DFS – Enable Access-Based Enumeration on a Namespace

July 16, 2012 DFS, microsoft No comments

Applies To: Windows Server 2008

Access-based enumeration hides files and folders that users do not have permission to access. By default, this feature is not enabled for DFS namespaces. You can enable access-based enumeration of DFS folders by using the Dfsutil command, enabling you to hide DFS folders from groups or users that you specify. To control access-based enumeration of files and folders in folder targets, you must enable access-based enumeration on each shared folder by using Share and Storage Management.

Caution

Access-based enumeration does not prevent users from getting a referral to a folder target if they already know the DFS path. Only the share permissions or the NTFS file system permissions of the folder target (shared folder) itself can prevent users from accessing a folder target. DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access, making Read access the only relevant permission at the DFS folder level

In some environments, enabling access-based enumeration can cause high CPU utilization on the server and slow response times for users.

Requirements

To enable access-based enumeration on a namespace, all namespace servers must be running at least Windows Server 2008. Additionally, domain-based namespaces must use the Windows Server 2008 mode

To use access-based enumeration with DFS Namespaces to control which groups or users can view which DFS folders, you must follow these steps:

Enable access-based enumeration on a namespace.
Control which users and groups can view individual DFS folders.

Method

To enable access-based enumeration on a namespace by using Windows Server 2008, you must use the Dfsutil command

Open an elevated command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.

Type the following command, where <namespace_root> is the root of the namespace

dfsutil property abde enable \\<namespace_root>

For example, to enable access-based enumeration on the domain-based namespace \\contoso.office\public type the following command:

dfsutil property abde enable \\contoso.office\public

Controlling which users and groups can view individual DFS folders

By default, the permissions used for a DFS folder are inherited from the local file system of the namespace server. The permissions are inherited from the root directory of the system drive and grant the DOMAIN\Users group Read permissions. As a result, even after enabling access-based enumeration, all folders in the namespace remain visible to all domain users.

To limit which groups or users can view a DFS folder, you must use the Dfsutil command to set explicit permissions on each DFS folder

dfsutil property acl grant DOMAIN\Account:R (…) Protect Replace

For example, to block inherited permissions (by using the Protect parameter) and replace previously defined ACEs (by using the Replace parameter) with permissions that allow the Domain Admins and CONTOSO\Trainers groups Read (R) access to the \\contoso.office\public\training folder, type the following command:

dfsutil property acl grant \\contoso.office\public\training ”CONTOSO\Domain Admins”:R CONTOSO\Trainers:R Protect Replace

