DFS Permissions Child Folders

  • DFS Permissions Child Folders

    DFS has been configured on 3 of our 2008 servers. All of them are 64 Bit but two are STD SP2 and one is R2. I never used DFS before so all this is new. From what I can tell the replication and namespace are working. I have a very simple test structure with just a few folders. The issue I'm having is that no matter what permissions I set on the child folders of the root, users (other than admins) are all read & execute. I shared the subfolders directly and added the users to the share access but it didn't work (still read). I also had the users navigate to the folder directly without going through the namespace and they were denied write access. I turned off inheritance on the child folders and added the users there directly but it had no effect. What confused me is when I tested this on several occasions (I'm pretty sure) it was working. If I recreate the folder permissions outside of the root DFS share the users can access and write to it.

  • #2
    Re: DFS Permissions Child Folders

    I'm not entirely sure how you are creating the shares.

    When I do this I create the shares, then set the share and security permissions. Next, I fire up DFS, add the folders to the namespace then specify the path to the share for each folder.
    A recent poll suggests that 6 out of 7 dwarfs are not happy


    • #3
      Re: DFS Permissions Child Folders

      As pointed out, you have probably left the share as read only for everyone.


      • #4
        Re: DFS Permissions Child Folders

        I'll explain a little more as it may shed light on the issue. I have three servers that are members of the DFS shares. I manually created a folder on the D drives called TASCT-Shares. I told DFS to use this as the root and replicate between the three. I added admins with full control and Everyone as read only. I also shared this folder in Windows with those permissions (so you could navigate to it using the server name rather than the namespace if needed). I have folder structures in other places on the server that I was planning on moving within this new DFS structure. I figured I would create the root structure in which Everyone can see but not modify (for example, department folders HR, Finance, Engineering). Then I would set those folders to NOT inherit permissions from the parent root, share them, and add the users as needed. Then I would dump the already existing folders from other locations in their respective sub-folders in the root and the permissions that they had would carry over??? If this is not possible does anyone have a quick how-to, to make this happen? Basically I need to reorganize and move my non-DFS folders I want to be in DFS. I don't want to add them in DFS where they exist now.


        • #5
          Re: DFS Permissions Child Folders

          I feel there is some confusion about DFS roots - there is no need to put everything you wish to share within the root.
          In fact, the root should really only contain links to shares on other servers

          For example:
          Create DFS root on a DC as \\domain.corp\DFS (does not have to be on the DC)
          Share folder on server as \\servername\DataShare (set permissions as required on share)
          Add link to DFS root so users can see \\domain.corp\DFS\DataShare
          Add additional copies of share and enable DFS replication

          The result is that users are not aware of which server the share is on, only how to get to the root

          So basically you do not have to physically put the shares inside the DFS root...
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: DFS Permissions Child Folders

            Also, your Share permissions determine what people are able to do when they access those shares. If you set the share permissions to read only those permissions will apply regardless of what else you specify in the folder security. Disabling inheritance of permissions disables folder security inheritance so that permissions applied further up the path towards the root of the drive are not passed to the folder in question - it 'breaks' the flow and you can then edit them or remove them as required. You can't disable Share permission inheritance. Folder security and share permissions are very different.

            I usually set the permissions on the share to allow full control for groups that need to modify data and then set the appropriate permissions on the folder security as required. You can set Everyone to full control on the Share permissions and then set Everyone on read only or modify or full control as required on the folder security.

            Adding a UNC share path to DFS does not affect the security you set up.
            A recent poll suggests that 6 out of 7 dwarfs are not happy
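
Added example, not part of the thread: a PowerShell audit for the situation described in posts #4 and #6, where a share DACL that gives non-admins only Read caps whatever write access the NTFS ACLs grant on the shared folder and its child folders. It uses WMI so it runs under PowerShell 2.0 on Server 2008; the `$ignored` trustee list is an assumption to adjust for your environment.

```powershell
# Added example: list NTFS write grants that are capped to Read by the share DACL.
$fsWrite = [int][System.Security.AccessControl.FileSystemRights]::WriteData
# Assumption: trustees treated as administrative or special and left out of the report.
$ignored = 'Administrators', 'SYSTEM', 'Domain Admins', 'CREATOR OWNER'

foreach ($share in Get-WmiObject -Class Win32_Share -Filter 'Type = 0') {
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name = '$($share.Name)'"
    if (-not $sec) { continue }                     # no share security descriptor to read
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL

    # Share ACEs: AceType 0 = allow. FILE_WRITE_DATA (0x2) is present in the
    # Change and Full Control share masks and absent from the Read mask.
    $shareWriters = @($dacl | Where-Object {
        $_.AceType -eq 0 -and ($_.AccessMask -band 2) -and
        ($ignored -notcontains $_.Trustee.Name)
    })
    if ($shareWriters.Count -gt 0) { continue }     # share already lets non-admins write

    # The share caps non-admins at Read: check the shared folder and its
    # first-level child folders for NTFS rules that grant write anyway.
    $folders = @(Get-Item -LiteralPath $share.Path) +
               @(Get-ChildItem -LiteralPath $share.Path | Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        foreach ($rule in (Get-Acl -Path $folder.FullName).Access) {
            $trustee = $rule.IdentityReference.Value
            $short   = $trustee -replace '^.*\\', ''   # drop the DOMAIN\ prefix
            # Tests the explicit WriteData bit, which Modify and Full Control include.
            $grantsWrite = ([int]$rule.FileSystemRights -band $fsWrite) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $grantsWrite -and
                ($ignored -notcontains $short)) {
                New-Object PSObject -Property @{
                    Share      = "\\${env:COMPUTERNAME}\$($share.Name)"
                    Folder     = $folder.FullName
                    Trustee    = $trustee
                    NtfsRights = $rule.FileSystemRights
                    ViaShare   = 'Read only (capped by share DACL)'
                }
            }
        }
    }
}
```

Each row is an NTFS write grant that has no effect for users who connect through that share. Either raise the share permission for the group concerned and let the NTFS ACL do the restricting, as post #6 describes, or publish the folder through its own share and add that share as a DFS folder target.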