Windows Server 2003 Access-based Enumeration
This is something that may help you when implementing ABE with DFS-N; it is what you want in place on every server that hosts the namespace.
see link:
I hope this helps you ... similar to something I have just finished deploying.
########### EXAMPLE SETUP ###########
Download and install the Windows Server 2003 Access-based Enumeration package (ABE is a separate download for Server 2003, not built in)
DFS-SERVER-NAME, for example = DFS-SERVER-1
you have a shared root folder D:\DFS-DEPT-SHARE\
which users reach through the namespace as \\DOMAIN.LOCAL\DEPT
D:\DFS-DEPT-SHARE\TECH
\\DOMAIN.LOCAL\DEPT\TECH
D:\DFS-DEPT-SHARE\REALESTATE
\\DOMAIN.LOCAL\DEPT\REALESTATE
###########
In AD create 3 groups called:
DEPT-TECH
DEPT-REALESTATE
and
DEPT-SHARE-ACCESS
make DEPT-TECH a member of DEPT-SHARE-ACCESS
make DEPT-REALESTATE a member of DEPT-SHARE-ACCESS
###########
add userA into DEPT-TECH group
add userB into DEPT-REALESTATE group
add userC into both DEPT-TECH and DEPT-REALESTATE
########### Sharing & Security on actual folders ###########
Remove the inheritable permissions on each folder ... set them all independently.
D:\DFS-DEPT-SHARE (add the DEPT-SHARE-ACCESS group on this folder only - NOT subfolders and files)
set Allow on these 5 items (together they are the "Read & execute" set):
Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions
D:\DFS-DEPT-SHARE\TECH (DEPT-TECH group added)
remove the inheritable permissions and select Copy, then remove the copied DEPT-SHARE-ACCESS entry
give the DEPT-TECH group the level of access you want (for example Modify)
D:\DFS-DEPT-SHARE\REALESTATE (DEPT-REALESTATE group added)
rinse and repeat, with DEPT-REALESTATE in place of DEPT-TECH
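The folder permissions above, done with Get-Acl / Set-Acl rather than the Security tab. This is an added example, not the post's own script: group and folder names are the post's, while the DOMAIN\ prefix, the Modify level for the department groups and the SYSTEM / Administrators Full Control entries (so the server and its admins keep access once inheritance is broken) are assumptions.

```powershell
# Added example, not the post's own script: apply the NTFS ACLs described above with
# Get-Acl / Set-Acl. Run as an administrator on the file server. Group and folder
# names are the post's; the DOMAIN\ prefix, the Modify level for the department groups
# and the SYSTEM / Administrators Full Control entries are assumptions.
$root   = 'D:\DFS-DEPT-SHARE'
$domain = 'DOMAIN'   # NetBIOS name of DOMAIN.LOCAL (assumed)

$inheritDown    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None

function New-AllowRule {
    param([string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Set-CleanAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    # "Remove the inheritable permissions": stop inheriting from the parent and drop
    # the inherited entries, then purge any explicit leftovers so only $Rules remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) { $acl.PurgeAccessRules($ace.IdentityReference) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

# Root folder: DEPT-SHARE-ACCESS on this folder only. ReadAndExecute is exactly the
# five items listed above (Traverse folder / execute file, List folder / read data,
# Read attributes, Read extended attributes, Read permissions).
Set-CleanAcl -Path $root -Rules @(
    (New-AllowRule 'NT AUTHORITY\SYSTEM'       'FullControl'    $inheritDown),
    (New-AllowRule 'BUILTIN\Administrators'    'FullControl'    $inheritDown),
    (New-AllowRule "$domain\DEPT-SHARE-ACCESS" 'ReadAndExecute' $thisFolderOnly)
)

# Department folders: their own group only, applied to subfolders and files too.
foreach ($dept in 'TECH', 'REALESTATE') {
    Set-CleanAcl -Path (Join-Path $root $dept) -Rules @(
        (New-AllowRule 'NT AUTHORITY\SYSTEM'    'FullControl' $inheritDown),
        (New-AllowRule 'BUILTIN\Administrators' 'FullControl' $inheritDown),
        (New-AllowRule "$domain\DEPT-$dept"     'Modify'      $inheritDown)
    )
}

# Show the result: the explicit entries per folder are what ABE evaluates.
foreach ($path in $root, (Join-Path $root 'TECH'), (Join-Path $root 'REALESTATE')) {
    "`n$path"
    (Get-Acl -Path $path).Access | Where-Object { -not $_.IsInherited } |
        Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```

Set-CleanAcl purges the existing entries before adding the new ones, so running it twice gives the same result and nothing from an earlier attempt survives; that is the "clean set" behaviour you want when the folder was previously permissioned by hand.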
here is where it gets interesting ... test from a workstation, logged on as each user in turn
(D$ is the administrative share, which only members of the server's local Administrators group can open; for ordinary test accounts use the share name of D:\DFS-DEPT-SHARE in place of D$ in the paths below)
UserA should be able to see
\\DFS-SERVER-1\D$\DFS-DEPT-SHARE\
\\DFS-SERVER-1\D$\DFS-DEPT-SHARE\TECH
UserB should be able to see
\\DFS-SERVER-1\D$\DFS-DEPT-SHARE\
\\DFS-SERVER-1\D$\DFS-DEPT-SHARE\REALESTATE
UserC should be able to see
\\DFS-SERVER-1\D$\DFS-DEPT-SHARE\
\\DFS-SERVER-1\D$\DFS-DEPT-SHARE\TECH
\\DFS-SERVER-1\D$\DFS-DEPT-SHARE\REALESTATE
If that is all working you can now move on to making sure that ABE (Access-based Enumeration) is working via DFS
Most likely UserA will still be able to see all three:
\\DOMAIN.LOCAL\DEPT
\\DOMAIN.LOCAL\DEPT\TECH
and --> \\DOMAIN.LOCAL\DEPT\REALESTATE
because what the namespace server enumerates for \\DOMAIN.LOCAL\DEPT is the DFS root folder C:\DFSRoots\DEPT and the link folders in it, not D:\DFS-DEPT-SHARE, and those link folders still carry their default permissions.
This is where the trick comes in ... you need to copy the ACL (Access Control List) from the shared root folder
D:\DFS-DEPT-SHARE\
onto the DFS root folder
C:\DFSRoots\DEPT
Do the same for both links
D:\DFS-DEPT-SHARE\TECH
-> C:\DFSRoots\DEPT\TECH
D:\DFS-DEPT-SHARE\REALESTATE
-> C:\DFSRoots\DEPT\REALESTATE
ABE then filters the link folders under C:\DFSRoots\DEPT on those permissions, so it must be enabled on the DFS root share (the share of C:\DFSRoots\DEPT) as well as on the share of D:\DFS-DEPT-SHARE; the ABE package adds an Access-based Enumeration tab to each share's properties and an abecmd.exe command-line tool for this.
Now, because UserA is a member of DEPT-TECH, and DEPT-TECH is a member of DEPT-SHARE-ACCESS, UserA also picks up the DEPT-SHARE-ACCESS rights on the root through that nesting.
That way, generally speaking, a user is only a direct member of one group and you use the nesting of member groups to manage the tree.
now when you test it should only show:
UserA
\\DOMAIN.LOCAL\DEPT
\\DOMAIN.LOCAL\DEPT\TECH
NOTE: If you have multiple DFS servers you need to apply the same permissions on every server, i.e. on each of
DFS-SERVER-1
DFS-SERVER-2
DFS-SERVER-3
C:\DFSRoots exists on every server that is a namespace server for the DFS root, and each copy has its own NTFS permissions.
You need to make sure the shared D:\ folders and the C:\DFSRoots folders all have the permissions applied on each server; this caught me out, as I was expecting to resolve to DFS-SERVER-1 but I was picking up DFS-SERVER-2 and I hadn't applied the permissions on that server.
The easiest way to get and set folder permissions is to use Microsoft PowerShell.
Get-Acl and Set-Acl; there are .ps1 scripts on the internet to get and set folder permissions, and you want the kind that removes all existing folder permissions and then sets a clean set.
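The copy-onto-DFSRoots step and the "every namespace server" note above, as an added example (not the internet script the post refers to): it copies only the explicit DACL entries of each D:\DFS-DEPT-SHARE folder into the target folder's own security descriptor, so Set-Acl never tries to change an owner, and then checks that every copy matches the source. Server and folder names are the post's; that it runs on DFS-SERVER-1 as an administrator of all three servers, and reaches the other two through their C$ and D$ administrative shares, is assumed.

```powershell
# Added example, not the script the post refers to: copy the explicit DACL entries of
# each D:\DFS-DEPT-SHARE folder onto the matching C:\DFSRoots\DEPT folder on every
# namespace server, then verify that all copies agree. Server and folder names are the
# post's; running on DFS-SERVER-1 as an administrator of all three servers is assumed,
# since the remote copies go through the C$ and D$ administrative shares.
$servers = 'DFS-SERVER-1', 'DFS-SERVER-2', 'DFS-SERVER-3'
$folders = @{                                   # local source  ->  DFS root link folder
    'D:\DFS-DEPT-SHARE'            = 'C:\DFSRoots\DEPT'
    'D:\DFS-DEPT-SHARE\TECH'       = 'C:\DFSRoots\DEPT\TECH'
    'D:\DFS-DEPT-SHARE\REALESTATE' = 'C:\DFSRoots\DEPT\REALESTATE'
}

function ConvertTo-AdminSharePath {
    param([string]$Server, [string]$LocalPath)   # D:\Foo -> \\SERVER\D$\Foo
    '\\' + $Server + '\' + $LocalPath.Substring(0, 1) + '$' + $LocalPath.Substring(2)
}

function Get-ExplicitAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }
}

function Copy-Dacl {
    param([string]$Source, [string]$Target)
    # Work on the target's own descriptor so its owner is untouched; only the DACL is
    # replaced. Breaking inheritance first means no parent entry survives the copy.
    $acl = Get-Acl -Path $Target
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) { $acl.PurgeAccessRules($ace.IdentityReference) }
    foreach ($ace in Get-ExplicitAces $Source) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Target -AclObject $acl
}

function Test-DaclMatch {
    param([string]$Reference, [string]$Candidate)
    $asText = { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|$($_.InheritanceFlags)|$($_.PropagationFlags)" }
    $want = @(Get-ExplicitAces $Reference | ForEach-Object $asText | Sort-Object) -join "`n"
    $have = @(Get-ExplicitAces $Candidate | ForEach-Object $asText | Sort-Object) -join "`n"
    if ($want -ne $have) { Write-Warning "$Candidate differs from ${Reference}:`n$have" }
    return ($want -eq $have)
}

$allMatch = $true
foreach ($server in $servers) {
    foreach ($src in $folders.Keys) {
        # Both the replicated data folder and the namespace link folder on this server
        # get the ACL of the local data folder, then each copy is compared back to it.
        $targets = (ConvertTo-AdminSharePath $server $src), (ConvertTo-AdminSharePath $server $folders[$src])
        foreach ($target in $targets) {
            Copy-Dacl -Source $src -Target $target
            if (-not (Test-DaclMatch -Reference $src -Candidate $target)) { $allMatch = $false }
        }
    }
}
if ($allMatch) { 'DACLs are identical on every namespace server.' } else { 'Fix the servers listed above.' }
```

Test-DaclMatch is the check worth keeping around on its own: run it after any change to the D:\ folders and it tells you which server's DFSRoots copy has drifted, which is exactly the situation where a user ends up on DFS-SERVER-2 and sees links they should not.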
I hope this helps you out
Cheers,
C