Discussion:
Problem hiding shares in DFS
Raymond Verstegen
2009-04-06 09:35:01 UTC
We are using Windows 2003.
Old configuration:
We had a cluster share, for example groups$ referring to c:\groups.
Under c:\groups were a lot of subfolders for the different departments.
Users only got to see the shares they had access to.

We made shares (in the cluster administrator) for all folders under
c:\groups (groupaccounting$ referring to c:\groups\accounting, groupfinance$
referring to d:\groups\finance) etc. etc.
I made in DFS a Groups\Finance and a Groups\Accounting.

Now the accounting group can see the finance group even though they can't
access it.
I turned on Access-based Enumeration for both folders, and created a
Generic application in the Cluster administrator: "cmd /k abecmd /enable
groupaccounting$"
I did this for all shares but still everyone can see all shares in the
groups, even the ones they don't have access to.

Any ideas how to hide the shares for people who don't have access to them?
Isaac Oben [MCITP:EA, MCSE]
2009-04-06 10:57:17 UTC
Hello Raymond,

Assuming you are using domain based dfs and you have ABE installed and
enabled on the main share, try

CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
will depend on the rights, F= full etc)

Isaac
Raymond Verstegen
2009-04-06 12:20:08 UTC
Hi Isaac,

Thanks for the fast reply.
The accounting department already has access to the accounting share, and
the finance department to their share.
The problem is that the accounting department sees the finance share, and
the other way around.
DaveMills
2009-04-06 21:57:19 UTC
Isaac is referring to the permissions on the DFS link, not on the target folder.
For any DFS access there are two NTFS permissions involved, those on the physical
link (reparse point) C:\DFSRoot\Groups\Accounting and those at the target
c:\groups\accounting. ABE in DFS displays the link because the permissions on the
links are "read" even though the permissions on the target are "deny".

Please note also that there were a number of patches regarding ABE on W2003 so
make sure the server is on the latest SP and fully patched. I don't recall the
KB numbers.




--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Isaac Oben [MCITP:EA, MCSE]
2009-04-07 02:44:35 UTC
Hello Raymond,

I might not have been clear with my previous post.

Make sure ABE is installed on all servers hosting DFS.
Turn on ABE on the "Group" share by checking the box "enable access-based
enumeration on this shared folder"
Make sure "Accounting and Finance" are properly shared and NTFS permissions
are in place. For the Accounting Share, I will give Full Control to
Accounting Users, System, Administrator, Owner creator, and remove
everything else, add Users (Domain.com\Users) and grant the following
permissions
List Folder / Read Data
Read Attributes
Read Extended Attributes

Now apply ACL to the Accounting and Financing Folders (Ghost folders)
CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
and
CACLS C:\Groups\Finance /E /G DomainName\Finance:C

Your ABE for DFS should be good now

Hope this helps

Isaac
Raymond Verstegen
2009-04-07 09:47:01 UTC
I'm not sharing the group folder, only the folders in the group folder.
In the old situation I shared the group folder, since all subfolders were
there.
There everything worked as intended.
Now I'm not sharing the group folder anymore, because all subfolders are not
only in the group folder anymore, but divided on different discs/partitions.
So in DFS I created groups/accounting pointing to c:\groups\accounting.
But if I would share the groups (c:\groups) folder the folder
d:\groups\finance wouldn't be visible
Isaac Oben [MCITP:EA, MCSE]
2009-04-07 09:59:56 UTC
Hello Raymond,
Then turn on ABE on the Accounting and Finance Shared folders

CACLS C:\Accounting /E /G DomainName\Accounting:C
and
CACLS C:\Finance /E /G DomainName\Finance:C

Hope this helps,

Isaac
DaveMills
2009-04-07 18:58:23 UTC
On Tue, 7 Apr 2009 02:47:01 -0700, Raymond Verstegen
Post by Raymond Verstegen
I'm not sharing the group folder, only the folders in the group folder.
In the old situation I shared the group folder, since all subfolders were
there.
There everything worked as intended.
Now I'm not sharing the group folder anymore, because all subfolders are not
only in the group folder anymore, but divided on different discs/partitions.
So in DFS I created groups/accounting pointing to c:\groups\accounting.
But if I would share the groups (c:\groups) folder the folder
d:\groups\finance wouldn't be visible

Try this: Create a new folder in the DFS console called, say, "test". Do not add
any links. Now look at who can see that folder. I think you will find most can
see the new folder. This is the crux of the problem: ABE is reacting to the NTFS
permissions on the folder. This persists even after you add links, even though
the user cannot access the link target.
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
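
A simplified model of the behaviour DaveMills describes in this thread, added here as an illustration; it is not code from any poster or from Windows. It shows that ABE filters the namespace listing on the ACL of the link folder in the DFS root, so a restricted target alone does not hide the link. The single READ bit, the group names and the inherited "Users" read ACE on the link folders are assumptions made for the example.

```python
# Simplified model (constructed for illustration) of how ABE decides visibility
# of DFS link folders. Group names and ACLs are assumptions, not from a real server.
READ = 0x1  # stands in for "List Folder / Read Data"

def access_check(acl, groups, wanted=READ):
    """Walk ACEs in order like a Windows access check: a matching deny on a
    still-needed right fails; allows accumulate until everything is granted."""
    remaining = wanted
    for kind, trustee, mask in acl:
        if trustee not in groups:
            continue
        if kind == "deny" and mask & remaining:
            return False
        if kind == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return False

def abe_listing(link_acls, groups):
    """ABE filters on the ACL of the link folder in the DFS root, never the target."""
    return sorted(name for name, acl in link_acls.items() if access_check(acl, groups))

def can_open(target_acls, name, groups):
    """Opening a link is decided by the target's ACL; no target means no access."""
    return access_check(target_acls.get(name, []), groups)

# Targets (c:\groups\accounting, d:\groups\finance): already restricted per department.
TARGETS = {
    "Accounting": [("allow", "Accounting", READ)],
    "Finance": [("allow", "Finance", READ)],
}
# Link folders as created: they carry a broad read ACE from the DFS root (assumed).
LINKS_DEFAULT = {
    "Accounting": [("allow", "Users", READ)],
    "Finance": [("allow", "Users", READ)],
    "test": [("allow", "Users", READ)],  # empty DFS folder, no link target
}
# Link folders after replacing the broad ACE with the department group.
LINKS_TIGHT = {
    "Accounting": [("allow", "Accounting", READ)],
    "Finance": [("allow", "Finance", READ)],
    "test": [("allow", "Administrators", READ)],
}

ACCOUNTANT = {"Users", "Accounting"}  # constructed sample user

if __name__ == "__main__":
    print("default links:", abe_listing(LINKS_DEFAULT, ACCOUNTANT))
    print("can open Finance:", can_open(TARGETS, "Finance", ACCOUNTANT))
    print("tight links:", abe_listing(LINKS_TIGHT, ACCOUNTANT))
```

With the default link ACLs the accountant sees every folder, including "test" and the Finance link that cannot be opened; only tightening the link-folder ACLs changes the listing.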