Permission table

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Search for:
Calendar

July 2012

M T W T F S S

1

2 3 4 5 6 7 8

9 10 11 12 13 14 15

16 17 18 19 20 21 22

23 24 25 26 27 28 29

30 31

« Jun Aug »
Social Media and RSS
vExpert
Recent Posts
- Windows Virtualization Based Security June 8, 2024
- SNMP explained January 29, 2023
- Using tcpdump December 14, 2022
- Vdbench August 7, 2022
- What is SSPI – Security Support Provider Interface? February 12, 2022
Archives
- June 2024 (1)
- January 2023 (1)
- December 2022 (1)
- August 2022 (1)
- February 2022 (2)
- October 2021 (1)
- July 2021 (1)
- May 2021 (1)
- March 2021 (1)
- February 2021 (1)
- January 2021 (1)
- December 2020 (1)
- November 2020 (2)
- October 2020 (1)
- August 2020 (1)
- July 2020 (2)
- June 2020 (2)
- April 2020 (1)
- March 2020 (2)
- December 2019 (1)
- November 2019 (2)
- August 2019 (1)
- July 2019 (1)
- May 2019 (1)
- April 2019 (1)
- February 2019 (1)
- January 2019 (2)
- December 2018 (1)
- November 2018 (1)
- October 2018 (1)
- August 2018 (1)
- June 2018 (1)
- April 2018 (1)
- March 2018 (1)
- January 2018 (1)
- November 2017 (1)
- October 2017 (1)
- September 2017 (1)
- August 2017 (1)
- June 2017 (1)
- May 2017 (1)
- April 2017 (2)
- March 2017 (1)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- November 2016 (2)
- September 2016 (1)
- August 2016 (2)
- July 2016 (2)
- May 2016 (2)
- February 2016 (3)
- January 2016 (3)
- December 2015 (3)
- November 2015 (1)
- October 2015 (2)
- September 2015 (2)
- August 2015 (2)
- July 2015 (2)
- June 2015 (3)
- May 2015 (2)
- April 2015 (1)
- March 2015 (2)
- February 2015 (2)
- January 2015 (2)
- December 2014 (3)
- November 2014 (2)
- October 2014 (1)
- September 2014 (2)
- August 2014 (2)
- July 2014 (2)
- June 2014 (3)
- May 2014 (1)
- April 2014 (1)
- March 2014 (6)
- February 2014 (2)
- January 2014 (2)
- December 2013 (1)
- November 2013 (3)
- October 2013 (5)
- September 2013 (1)
- August 2013 (2)
- July 2013 (6)
- June 2013 (4)
- May 2013 (5)
- April 2013 (4)
- March 2013 (28)
- February 2013 (53)
- January 2013 (63)
- December 2012 (13)
- November 2012 (11)
- October 2012 (13)
- September 2012 (6)
- August 2012 (16)
- July 2012 (22)
- June 2012 (16)
- May 2012 (19)
- April 2012 (10)
- March 2012 (13)
- February 2012 (32)
- January 2012 (25)
Categories
- Benchmarking (3)
- Certification (164)
  - Microsoft (1)
  - VCAP5 DCA (155)
    - Objective 1 Storage (33)
    - Objective 2 Networking (21)
    - Objective 3 Tuning and Optimisation (26)
    - Objective 4 Business Continuity (11)
    - Objective 5 Operational Maintenance (15)
    - Objective 6 Advanced Troubleshooting (28)
    - Objective 7 Secure a vSphere environment (15)
    - Objective 8 Perform Scripting and Automation (8)
    - Objective 9 Advanced vSphere Installation (8)
  - VCP5-DCV (1)
- Cisco (1)
- Command Line (8)
  - PowerCLI (3)
  - Robocopy (1)
  - vCLI (1)
- Flex 10 (1)
- FreeNas (2)
- IMM/RSA (1)
- IPv6 (2)
- IT (38)
- Kubernetes (1)
- McAfee Products (1)
- microsoft (89)
  - Active Directory (7)
  - ActiveSync (1)
  - App-V (2)
  - Auditing (1)
  - BgInfo (1)
  - CA (1)
  - Clustering (6)
    - Microsoft Failover Clustering (2)
    - SQL Failover Clustering (1)
  - DFS (5)
  - DHCP (1)
  - Disk Quotas (1)
  - DNS (1)
  - Excel (1)
  - Forest Trusts (1)
  - Group Policy (3)
  - Hyper V (1)
  - Kerberos (1)
  - NAP (1)
  - Networking (2)
  - NLB (2)
  - NTFS (1)
  - Performance (3)
  - PowerShell (5)
  - Process Explorer (1)
  - Registry Mods (1)
  - RemoteApp (1)
  - Roaming Profiles (3)
  - ROUTE Command (1)
  - Shrinking Drives (1)
  - SQL Server (6)
  - System Volume Information (1)
  - Technet Labs (1)
  - Terminal Services (7)
  - Time Synchronisation (1)
  - UAC (1)
  - Upgrading Windows Editions (1)
  - WFAS (1)
  - Windows Firewall (1)
  - Windows Server 2012 (9)
  - XP Mode (1)
- Mobile Telephony (1)
- Networking (3)
- Oracle RAC (1)
- Personal (8)
- Security (1)
- SNMP (1)
- SRM (1)
- Storage (6)
- Technology (2)
- VdBench (1)
- Viso (1)
- VMware (206)
  - Active Directory Integration (1)
  - AD LDS (1)
  - Antivirus (1)
  - AutoDeploy (4)
  - Autolab (1)
  - Blogs (1)
  - Certificates (1)
  - Cloning (2)
  - Cluster Admission Control (1)
  - Clustering (3)
  - Compatibility Guide (1)
  - Database (6)
  - Documentation Center (4)
  - DRS (1)
  - ESXTOP + RESXTOP (4)
  - EVC (1)
  - F5 Load Balancer (1)
  - Guest O/S Customization (1)
  - HA (7)
  - Host profiles 6.5 (2)
  - iPad Knowledge App (1)
  - Labs (1)
  - Licensing (2)
  - Logs (3)
  - Monitoring (15)
  - NetFlow (1)
  - Networking (10)
  - NLB (1)
  - PowerCLI (4)
  - PSA and NMP (1)
  - RDM (1)
  - Resource Pools (1)
  - SMP (2)
  - Snapshots (1)
  - SSO (2)
  - Storage (32)
  - Time Syncing (1)
  - TPS (1)
  - UMDS (2)
  - Upgrading (3)
  - USB Devices (1)
  - VAAI (1)
  - vApps (1)
  - VASA (1)
  - vCenter (7)
  - vCheck (1)
  - vCLI (1)
  - VCSA 6.5 (2)
  - vMA (1)
  - vMotion (2)
  - VMware Labs (1)
  - VMware Tools (1)
  - VMware View (1)
  - vRA (13)
    - F5 Load Balancer with vRA (1)
    - vRA Certificates (1)
    - vRA Distributed Deployment v6.2.3 (3)
      - Part 1 (1)
      - Part 2 (1)
      - Part 3 (1)
    - vRA Small Deployment v6.2.3 (7)
      - Part 1 (1)
      - Part 2 (1)
      - Part 3 (1)
      - Part 4 (1)
      - Part 5 (1)
      - Part 6 (1)
      - Part 7 (1)
    - vRA7 (1)
      - vRA7 Minimal Deployment (1)
  - vRealize Log Insight (3)
    - Management Packs (1)
    - vCO Monitoring (1)
  - vROps (1)
    - Replacing Certificates (1)
  - VSA (1)
  - vSAN (8)
    - HCIBench (3)
    - vSAN Stretched Cluster (1)
  - vSphere 6 (10)
    - Decommissioning vCenter and PSC (1)
    - HTML5 Web Client (1)
    - JXplorer (1)
    - Platform Services Controller (5)
      - Enhanced Linked Mode (1)
      - High Availability (1)
      - Multisite (3)
    - PSC Replication (1)
    - Registering Orchestrator in vSphere (1)
  - vSphere Web Client (1)
- Web (1)
Tags

2012 ad AutoDeploy Certificate certification cluster Clustering DB DFS DRS esxi firewall gpo HA I/O iSCSI Labs logs LUN memory Microsoft NIC Performance powercli powershell PSA PSC RDM RDS sql storage Storage vMotion troubleshooting tuning upgrade vCenter vDS vm VMDK VMware vRA vro VSAN vsphere6 vSS
Fatcow Webhosting