Solved

Allow users to browse the DFS root

Posted on 2011-09-22
Last Modified: 2012-05-12
We have an existing DFS infrastructure in house.

It is formatted as follows:

\\domain.local\fileshares\accounting
\\domain.local\fileshares\payroll
etc

We would like to create a drive mapping to the DFS root \\domain.local\fileshares for all users.
That way they can open the root and see all the listed fileshares.
Then, using access-based enumeration, we can hide the folders they don't have rights to.

The login script is as follows:

net use z: \\domain.local\fileshares

The script runs and the drive is created, however only domain admins can open it...

How can we set up the DFS root so that all users can see the list of folders?
Question by:PerimeterIT
8 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36587615
It sounds like just a permissions issue, either on the share permissions or the NTFS permissions on the directory pointed to by the DFS root / namespace, as it should work as you suggest.

\\domain.local\fileshares will be the root share and presumably that is pointing to, say, d:\fileshares
Please go into the DFS management, check the share permissions against the root, and the NTFS permissions on the path it points to.

I haven't got a 2003 system to hand at the mo. running DFS (only 2000 and 2008) so can't advise the specific path to look at, sorry.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36599919
It's on 2003.

Our root folder doesn't point to a specific folder.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36720345
Sorry missed your comments at the time.  So to clarify:

If your users have a drive mapped to \\domain.local\fileshares it maps OK (which infers the share permissions are OK).
If they go to start | run and do \\domain.local\fileshares presumably it does the same.

So where does the namespace point to (e.g. namespace = d:\fileshares on server X and server Y)?
Under that you then have your links to other shares. These should NOT be under the same directory that the root points to.

Also what do you mean by "however only domain admins can open it..." - do users get "access denied" or what?  And at what stage of the process, as soon as they click on the drive letter?
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36818352
Mapping to \\domain.local\fileshares works fine

But when a user goes to open the drive they get "access denied" and can't see any of the contents. Only a domain admin can open the root share and see the contents.

The root share isn't pointing to a specific folder on a server.

Its sub folders point to different shares
so as examples

\\domain.local\fileshares\ > nothing just displays folder contents.
\\domain.local\fileshares\accounting > e:\accounting
\\domain.local\fileshares\general > e:\general
\\domain.local\fileshares\IT > g:\IT
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 2000 total points
ID: 36818724
OK, it sounds like the link directories in the area the DFS root points to don't have correct permissions then.

The DFS root will be pointing to its own share, without any data in (hopefully), just folders for each link under it.
So:

DFS root "fileshares"--> \\server\dfsroot (which is d:\dfsroot)
dfs target/link "accounting" --> \\server\accounting (which is e:\accounting)

Now here it is the permissions for users to d:\dfsroot\accounting that says whether they can access it (or see it with ABE) or not.  I would suggest setting user NTFS permissions to Read at the root "for this folder only" and then setting the relevant groups etc. in the other directories to allow users into their folders.

Steve
0
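The layout described in the accepted answer (Read on the root for "this folder only", group-specific rights on each link folder) can be checked with a read-only script. This is an added example, not part of the thread: D:\dfsroot is the answer's illustrative path, and the English principal name and the use of PowerShell's Get-Acl on the namespace server are assumptions.

```powershell
# Added example, not from the thread: read-only audit of NTFS ACLs behind a DFS root.
# Assumptions: D:\dfsroot is the local root folder (the answer's example path), the
# built-in group has its English name, and Get-Acl can read the link folders' ACLs.
# Share permissions on the root share are a separate layer and are not checked here.
$RootPath    = 'D:\dfsroot'
$Principal   = 'NT AUTHORITY\Authenticated Users'
$Read        = [int][System.Security.AccessControl.FileSystemRights]::Read
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-ReadAce {
    param([string]$Path)
    # Allow ACEs, explicit or inherited, that grant all Read bits on the folder itself.
    # Inherit-only ACEs are skipped because they do not apply to this folder.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $Read) -eq $Read -and
        (([int]$_.PropagationFlags) -band $InheritOnly) -eq 0
    }
}

# 1. Root folder: users need Read here, scoped to "this folder only".
$rootAces = @(Get-ReadAce $RootPath | Where-Object { $_.IdentityReference.Value -eq $Principal })
if ($rootAces.Count -eq 0) {
    "ROOT $RootPath : no Read ACE for $Principal on the root"
} elseif (@($rootAces | Where-Object { [int]$_.InheritanceFlags -ne 0 }).Count -gt 0) {
    "ROOT $RootPath : Read ACE for $Principal also inherits to the link folders"
} else {
    "ROOT $RootPath : OK, $Principal has Read on this folder only"
}

# 2. Link folders: who can read each one, and whether it still inherits from the root.
#    With ABE enabled, a user sees a link only if one of these principals covers them.
Get-ChildItem -Path $RootPath | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl  = Get-Acl -Path $_.FullName
    $who  = @(Get-ReadAce $_.FullName | ForEach-Object { $_.IdentityReference.Value } |
              Sort-Object -Unique)
    $mode = if ($acl.AreAccessRulesProtected) { 'explicit' } else { 'inherits' }
    'LINK {0} [{1}] : {2}' -f $_.Name, $mode, ($who -join ', ')
}
```

A link folder reported as `inherits` alongside a root ACE that propagates to children is readable by everyone the root ACE covers, so access-based enumeration has nothing to hide there.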
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36818757
Had a look around and found this document which kinda follows the same pattern once ABE is put on:

http://blogs.technet.com/b/canitpro/archive/2006/10/06/dfs-and-access-based-enumeration-_2800_how-to-hide-folders-from-prying-eyes_2900_.aspx

We scripted permissions using CACLS anyway when last creating one to use ABE so hadn't noticed that there isn't a security tab for the dfs link directories - the link above explains more.
0
 
LVL 1

Author Comment

by:PerimeterIT
ID: 36949898
There, fixed it.

I have to select the DFS root folder in DFS management. On the 'Namespace Servers' tab I was able to modify the permissions of the root share to allow 'authenticated users' to see it.

Thanks for the help!
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 36950117
No problem!
Steve
0
