Solved

Access-Based Enumeration (ABE) with Distributed File System (DFS) 2003 not working

Posted on 2010-08-30
Last Modified: 2012-05-10
Hi all, I have a Windows Server 2003 R2 server with DFS and ABE on it. I installed ABE and set the appropriate rights on the DFS share. But when normal domain users log on they can see all the shares. I checked that the users are not members of Domain Admins. I checked that the security is set the right way.

What could be the problem?

Thank you
Question by:LeonesIT
31 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556523
Are you sure that the folder does not have the Domain Users group listed?
Did you enable ABE on the share?
0
 

Author Comment

by:LeonesIT
ID: 33556543
Yes: no Domain users are listed on the folder. And ABE is enabled on the share.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556550
So, check in the advanced options of the Security tab, under Effective Permissions, whether that user has at least read permissions.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 33556597
Follow this article to hide the DFS links:
How to implement Windows Server 2003 Access-based Enumeration in a DFS environment
http://support.microsoft.com/kb/907458
0
 

Author Comment

by:LeonesIT
ID: 33556606
Nope, no read permissions for the users/group in the folder(s).
0
 

Author Comment

by:LeonesIT
ID: 33556609
It seems that ABE is not working at all.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556616
OK, please describe which steps you took.
0
 

Author Comment

by:LeonesIT
ID: 33556649
OK. I've got 2 DFS servers: DFS01 and DFS02. The DFS01 was the main DFS server. And DFS02 is the DFS server where all data is copied to. Because of performance issues the DFS02 server is now the main server. Everything, ABE, was already installed, configured and working. But all of a sudden not anymore.


0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556656
Try to re-install ABE on DFS02. It should solve your problem. But first check the event logs; maybe there is something interesting (hints?).
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556660
OK, it looks like ABE was installed only on DFS01? Install it also on DFS02.
0
 

Author Comment

by:LeonesIT
ID: 33556678
It is installed on the DFS02, when the server got installed.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556703
OK, but where are those folders stored physically (on which server, DFS02)? If so, try to re-install ABE.
0
 

Author Comment

by:LeonesIT
ID: 33556719
Found something out:

when I access the share on the DFS as follows: \\DFS02\[sharename] it works. I cannot see the folders. But when I access it through the Domain based namespace as follows: \\[domain]\[DFSnamespace] it is not working.

It seems it is a combination of DFS and ABE.
0
 

Author Comment

by:LeonesIT
ID: 33556728
yes the folders and files are stored physically on the DFS02
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556729
Check folder content. It should be invisible. ABE hides shares and data within it. DFS namespaces are not affected by ABE at all.
0
 

Author Comment

by:LeonesIT
ID: 33556739
I can see the folders. But I am not able to access them. The problem is that the folders are visible.

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556758
Folders are visible or DFS links?
0
 

Author Comment

by:LeonesIT
ID: 33556765
The DFS links
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556795
So, that's the problem. You cannot enable ABE on DFS links, only on shares.

I will try to test some configuration and I will let you know about the results in a few minutes :)
0
 

Author Comment

by:LeonesIT
ID: 33556805
thanks.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556813
OK, you cannot use it for DFS links at all. I wanted to check something but it didn't solve your problem. Only shares can be used in ABE.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 33556822
You *can* hide the DFS links, provided you follow the instructions in the link I posted in http:#a33556597
You *will* need to set permissions on the (replicated) DFS *links* (not the DFS share), matching the DFS target, using the command line.
0
 

Author Comment

by:LeonesIT
ID: 33556830
oBdA, your link is not working.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556840
This link is for home folders and it works fine. Because it is the only one root from one share with many folders. But when you modify permissions on DFS links you will only receive access denied to that link, it won't be hidden :) You need to enable ABE on virtual folder's shares but I don't know how it would work :]
0
 
LVL 85

Expert Comment

by:oBdA
ID: 33556849
I can open the link just fine from this page; what exactly is the error message?
If you can access Google, search for "907458" and "Access Based Enumeration"; should be the first link showing up.
0
 

Author Comment

by:LeonesIT
ID: 33556864
Sorry, I get it. But which CACLs command should be used then for the links?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556933
It looks like it works, but a question: is it worth doing this? A lot of work if something changes in the environment :/

Use

cacls <foldername> /t /g <user>:<permission> /c
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556937
Sorry, by <foldername> I meant <DFS link name>.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 33556948
As described in the article: "For example, make the ACL on the link the same as the ACL on the target of the link. Therefore, if \\dfs-share\users\johndoe links to a target named \\server1\share1\johndoe, make the ACL on \\dfs-share\users\johndoe the same as the ACL on \\server1\share1\johndoe."
Try the following: on the DFS root, disable inheritance, remove all non-administrative groups. Then add the group "Users" back with Read permissions, but in the Advanced permissions, change the scope to "Apply to this folder only". This can still be done in the GUI.
Create the links, wait for replication.
Then on each DFS server, run
cacls.exe "T:\he\physical\path\to\the\DFSRoot\SomeDFSLink" /e /g "SomeDomain\SomeGroupWithAccessToTheDFSLink":R
0
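A read-only audit of the procedure in the accepted answer, as an added example that is not part of the original thread: for each DFS link folder under the root it compares who can read the link folder itself with who can read the link's target, since ABE can only hide a link from users who have no read access on the link folder. The root path, share names and link-to-target map are hypothetical placeholders, and the script assumes PowerShell is installed on the DFS server and that the link folders can be listed locally.

```powershell
# Added example; all paths, share names and the link map below are hypothetical.
$DfsRootPath = 'D:\DFSRoots\Public'      # physical path of the DFS root on this server
$LinkTargets = @{                        # DFS link name -> UNC path of its target
    'Finance' = '\\DFS02\Finance$'
    'HR'      = '\\DFS02\HR$'
}

function Get-ReadIdentity([string]$Path) {
    # Identities holding an Allow ACE with Read that applies to this folder itself.
    # Deny ACEs and group nesting are not evaluated; names are compared literally.
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.PropagationFlags -notmatch 'InheritOnly' -and
            (([int]$_.FileSystemRights) -band $read) -eq $read
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-ChildItem -Path $DfsRootPath | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $link   = $_
    $target = $LinkTargets[$link.Name]
    if (-not $target) {
        Write-Warning "No target listed for link '$($link.Name)'; skipped."
        return                            # continue with the next link
    }
    $linkReaders   = @(Get-ReadIdentity $link.FullName)
    $targetReaders = @(Get-ReadIdentity $target)

    # On the link but not on the target: link stays visible, access is denied.
    $extra   = @($linkReaders   | Where-Object { $targetReaders -notcontains $_ })
    # On the target but not on the link: link is hidden from people who need it.
    $missing = @($targetReaders | Where-Object { $linkReaders -notcontains $_ })

    New-Object PSObject -Property @{
        Link                      = $link.Name
        VisibleButNoTargetAccess  = ($extra -join '; ')
        HiddenDespiteTargetAccess = ($missing -join '; ')
    }
} | Format-List Link, VisibleButNoTargetAccess, HiddenDespiteTargetAccess
```

Run it on each DFS server after replication; a link with both result fields empty has the same set of readers as its target.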
 

Author Closing Comment

by:LeonesIT
ID: 33557193
Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33557526
Remember to document this action for future troubleshooting. You won't remember in a few months that you did something like that :)
0


Question has a verified solution.
