Solved

Allow users to browse the DFS root

Posted on 2011-09-22
Last Modified: 2012-05-12
We have an existing DFS infrastructure in house.

It is formatted as follows:

\\domain.local\fileshares\accounting
\\domain.local\fileshares\payroll
etc

We would like to create a drive mapping to the DFS root \\domain.local\fileshares for all users.
That way they can open the root and see all the listed fileshares.
Then, using access-based enumeration, we can hide the folders they don't have rights to.

The login script is as follows:

net use z: \\domain.local\fileshares

The script runs and the drive is created, however only domain admins can open it...

How can we set up the DFS root so that all users can see the list of folders?
0
Question by:PerimeterIT
8 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36587615
It sounds like just a permissions issue, either on the share permissions or the NTFS permissions on the directory pointed to by the dfs root / namespace, as it should work as you suggest.

\\domain.local\fileshares will be the root share and presumably that is pointing to, say, d:\fileshares
Please go into the dfs management, check the share permissions against the root, and the NTFS permissions on the path it points to.

I haven't got a 2003 system to hand at the mo. running DFS (only 2000 and 2008) so can't advise the specific path to look at, sorry.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36599919
it's on 2003

Our root folder doesn't point to specific folder
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36720345
Sorry missed your comments at the time.  So to clarify:

If your users have a drive mapped to \\domain.local\fileshares it maps OK (which infers the share permissions are OK).
If they go to start | run and do \\domain.local\fileshares presumably it does the same.

So where does the namespace point to (e.g. namespace = d:\fileshares on server X and server Y)?
Under that you then have your links to other shares.  These should NOT be under the same directory that the root points to.

Also what do you mean by "however only domain admins can open it..." - do users get "access denied" or what?  And at what stage of the process, as soon as they click on the drive letter?
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36818352
Mapping to \\domain.local\fileshares works fine

But when a user goes to open the drive they get "access denied" and can't see any of the contents. Only a domain admin can open the root share and see the contents.

The root share isn't pointing to a specific folder on a server.

Its sub folders point to different shares
so as examples

\\domain.local\fileshares\ > nothing just displays folder contents.
\\domain.local\fileshares\accounting > e:\accounting
\\domain.local\fileshares\general > e:\general
\\domain.local\fileshares\IT > g:\IT
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
ID: 36818724
OK, it sounds like the link directories in the area the dfs root points to don't have correct permissions then.

The dfs root will be pointing to its own share, without any data in (hopefully), just folders for each link under it.
So:

DFS root "fileshares"--> \\server\dfsroot (which is d:\dfsroot)
dfs target/link "accounting" --> \\server\accounting (which is e:\accounting)

Now here it is the permissions for users to d:\dfsroot\accounting that says whether they can access it (or see it with ABE) or not.  I would suggest setting user NTFS permissions to Read at the root "for this folder only" and then setting the relevant groups etc. in the other directories to allow users into their folders.

Steve
0
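
As an added example (not part of the thread and not written by its participants): a Python check of the NTFS layout described in the answer above, run over constructed output in the format printed by `icacls`. The paths, the `DOMAIN\Accounting` group and the set of principals treated as "all users" are assumptions.

```python
import re

# Constructed sample in the format printed by `icacls <path>`.
# Paths and the DOMAIN\Accounting group are hypothetical.
SAMPLE = r"""
D:\dfsroot BUILTIN\Administrators:(OI)(CI)(F)
           NT AUTHORITY\Authenticated Users:(RX)

D:\dfsroot\accounting BUILTIN\Administrators:(OI)(CI)(F)
                      DOMAIN\Accounting:(OI)(CI)(RX)

D:\dfsroot\payroll BUILTIN\Administrators:(OI)(CI)(F)
                   NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
"""

BROAD = {"everyone", "authenticated users", "users", "domain users"}
READ = {"R", "RX", "M", "F"}          # simple rights that include listing a folder
ACE = re.compile(r"^([^:]+):((?:\([A-Za-z,]+\))+)$")

def parse_icacls(text):
    """Return {path: [(principal, [flag, ...]), ...]}; assumes paths without spaces."""
    acls, path = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if not line[0].isspace():          # the first ACE shares a line with the path
            path, line = line.split(" ", 1)
            acls[path] = []
        m = ACE.match(line.strip())
        if m and path:
            acls[path].append((m.group(1), re.findall(r"\(([^)]+)\)", m.group(2))))
    return acls

def audit(acls, root):
    """Flag deviations from: users read the root 'this folder only', and link
    folders are granted to specific groups rather than to every user."""
    findings = []
    for path, aces in acls.items():
        readers = [set(f) for who, f in aces
                   if who.lower().split("\\")[-1] in BROAD
                   and "DENY" not in f and READ & set(f)]
        if path.lower() == root.lower():
            if not readers:
                findings.append((path, "users cannot list the root"))
            elif any(f & {"OI", "CI"} for f in readers):
                findings.append((path, "user read ACE inherits into link folders"))
        elif readers:
            findings.append((path, "readable by all users, so ABE will not hide it"))
    return findings

if __name__ == "__main__":
    for path, issue in audit(parse_icacls(SAMPLE), r"D:\dfsroot"):
        print(path, "-", issue)
```

This covers only the NTFS ACLs on the root folder and the link folders; the share permissions on the root share are a separate check.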
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36818757
Had a look around and found this document which kinda follows the same pattern once ABE is put on:

http://blogs.technet.com/b/canitpro/archive/2006/10/06/dfs-and-access-based-enumeration-_2800_how-to-hide-folders-from-prying-eyes_2900_.aspx

We scripted permissions using CACLS anyway when last creating one to use ABE so hadn't noticed that there isn't a security tab for the dfs link directories - the link above explains more.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36949898
There, fixed it.

I have to select the DFS root folder in DFS management. On the 'Namespace Servers' tab I was able to modify the permissions of the root share to allow 'authenticated users' to see it.

Thanks for the help!
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36950117
No problem!
Steve
0
