Solved

DFS Permissions

Posted on 2011-03-21
6
1,373 Views
Last Modified: 2012-08-20
Using 2008 R2 server.  I had this working on 2003 server, but can't seem to be able to do it here. I have a DFS Root, with many links to shared folders.  The DFS names space is then used to map users to a shared drive using GPO and netuse.  My issue is I can't seem to prevent users from saving to the root folders, which are by department.  I only want them to be able to save in the sub-folders.  They should be able to create any folders they wish within the sub folders and inside the parent folder.  I've tried changing the parent folder permissions and inheriting down, but that locked them out of everything.  Not sure what I can't remember.
0
Comment
Question by:dabneym
  • 3
  • 3
6 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 250 total points
ID: 35209178
The Root needs to be the beginning of the Permissions (meaning no inheriting).

1. First Add the User's group in the normal way in the Dialog

2. Then go into the Advanced section and remove the item Create Files / Write Data.

3. Click OK on everything and go completely out of all Dialog boxes.

4. Go back into the Properties of the Folder and select Permissions again

5. Go straight to the Advanced Section this time.

6. Add the same User's group again a second time,...this time all the permissions will be unchecked by default.  

7.  In the Applies To drop-down choose Subfolders Only and then check the Allow box for Create Files and Write Data.

Now when you get back to the first Advanced dialog box, the User's Group will be listed twice:
  a.  Permissions=Special  Applies to = This Folder, Subfolders and Files
   b. Permissions= Create Files / Write Data   Applies to = Subfolders Only
0
 

Author Comment

by:dabneym
ID: 35211023
Just for clarification, you're using Root for the file share, not the DFS root, correct?  I know that previously I hid the shares from the users, they could only see the DFS folder.  For some reason, wih 2008 R2, the DFS wouldn't link.  I had, at first,  thought that was my issue.  I will attempt on one folder and let you know if this is the solution.  Thank you.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35211362
Root meaning the "top of the folder tree"  in the file system within the context of the discussion.
Since the DFS Root has to point to something,...it is probably one and the same,...but maybe not.

I'm talking about the Folder right above the User's individual folders.

Some Folder|              <------------you point the DFS Root here??  Don't know.
                    |--Userfolder1
                    |--Userfolder2
                    |--UserSally
                    |--UserJohn

Here is an article that gives the same theory I based what I said on,...but mine is more simpler.

How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
http://support.microsoft.com/kb/274443

Do not confuse these:
1. Folder Redirection
2. Roaming Profiles
3. Offline Files
4. DFS

They are all four entirely different and independent things.  They can all be done totally by themselves or in various combinations togther (if you can keep them all straight).    But if you cannot keep it straight in your head where one ends and another begins you are in for a world of hurt.   DFS simply repicates copys of the specified file structure to two or more places and provides a unified UNC Path to get there,...that is all it does,...don't confuse what it is doing with what any of the other 3 things do.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:dabneym
ID: 35231675
Almost exactly what we need.  Tweaking on our side needed.
0
 

Author Closing Comment

by:dabneym
ID: 35231686
The partiality would be our need to change the way the folders are now set up.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 35232628
The article I gave the link for is more accuarte than what I gave off the top of my head.  I trhink I forgot a couple parts in mine.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now