Access-Base Enumeration ABE with Distributed File System DFS 2003 not working

Hi all, I have a Windows Server 2003 R2 server with DFS and ABE on it. I installed ABE and set the appropriate rights on the DFS share. But when normal domain users logon they can see all the shares. I checked that the users are not member of Domain Admins. I checked that the security is set the right way.

What could be the problem?

thank u
LeonesIT Asked:
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Are you sure that the folder does not have the Domain Users group listed?
Did you enable ABE on the share?
LeonesIT (Author) Commented:
Yes: no Domain Users are listed on the folder. And ABE is enabled on the share.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
So, check in the advanced options of the Security tab, under Effective Permissions, whether that user has at least Read permissions.
oBdA Commented:
Follow this article to hide the DFS links:
How to implement Windows Server 2003 Access-based Enumeration in a DFS environment
http://support.microsoft.com/kb/907458
LeonesIT (Author) Commented:
Nope, no Read permissions for the users/group in the folder(s).
LeonesIT (Author) Commented:
It seems that ABE is not working at all.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
OK, please describe to me which steps you did.
LeonesIT (Author) Commented:
OK. I've got 2 DFS servers: DFS01 and DFS02. DFS01 was the main DFS server, and DFS02 is the DFS server where all data is copied to. Because of performance issues, DFS02 is now the main server. Everything, including ABE, was already installed, configured and working. But all of a sudden it is not anymore.

Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Try to re-install ABE on DFS02. It should solve your problem. But before that, check the event logs; maybe there is something interesting (hints?).
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
OK, it looks like ABE was installed only on DFS01? Install it also on DFS02.
LeonesIT (Author) Commented:
It was installed on DFS02 when the server got installed.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
OK, but where are those folders stored physically (on which server, DFS02)? If so, try to re-install ABE.
LeonesIT (Author) Commented:
Found something out:

When I access the share on the DFS server directly as \\DFS02\[sharename], it works: I cannot see the folders. But when I access it through the domain-based namespace as \\[domain]\[DFSnamespace], it is not working.

It seems it is a combination of DFS and ABE.
LeonesIT (Author) Commented:
Yes, the folders and files are stored physically on DFS02.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Check the folder content. It should be invisible. ABE hides shares and the data within them. DFS namespaces are not affected by ABE at all.
LeonesIT (Author) Commented:
I can see the folders, but I am not able to access them. The problem is that the folders are visible.

Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Folders are visible, or DFS links?
LeonesIT (Author) Commented:
The DFS links.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
So, that's the problem. You cannot enable ABE on DFS links, only on shares.

I will try to test some configuration and I will let you know about the results in a few minutes :)
LeonesIT (Author) Commented:
Thanks.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
OK, you cannot use it for DFS links at all. I wanted to check something, but it didn't solve your problem. Only shares can be used with ABE.
oBdA Commented:
You *can* hide the DFS links, provided you follow the instructions in the link I posted in http:#a33556597
You *will* need to set permissions on the (replicated) DFS *links* (not the DFS share), matching the DFS target, using the command line.
LeonesIT (Author) Commented:
oBdA, your link is not working.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
This link is for home folders, and it works fine there, because it is only one root from one share with many folders. But when you modify permissions on DFS links you will only receive "access denied" on that link; it won't be hidden :) You need to enable ABE on the virtual folders' shares, but I don't know how that would work :]
oBdA Commented:
I can open the link just fine from this page; what exactly is the error message?
If you can access Google, search for "907458" and "Access Based Enumeration"; it should be the first link showing up.
LeonesIT (Author) Commented:
Sorry, I get it. But which CACLS command should be used then for the links?
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
It looks like it works, but a question: is it worth doing this? It's a lot of work if something changes in the environment :/

Use:

cacls <foldername> /t /g:<list of users and their permissions> /c
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Sorry, by <foldername> I meant <DFS link name>.
oBdA Commented:
As described in the article: "For example, make the ACL on the link the same as the ACL on the target of the link. Therefore, if \\dfs-share\users\johndoe links to a target named \\server1\share1\johndoe, make the ACL on \\dfs-share\users\johndoe the same as the ACL on \\server1\share1\johndoe."
Try the following: on the DFS root, disable inheritance and remove all non-administrative groups. Then add the group "Users" back with Read permissions, but in the Advanced permissions change the scope to "Apply to this folder only". This can still be done in the GUI.
Create the links, wait for replication.
Then on each DFS server, run
cacls.exe "T:\he\physical\path\to\the\DFSRoot\SomeDFSLink" /e /g "SomeDomain\SomeGroupWithAccessToTheDFSLink":R
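The same link-ACL mirroring that the KB article and the cacls.exe line above describe, written as an added PowerShell example (not code from the thread or from Microsoft): for each DFS link folder under the physical DFS root, it copies the Allow entries from the link's target share onto the link as explicit Read entries, so ABE on the root hides links the user cannot read. The root path, the link-to-target mapping and the group names are assumed placeholders.

```powershell
# Added example (not from the thread): mirror each DFS link's ACL from its
# target, as KB 907458 describes. Paths and shares below are placeholders.
param(
    [string]$DfsRootPath = 'T:\DFSRoot',          # assumed physical root on this DFS server
    [hashtable]$LinkTargets = @{                  # assumed link -> target mapping
        'Finance' = '\\FS01\Finance$'
        'HR'      = '\\FS01\HR$'
    }
)

function Copy-TargetAclToLink {
    param([string]$LinkPath, [string]$TargetPath)

    $targetAcl = Get-Acl -Path $TargetPath
    $linkAcl   = Get-Acl -Path $LinkPath

    # Break inheritance from the DFS root and drop the inherited entries, so the
    # link folder carries only what is added below (the root keeps "Users: Read,
    # this folder only" so everyone can still open the root itself).
    $linkAcl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($linkAcl.Access)) { [void]$linkAcl.RemoveAccessRule($old) }

    # Administrators keep full control of the link so nobody is locked out.
    $linkAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))

    # Every Allow entry on the target becomes an explicit Read entry on the link.
    # ABE only needs to know who may *see* the link; data access is still
    # enforced by the ACL on the target share.
    $copied = 0
    foreach ($rule in $targetAcl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $newRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $rule.IdentityReference, 'ReadAndExecute',
            'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $linkAcl.AddAccessRule($newRule)
        $copied++
    }
    Set-Acl -Path $LinkPath -AclObject $linkAcl
    return $copied
}

foreach ($link in $LinkTargets.Keys) {
    $linkPath = Join-Path $DfsRootPath $link
    if (-not (Test-Path $linkPath)) { Write-Warning "Link folder missing: $linkPath"; continue }
    $n = Copy-TargetAclToLink -LinkPath $linkPath -TargetPath $LinkTargets[$link]
    Write-Host ("{0}: {1} Allow entries mirrored from {2}" -f $link, $n, $LinkTargets[$link])
}
```

Run it on each DFS root server, as the thread notes, and re-run it whenever a target's ACL changes, since nothing keeps the link and target ACLs in sync automatically.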

LeonesIT (Author) Commented:
Thanks.
Krzysztof Pytko (Senior Active Directory Engineer) Commented:
Remember to document this action for future troubleshooting. You won't remember in a few months that you did something like that :)