the user will have read only access to all the subfolders even if you select read/write access to the subfolders.

• To specify read only permission on the root folder and read/write permission on the subfolders, you must set read/write permission on the root folder and use the option "Only admin can create files and folders" (to be explained later).

• If an unidentified account ID (such as 500) is shown for a subfolder on the permission assignment page after you click the "Access Permissions" button next to a shared folder in Control Panel >Privilege Settings > Shared Folders > Shared Folder, it is likely that the permission of that subfolder has been granted to a user account that no longer exists. In this case, please select this unidentified account ID and click "Remove" to delete this account ID.

Microsoft Networking Host Access Control

The NAS folders can be accessed via Samba connection (Windows) by default. You can specify the IP addresses and hosts which are allowed to access the NAS via Microsoft Networking. Follow the steps below to set up:

1. Click "Folder Permissions".
2. Select "Microsoft Networking host access" from the drop-down menu on top of the page.
3. Specify the allowed IP addresses and host names. The following IP address and host name are used as example here:

• IP address: 192.168.12.12 or 192.168..
• Host name: dnsname.domain.local or *.domain.local

1. click "Add" to enter the IP address and host name and then "Apply".

Notifications on characters used:

• Wildcard characters: You can enter wildcard characters in an IP addr ess or host name entry to represent unknown characters.
• Asterisk (): Use an asterisk () as a substitute for zero or more characters. For example, if you enter *.domain.local, the following items are included: a.domain.local, cde.domain.local, or test.domain.local
• Question mark (?): Use a question mark (?) as a substitute for only one character. For example, test?.domain.local includes the following: test1.domain.local, test2.domain.local, or testa.domain.local

When you use wildcard characters in a valid host name, dot (.) is included in wildcard characters. For example, when you enter *.example.com, "one.example.com" and "one.two.example.com" are included.

Folder Aggregation

You can aggregate the shared folders on Microsoft network as a portal folder on the NAS and let the NAS users access the folders through your NAS. Up to 10 folders can be linked to a portal folder. To use this function, follow the steps below:

1. Enable folder aggregation.
2. Click "Create a Portal Folder".
3. Enter the portal folder name. Select to hide the folder or not, and enter an optional comment for the portal folder.
4. Click the "Link Configuration" button under "Action" and enter the remote folder settings. Make sure the folders are open for public access.
5. Upon successful connection, you can connect to the remote folders through the NAS.

Note:

• Folder Aggregation is supported only in Microsoft networking service and recommended for a Windows AD environment.
• If there is permission control on the folders, you need to join the NAS and the remote servers to the same AD domain.

Advanced Permissions

"Advanced Folder Permissions" and "Windows ACL" provide subfolder and file level permissions control.

Advanced Folder Permissions

Use "Advanced Folder Permissions" to configure subfolder permissions directly from the NAS UI. There is no depth limitation for the subfolder permissions. However, it is highly recommended to change the permissions only on the first or second level of the subfolders. When "Advanced Folder Permissions" is enabled, click the "Folder Permissions" button under the "Shared Folders" tab to configure the subfolder permission settings. See Shared Folders" > "Folder Permission of this section for details.

Windows ACL

Use "Windows ACL" to configure the subfolder and file level permissions from Windows File Explorer. All Windows Permissions are supported. For detailed Windows ACL behavior, please refer to standard NTFS permissions: http://www.ntfs.com/#ntfs_permissTo assign subfolder and file permissions to a user or a user group, full control share-level permissions must be granted to the user or user group.

Tip:

• How to replicate the files with windows acl from windows file server to nas
• How to configure NAS shared folder/subfolders permissions in Windows Client?

When Windows ACL is enabled while "Advanced Folder Permissions" are disabled, subfolder and file permissions will have effect only when accessing the NAS from Windows File Explorer. Users connecting to the NAS via FTP, AFP, or File Station will only have share-level permissions.

When Windows ACL and Advanced Folder Permissions are both enabled, users cannot configure Advanced Folder Permissions from the NAS UI. The permissions (Read only, Read/Write, and Deny) of Advanced Folder Permissions for AFP, File Station, and FTP will automatically follow Windows ACL configuration.

Last modified date: 2022-08-09

Was this article helpful?

20% of people think it helps.

Thank you for your feedback.