Solved

Allow users to browse the DFS root

Posted on 2011-09-22
8
612 Views
Last Modified: 2012-05-12
We have an existing DFS infrastructure in house.

It is formatted as follows:

\\domain.local\fileshares\accounting
\\domain.local\fileshares\payroll
etc

We would like to create a drive mapping to the DFS root \\domain.local\fileshares for all users.
That way they can open the root and see all the listed fileshares.
Then using access-based enumeration we can hide the folders they don't have rights too.

The login script is as follows:

net use z: \\domain.local\fileshares

The script runs and the drive is created, however only domain admins can open it...

How can we setup the DFS root so that all users can see the listed of folders?
0
Comment
Question by:PerimeterIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36587615
It sounds like just a permissions issue either on the share permissions or ntfs permission on the dirctory pointed to by the dfs root / namespace as it should work as you suggest.

\\domain.local\fileshares will be the root share and presumably that is pointing to, say, d:\fileshares
Please go into the dfs management, check the share permissions against the root, and the NTFS permissions on th path it points to.

I haven't got a 2003 system to hand at the mo. running DFS (only 2000 and 2008) so can't adise the specific path the look at sorry.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36599919
it's on 2003

Our root folder doesn't point to specific folder
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36720345
Sorry missed your comments at the time.  So to clarify:

If your users have a drive mapped to \\domain.local\fileshares it maps OK (which infers the share permissions are OK).
If they go to start | run and do \\domain.local\fileshares presumably it does the same.

So where does the namespace point to (
e.g. namespace = d:\fileshares on server X and server Y ?
under that you then have your links to other shares.  Thee should NOT be under the same directory that the root points to.

Also what do you mean by "however only domain admins can open it..." - do users get "access denied" or what?  And at what stage of the process, as soon as they click on the drive letter?
0
Office 365 Training for IT Pros

Learn how to provision Office 365 tenants, synchronize your on-premise Active Directory, and implement Single Sign-On.

 
LVL 1

Author Comment

by:PerimeterIT
ID: 36818352
Mapping to \\domain.local\fileshares works fine

But when a user gos to open the drive they get "access denied" and can't see any of the contents. Only a domain admin can open the root share and see the contents.

The root share isn't pointing to a specific folder on a server.

Its sub folders point to different shares
so as examples

\\domain.local\fileshares\ > nothing just displays folder contents.
\\domain.local\fileshares\accounting > e:\accounting
\\domain.local\fileshares\general > e:\general
\\domain.local\fileshares\IT > g:\IT
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
ID: 36818724
OK, it sounds like the link diectories in the area the dfs root points to don't have correct permissions then.

The dfs root will be pointing to it's own share, without any data in (hopefully), just folders for each link under it.
So:

DFS root "fileshares"--> \\server\dfsroot (which is d:\dfsroot)
dfs target/link "accounting" --> \\server\accounting (which is e:\accounting)

Now here it is the permissions for users to d:\dfsroot\accounting that says whether they can access it (or see it with ABE) or not.  I would suggest setting user NTFS permissions to Read at the root "for this folder only" and then setting the relevant groups etc. in the other directories to allow users into their folders.

Steve
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36818757
Had a look around and found this document which kinda follows the same pattern once ABE is put on:

http://blogs.technet.com/b/canitpro/archive/2006/10/06/dfs-and-access-based-enumeration-_2800_how-to-hide-folders-from-prying-eyes_2900_.aspx

We scripted permissions using CACLS anyway when last creating one to use ABE so hadn't noticed that there isn't a security tab for the dfs link directories - the link above explains more.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36949898
There fixed it.

I have to select the DFS root folder in DFS management. On the 'Namespace Servers' tab I was able to modify the permissions of the root share to allow 'authenticated users' to see it.

Thanks for the help!
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36950117
No problem!
Steve
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question