Solved

Allow users to browse the DFS root

Posted on 2011-09-22
Last Modified: 2012-05-12
We have an existing DFS infrastructure in house.

It is formatted as follows:

\\domain.local\fileshares\accounting
\\domain.local\fileshares\payroll
etc

We would like to create a drive mapping to the DFS root \\domain.local\fileshares for all users.
That way they can open the root and see all the listed fileshares.
Then using access-based enumeration we can hide the folders they don't have rights to.

The login script is as follows:

net use z: \\domain.local\fileshares

The script runs and the drive is created, however only domain admins can open it...

How can we set up the DFS root so that all users can see the list of folders?
Question by:PerimeterIT
8 Comments

Expert Comment

by:Steve Knight
ID: 36587615
It sounds like just a permissions issue, either on the share permissions or the NTFS permissions on the directory pointed to by the DFS root / namespace, as it should work as you suggest.

\\domain.local\fileshares will be the root share and presumably that is pointing to, say, d:\fileshares
Please go into DFS Management, check the share permissions against the root, and the NTFS permissions on the path it points to.

I haven't got a 2003 system to hand at the mo. running DFS (only 2000 and 2008) so can't advise the specific path to look at, sorry.

Author Comment

by:PerimeterIT
ID: 36599919
it's on 2003

Our root folder doesn't point to specific folder

Expert Comment

by:Steve Knight
ID: 36720345
Sorry missed your comments at the time.  So to clarify:

If your users have a drive mapped to \\domain.local\fileshares it maps OK (which infers the share permissions are OK).
If they go to start | run and do \\domain.local\fileshares presumably it does the same.

So where does the namespace point to (e.g. namespace = d:\fileshares on server X and server Y)?
Under that you then have your links to other shares.  These should NOT be under the same directory that the root points to.

Also what do you mean by "however only domain admins can open it..." - do users get "access denied" or what?  And at what stage of the process, as soon as they click on the drive letter?

Author Comment

by:PerimeterIT
ID: 36818352
Mapping to \\domain.local\fileshares works fine

But when a user goes to open the drive they get "access denied" and can't see any of the contents. Only a domain admin can open the root share and see the contents.

The root share isn't pointing to a specific folder on a server.

Its sub folders point to different shares
so as examples

\\domain.local\fileshares\ > nothing just displays folder contents.
\\domain.local\fileshares\accounting > e:\accounting
\\domain.local\fileshares\general > e:\general
\\domain.local\fileshares\IT > g:\IT

Accepted Solution

by:
Steve Knight earned 500 total points
ID: 36818724
OK, it sounds like the link directories in the area the DFS root points to don't have correct permissions then.

The DFS root will be pointing to its own share, without any data in (hopefully), just folders for each link under it.
So:

DFS root "fileshares"--> \\server\dfsroot (which is d:\dfsroot)
dfs target/link "accounting" --> \\server\accounting (which is e:\accounting)

Now here it is the permissions for users to d:\dfsroot\accounting that says whether they can access it (or see it with ABE) or not.  I would suggest setting user NTFS permissions to Read at the root "for this folder only" and then setting the relevant groups etc. in the other directories to allow users into their folders.

Steve
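The permission layout described in the accepted answer can be checked from saved `icacls` output. The Python script below is an added example, not part of the original thread: the paths d:\dfsroot and d:\dfsroot\accounting follow the answer's example, while the DOMAIN\Accounting group and the sample ACL text are constructed. It assumes the usual `icacls <folder>` listing format and does not resolve group nesting.

```python
import re

READ = {"F", "M", "RX", "R", "GR", "RD"}   # rights that let a user list a folder
ACE = re.compile(r"^(.+?):((?:\([A-Za-z,]+\))+)$")

def is_broad(principal):
    """True for principals that cover practically every domain user."""
    p = principal.lower()
    return p in ("everyone", r"nt authority\authenticated users",
                 r"builtin\users") or p.endswith(r"\domain users")

def parse_icacls(path, text):
    """Return [(principal, {tokens})] from the output of `icacls <path>`."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower() + " "):
            line = line[len(path):].strip()      # first line is prefixed by the path
        m = ACE.match(line)
        if m:
            groups = re.findall(r"\(([^)]+)\)", m.group(2))
            aces.append((m.group(1), {t for g in groups for t in g.split(",")}))
    return aces

def audit(path, text, is_root):
    """Check one folder against the layout in the accepted answer."""
    findings, broad_read = [], False
    for principal, flags in parse_icacls(path, text):
        if "DENY" in flags or not flags & READ or not is_broad(principal):
            continue
        broad_read = True
        if is_root and flags & {"OI", "CI"}:     # not "this folder only"
            findings.append(f"{path}: {principal} read ACE inherits into link folders")
        elif not is_root:
            findings.append(f"{path}: {principal} can list this link, ABE will not hide it")
    if is_root and not broad_read:
        findings.append(f"{path}: no broad read ACE, users cannot open the root")
    return findings

# Constructed sample output, not captured from a real server.
ROOT_OK = r"""d:\dfsroot NT AUTHORITY\Authenticated Users:(R)
           BUILTIN\Administrators:(OI)(CI)(F)"""
ROOT_LOCKED = r"""d:\dfsroot BUILTIN\Administrators:(OI)(CI)(F)"""
LINK_LEAKY = r"""d:\dfsroot\accounting NT AUTHORITY\Authenticated Users:(I)(RX)
                      DOMAIN\Accounting:(RX)"""

if __name__ == "__main__":
    for args in ((r"d:\dfsroot", ROOT_OK, True), (r"d:\dfsroot", ROOT_LOCKED, True),
                 (r"d:\dfsroot\accounting", LINK_LEAKY, False)):
        print(audit(*args) or "ok")
```

ROOT_LOCKED reproduces the "access denied" symptom from the question, and LINK_LEAKY shows an inherited broad ACE that would leave a link folder visible to everyone despite ABE.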

Expert Comment

by:Steve Knight
ID: 36818757
Had a look around and found this document which kinda follows the same pattern once ABE is put on:

http://blogs.technet.com/b/canitpro/archive/2006/10/06/dfs-and-access-based-enumeration-_2800_how-to-hide-folders-from-prying-eyes_2900_.aspx

We scripted permissions using CACLS anyway when last creating one to use ABE so hadn't noticed that there isn't a security tab for the dfs link directories - the link above explains more.

Author Comment

by:PerimeterIT
ID: 36949898
There, fixed it.

I have to select the DFS root folder in DFS management. On the 'Namespace Servers' tab I was able to modify the permissions of the root share to allow 'authenticated users' to see it.

Thanks for the help!

Expert Comment

by:Steve Knight
ID: 36950117
No problem!
Steve