Solved

Allow users to browse the DFS root

Posted on 2011-09-22
Last Modified: 2012-05-12
We have an existing DFS infrastructure in house.

It is formatted as follows:

\\domain.local\fileshares\accounting
\\domain.local\fileshares\payroll
etc

We would like to create a drive mapping to the DFS root \\domain.local\fileshares for all users.
That way they can open the root and see all the listed fileshares.
Then using access-based enumeration we can hide the folders they don't have rights to.

The login script is as follows:

net use z: \\domain.local\fileshares

The script runs and the drive is created, however only domain admins can open it...

How can we set up the DFS root so that all users can see the list of folders?
Question by:PerimeterIT
8 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36587615
It sounds like just a permissions issue, either on the share permissions or the NTFS permissions on the directory pointed to by the DFS root / namespace, as it should work as you suggest.

\\domain.local\fileshares will be the root share and presumably that is pointing to, say, d:\fileshares
Please go into the DFS management, check the share permissions against the root, and the NTFS permissions on the path it points to.

I haven't got a 2003 system to hand at the mo. running DFS (only 2000 and 2008) so can't advise the specific path to look at, sorry.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36599919
It's on 2003.

Our root folder doesn't point to a specific folder.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36720345
Sorry missed your comments at the time.  So to clarify:

If your users have a drive mapped to \\domain.local\fileshares it maps OK (which infers the share permissions are OK).
If they go to start | run and do \\domain.local\fileshares presumably it does the same.

So where does the namespace point to (e.g. namespace = d:\fileshares on server X and server Y)?
Under that you then have your links to other shares.  These should NOT be under the same directory that the root points to.

Also what do you mean by "however only domain admins can open it..." - do users get "access denied" or what?  And at what stage of the process, as soon as they click on the drive letter?
0
LVL 1

Author Comment

by:PerimeterIT
ID: 36818352
Mapping to \\domain.local\fileshares works fine

But when a user goes to open the drive they get "access denied" and can't see any of the contents. Only a domain admin can open the root share and see the contents.

The root share isn't pointing to a specific folder on a server.

Its sub folders point to different shares
so as examples

\\domain.local\fileshares\ > nothing just displays folder contents.
\\domain.local\fileshares\accounting > e:\accounting
\\domain.local\fileshares\general > e:\general
\\domain.local\fileshares\IT > g:\IT
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 2000 total points
ID: 36818724
OK, it sounds like the link directories in the area the DFS root points to don't have correct permissions then.

The DFS root will be pointing to its own share, without any data in (hopefully), just folders for each link under it.
So:

DFS root "fileshares"--> \\server\dfsroot (which is d:\dfsroot)
dfs target/link "accounting" --> \\server\accounting (which is e:\accounting)

Now here it is the permissions for users to d:\dfsroot\accounting that says whether they can access it (or see it with ABE) or not.  I would suggest setting user NTFS permissions to Read at the root "for this folder only" and then setting the relevant groups etc. in the other directories to allow users into their folders.

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36818757
Had a look around and found this document which kinda follows the same pattern once ABE is put on:

http://blogs.technet.com/b/canitpro/archive/2006/10/06/dfs-and-access-based-enumeration-_2800_how-to-hide-folders-from-prying-eyes_2900_.aspx

We scripted permissions using CACLS anyway when last creating one to use ABE so hadn't noticed that there isn't a security tab for the dfs link directories - the link above explains more.
0
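The permission layout from the accepted answer, scripted with icacls rather than the CACLS mentioned in the follow-up comment. This is an added example, not code from the thread: D:\dfsroot and the link names follow the thread's examples, the DOMAIN\... groups are hypothetical, and it assumes a namespace server whose icacls supports /inheritance.

```powershell
# Added illustration, not from the thread. D:\dfsroot and "accounting" follow the
# accepted answer; "payroll" is from the question; the groups are hypothetical.
$Root  = 'D:\dfsroot'
$Links = @{
    'accounting' = 'DOMAIN\Accounting-Users'   # hypothetical group
    'payroll'    = 'DOMAIN\Payroll-Users'      # hypothetical group
}

# Root folder: Read & Execute for every authenticated user. With no (OI)/(CI)
# flags the ACE applies to "this folder only", so link folders do not inherit it.
icacls $Root /grant 'Authenticated Users:(RX)'

# Link folders: /inheritance:r removes inherited ACEs (for example a Users
# entry flowing down from the drive root); /grant:r replaces any explicit
# grant the named principals already hold. Only the owning group can then
# read the folder, which is what access-based enumeration evaluates.
foreach ($name in $Links.Keys) {
    $path = Join-Path $Root $name
    icacls $path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' "$($Links[$name]):(RX)"
}

# Verify: the root's Authenticated Users entry should show InheritanceFlags
# "None", and every entry on a link folder should show IsInherited = False.
$paths = @($Root) + ($Links.Keys | ForEach-Object { Join-Path $Root $_ })
foreach ($p in $paths) {
    (Get-Acl $p).Access |
        Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference,
                      FileSystemRights, InheritanceFlags, IsInherited |
        Format-Table -AutoSize
}
```

These are NTFS permissions only; the share permissions on the root share, which turned out to be the blocker in this thread, are set separately.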
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36949898
There fixed it.

I have to select the DFS root folder in DFS management. On the 'Namespace Servers' tab I was able to modify the permissions of the root share to allow 'authenticated users' to see it.

Thanks for the help!
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36950117
No problem!
Steve
0
