DFS Access Based Enumeration ABE


Rich
08-22-2008
I am trying to implement ABE on a DFS root. I have run dfsutil and enabled ABE
for the DFS root (dfsutil property ABE <DFSPath>). It says it is now enabled,
but my test user account can still see all folders. This test user account
does not have permissions on the target folders. What am I missing?

pwijnants
08-24-2008
Hi Rich,

I was having the same problem, I couldn't find anything on the net, this is
what I came up with after several hours of searching:

1. Enable ABE on the DFS path

dfsutil property ABE <DFSPath>

2. Get rid of any group at the top level that includes users. I had my
DFS roots created on the C: drive and the Users group was inherited down to my
DFS links, so the user saw every link. After deleting the Users group, I
didn't see any link.

3. You can set the right on the link with

dfsutil property ACL grant \\contoso.com\DomainNamespace1\Link1 CONTOSO\UserId:R

Read right is enough, it is just used for ABE to have access to it;
afterwards the rights of the linked share are taken into account.

After this it seems to work

Rich
08-25-2008
Thanks for the reply. I was hoping that it would refer to the folder
permissions and not require that I have to set file permissions on the links
themselves. I have hundreds of folder links that I will need to set
permissions on, which will call for creating a script to read in the current
folder perms and then applying them to the links. It doesn't make sense to me
that it would not be using the folder permissions for ABE.
Thanks again.

Choodee
09-02-2008
I too have the same problem with DFS and ABE. What you will find annoying is
that rebooting your DFS server will reset the custom DFS ACLs and disable
ABE on all DFS folder targets. This seems like a big bug to me and had I
known I would not have implemented DFS for my company. My saving grace is
that I use Windows Server 2008 DCs with DFS running in native mode. The DCs
are hardly rebooted so I have time to possibly create a script to
automatically apply ACLs. However, common sense tells me that DFS links
should copy DFS target ACLs.

Thanks
Sandee


tkutil
09-02-2008
You need to have the same permissions on the share as in the DFS root folder.

Set folder permissions (not share) on the shared folder.
Set the same permissions on the DFS link that is created under your DFS root
folder. You can use cacls to set the permissions.

cacls dfs-share-name /e /g username:f

Stop/Start DFS


Rich
09-04-2008
I had the same problems with DFS resetting the ACLs on the folder links also.
It seems that cacls worked for 2003 but that appears to no longer be the case
with 2008. I found that you can keep the permissions from resetting if you
use dfsutil to set the permission. So far I haven't been able to find a
detailed doc that shows why and how to properly set up ABE with DFS.

dfsutil property ACL grant \\contoso.com\DomainNamespace1\Link1 CONTOSO\UserId:R



Rich
09-04-2008
Oh, I just found something else out playing around with some scripts. It
looks like it would be possible to grab the security info from the folders
using ICACLS and then pipe the SDDL results into the dfsutil command. This
would allow me to set the permissions and resync them later on a few hundred
folder links all at once. I will post an example of the script if it works.
Thanks.

Rich
09-04-2008
Made this script to take care of the permissions on the folder links. It
will take the permissions from the shared folders using icacls and then feed
it into the dfsutil utility to set the permissions on the folder links.
Working so far even after rebooting.

Create a \ACLs dir in your script dir before running.

Const FOR_READING = 1
Const OpenAsUnicode = -1   'icacls /save writes a Unicode (UTF-16) file
Const FailIfNotExist = 0
strFolder = "F:\SharedVol1"           'folder shares
strDestination = "e:\DFSRoots\Shared" 'folder links
strDFSPath = "\\server\shared\"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFolder = objFSO.GetFolder(strFolder)
WScript.Echo objFolder.Path
Set colSubFolders = objFolder.SubFolders

'Pass 1: save each shared folder's security descriptor to .\ACLs\<name>.bin
For Each objFolder In colSubFolders
    strCmd = "cmd /c icacls " & Chr(34) & objFolder.Path & Chr(34) & " /save " & _
        Chr(34) & ".\ACLs\" & objFolder.Name & ".bin" & Chr(34) & " /L"
    'wscript.echo strCmd
    'Hidden window; wait for icacls to finish so the file exists for pass 2
    objShell.Run strCmd, 0, True
Next

'Pass 2: read each saved file and push its DACL line to the matching folder link
strPresent = "D:" 'Identifies the read line as a DACL
For Each objFolder In colSubFolders
    strBinFile = ".\ACLs\" & objFolder.Name & ".bin"
    wscript.echo strBinFile

    Set objFile = objFSO.OpenTextFile(strBinFile, FOR_READING, FailIfNotExist, OpenAsUnicode)

    Do Until objFile.AtEndOfStream
        strSDDL = objFile.ReadLine
        wscript.echo strSDDL
        If InStr(Left(strSDDL, 2), strPresent) = 1 Then
            strCmd = "cmd /c dfsutil property ACL set " & Chr(34) & strDFSPath & _
                objFolder.Name & Chr(34) & " " & strSDDL
            objShell.Run strCmd, 0, True
            wscript.echo strCmd
        Else
            'Wscript.Echo "Line is not needed: " & strSDDL
        End If
    Loop

    objFile.Close
Next


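
Added example, not Rich's script and not part of the thread: Python that parses the file icacls /save produces and builds the dfsutil property ACL set calls as argument lists instead of a cmd /c string, so folder names and SDDL text are never interpreted by the shell. It assumes the /save file is UTF-16 with a BOM and alternates a path line with that path's SDDL line; the namespace path and the sample SDDL strings are constructed.

```python
import subprocess

DFS_PATH = r"\\server\shared"   # namespace root; constructed placeholder


def parse_icacls_save(data: bytes) -> list[tuple[str, str]]:
    """Return (name, sddl) pairs from the raw bytes of an icacls /save file.

    icacls writes the file as UTF-16 with a BOM; decoding it as 'utf-16' is the
    same detail the VBScript above must handle via OpenTextFile's Unicode flag.
    The file alternates a path line with the SDDL line for that path.
    """
    lines = [ln for ln in data.decode("utf-16").splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("icacls save file must hold path/SDDL line pairs")
    pairs = []
    for name, sddl in zip(lines[0::2], lines[1::2]):
        # Same test as the thread's script: a DACL string starts with "D:"
        if not sddl.startswith("D:"):
            raise ValueError(f"line after {name!r} is not a DACL: {sddl!r}")
        pairs.append((name, sddl))
    return pairs


def dfsutil_commands(pairs, dfs_path=DFS_PATH) -> list[list[str]]:
    """Build one argv list per folder link for `dfsutil property ACL set`.

    Passing argv lists to subprocess (no `cmd /c` string) means a folder name
    or SDDL containing & or | is never interpreted as a shell operator.
    """
    return [["dfsutil", "property", "ACL", "set", f"{dfs_path}\\{name}", sddl]
            for name, sddl in pairs]


def apply_commands(cmds):
    """Run each dfsutil command on the namespace server; stop on first failure."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


# Constructed sample of what saving two shared folders with icacls could emit,
# encoded as UTF-16 with BOM the way icacls writes it.
SAMPLE_SAVE_FILE = (
    "Finance\n"
    "D:AI(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;S-1-5-21-1-2-3-1105)\n"
    "HR\n"
    "D:PAI(A;OICI;FA;;;BA)(A;OICI;FR;;;S-1-5-21-1-2-3-1106)\n"
).encode("utf-16")

if __name__ == "__main__":
    for cmd in dfsutil_commands(parse_icacls_save(SAMPLE_SAVE_FILE)):
        print(" ".join(cmd))   # dry run: show what would be executed
```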

Chalky
11-13-2008
Hey Rich, this might not help, as my setup is a bit different from yours:
I've only got a couple of links, so I enabled ABE on the target shares
themselves on the file-servers. That suited me, as I wasn't trying to hide
the DFS folders, just the folders within the targets.


"Rich" wrote:

I have hundreds of folder links that I will need to set permissions on...