Creating Share Within A Share

By Aakash Shah ·
Is it safe to create a share within a share? So, let's say I have a path c:\parent1\child1. Parent1 is set up to be a share as well as child1. So, we have:

I have been able to set this up, but I don't know if MS recommends against this procedure since I was unable to find any resources about this. Windows uses this in an AD environment for the SYSVOL and NETLOGON shares where the NETLOGON share is actually a subfolder of SYSVOL. However, I am unsure whether this is a recommended procedure for file servers.


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

maybe not recommended, but it serves a purpose

In the above sample, \parent1 might be shared RW to all managers, and \child1 might be shared RO to all non-managerial employees. The \parent1 share might have payroll data (confidential), and the \child1 share might have work assignments (not confidential) that you want the managers to be able to write to.

I typically might set up a folder scheme on a server like this:


I might have a shares called data, sales, accounting, engineering, maufacturing, and \home\bob, \home\jim, \home\sally

Using groups and permissions, EVERYONE gets RW to their own home directories, and to the department that they report to.
The boss gets RW to the whole \data directory, and the bootup script may map a drive letter to %username% and another to \data, and depending on their needs another drive letter to \engineering or whatever.
MFG employees might need to read the engineering files, but not write to them.

The thing about this model is that the admin account can back up \data and everything gets backed up. Also, any new employee can easily find the files they want, and if their groups are set up properly, they won't be able to get into the data that they shouldn't.

Collapse -


by Aakash Shah In reply to maybe not recommended, bu ...

Pete: Hello and thanks for responding! In your network, you said that you may "_might_ have shares called data, sales, accounting, engineering, manufacturing". Can you please confirm whether you do actually have the following shares on your network: "sales", "accounting", "manufacturing" and "home" in addition to "data" where "data" is a parent share of the other shares?

If you do, can you please let me know how long you have had this and from which version of Windows you started using this?

The reason I ask is because this is exactly what I am trying to do and so if you have been using this approach with success for a while , then I would feel more comfortable proceeding with this (after some testing on my network of course :)) since I was unable to find any resources online about this.

Thanks for your suggestion regarding the network permissions. What I do on my network is provide RO permissions at the root folder for std users and RW for managers. Then using the Advanced permissions dialog box, I set the inheritance level down to just the one folder for only the std users security group. Next, I assign individual permissions to each of the child folders for each std user. With this approach, I am able to maintain folder inheritance, allow the managers to access all folders, but allow the std users to only access and make changes to their own folder.


Collapse -

re: Clarification

by formerly In reply to Clarification

I have been doing this on various versions of Windows Server since NT. I am an independent Consultant, and support several clients.
I was using this as a generic example.
One thing to remember, to keep this all neat is to:
1. ONLY assign rights to groups
2. Make sure that everyone is in at least one group, even if they are the only ones there.
3. Make sure that you understand that if two groups have conflicting rights, the server will give them the LEAST amount of access.
For example:
Production group has RW to production folder and has RO to engineering folder.
Engineering group has RO to production, and RW to Engineering.

If Bob is in Engineering and Production, he will get RO access to both areas.
In Bob's case, a group called prod-eng could be created that gets RW to both, but take him out of Prod and Eng.

4. Create an admin group, with an admin user, who has access to all areas. This keeps you from ever getting locked out of everything. This user can be the user that runs backup scripts.

Collapse -


by Aakash Shah In reply to re: Clarification

Thanks for the information!

Related Discussions

Related Forums