Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Server > File Systems > Problem hiding shares in DFS

Reply
Thread Tools Display Modes

Problem hiding shares in DFS

 
 
Raymond Verstegen
Guest
Posts: n/a

 
      04-06-2009
We are using Windows 2003.
Old configuration:
We had a cluster share for example groups$ refering to c:\groups.
Under c:\groups where a lot of subfolders for the different departments.
User only got to see the shares they had access to.

We made shares (in the cluster administrator) for all folders under
c:\groups (groupaccounting$ referring to c:\groups\accounting, groupfinance$
referring to d:\groups\finance) ect ect.
I made in DFS a Groups\Finance and a Groups\Accounting.

Now the accounting group can see the finance group even though they can't
access it.
I turned on Access-based Enumeration for both folders, and created a
Generic application in the Cluster aministrator: "cmd /k abecmd /enable
groupaccounting$"
I did this vor all shares but still everyone can see all shares in the
groups, even the ones they dont have access to.

Any ideas how to hide the shares for people who dont have access to them?
 
Reply With Quote
 
 
 
 
Isaac Oben [MCITP:EA, MCSE]
Guest
Posts: n/a

 
      04-06-2009
Hello Raymond,

Assuming you are using domain based dfs and you have ABE installed and
enabled on the main share, try

CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
will depend on the rights, F= full etc)

Isaac

"Raymond Verstegen" <Raymond > wrote in
message news:FEF4295E-0945-4E31-A7A8-...
> We are using Windows 2003.
> Old configuration:
> We had a cluster share for example groups$ refering to c:\groups.
> Under c:\groups where a lot of subfolders for the different departments.
> User only got to see the shares they had access to.
>
> We made shares (in the cluster administrator) for all folders under
> c:\groups (groupaccounting$ referring to c:\groups\accounting,
> groupfinance$
> referring to d:\groups\finance) ect ect.
> I made in DFS a Groups\Finance and a Groups\Accounting.
>
> Now the accounting group can see the finance group even though they can't
> access it.
> I turned on Access-based Enumeration for both folders, and created a
> Generic application in the Cluster aministrator: "cmd /k abecmd /enable
> groupaccounting$"
> I did this vor all shares but still everyone can see all shares in the
> groups, even the ones they dont have access to.
>
> Any ideas how to hide the shares for people who dont have access to them?



 
Reply With Quote
 
 
 
 
Raymond Verstegen
Guest
Posts: n/a

 
      04-06-2009
Hi Isaac,

Thanks for the fast reply.
The accounting department already has access to the accounting share, and
the finance department to their share.
The problem is, is that the accounting deparment sees the finance share, and
the other way around.


"Isaac Oben [MCITP:EA, MCSE]" wrote:

> Hello Raymond,
>
> Assuming you are using domain based dfs and you have ABE installed and
> enabled on the main share, try
>
> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
> will depend on the rights, F= full etc)
>
> Isaac
>
> "Raymond Verstegen" <Raymond > wrote in
> message news:FEF4295E-0945-4E31-A7A8-...
> > We are using Windows 2003.
> > Old configuration:
> > We had a cluster share for example groups$ refering to c:\groups.
> > Under c:\groups where a lot of subfolders for the different departments.
> > User only got to see the shares they had access to.
> >
> > We made shares (in the cluster administrator) for all folders under
> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
> > groupfinance$
> > referring to d:\groups\finance) ect ect.
> > I made in DFS a Groups\Finance and a Groups\Accounting.
> >
> > Now the accounting group can see the finance group even though they can't
> > access it.
> > I turned on Access-based Enumeration for both folders, and created a
> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
> > groupaccounting$"
> > I did this vor all shares but still everyone can see all shares in the
> > groups, even the ones they dont have access to.
> >
> > Any ideas how to hide the shares for people who dont have access to them?

>
>
>

 
Reply With Quote
 
DaveMills
Guest
Posts: n/a

 
      04-06-2009
Isaac is referring to the permissions on the DFS link not on the target folder.
For any DFS access there of two NTFS permissions involved, those on the physical
link (reparse point) C:\DFSRoot\Groups\Accounting and those at the target
c:\groups\accounting. ABE in DFS displays the Link because the permission on the
links are "read" even though the permissions on the target are "deny".

Please note also that there were a number of patches regarding ABE on W2003 so
make sure the server is on the latest SP and fully patched. I don't recall the
KB numbers.




On Mon, 6 Apr 2009 05:20:08 -0700, Raymond Verstegen
<> wrote:

>Hi Isaac,
>
>Thanks for the fast reply.
>The accounting department already has access to the accounting share, and
>the finance department to their share.
>The problem is, is that the accounting deparment sees the finance share, and
>the other way around.
>
>
>"Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> Assuming you are using domain based dfs and you have ABE installed and
>> enabled on the main share, try
>>
>> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
>> will depend on the rights, F= full etc)
>>
>> Isaac
>>
>> "Raymond Verstegen" <Raymond > wrote in
>> message news:FEF4295E-0945-4E31-A7A8-...
>> > We are using Windows 2003.
>> > Old configuration:
>> > We had a cluster share for example groups$ refering to c:\groups.
>> > Under c:\groups where a lot of subfolders for the different departments.
>> > User only got to see the shares they had access to.
>> >
>> > We made shares (in the cluster administrator) for all folders under
>> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> > groupfinance$
>> > referring to d:\groups\finance) ect ect.
>> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >
>> > Now the accounting group can see the finance group even though they can't
>> > access it.
>> > I turned on Access-based Enumeration for both folders, and created a
>> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
>> > groupaccounting$"
>> > I did this vor all shares but still everyone can see all shares in the
>> > groups, even the ones they dont have access to.
>> >
>> > Any ideas how to hide the shares for people who dont have access to them?

>>
>>
>>

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
Reply With Quote
 
Isaac Oben [MCITP:EA, MCSE]
Guest
Posts: n/a

 
      04-07-2009
Hello Raymond,

I might not have been clear with my previous post.

Make sure ABE is installed on all server hosting DFS.
Turn on ABE on "Group"' Share by checking box "enable access-based
enumeration on this shared folder"
Make sure "Accounting and Finance" are properly shared and ntfs permissions
are in place. For the Accounting Share, I will give Full Control to
Accounting Users, System, Administrator, Owner creator, and remove
everytihng else, add Users (Domain.com\Users) and grant following
permissions
List Folder / Read Data
Read Attributes
Read Extended Attributes

Now apply ACL to the Accounting and Financing Folders (Ghost folders)
CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
and
CACLS C:\Groups\Finance /E /G DomainName\Finance:C

Your ABE for DFS should be good now

Hope this helps

Isaac


"Raymond Verstegen" <> wrote in
message news:B9B22130-232F-45E6-8B41-...
> Hi Isaac,
>
> Thanks for the fast reply.
> The accounting department already has access to the accounting share, and
> the finance department to their share.
> The problem is, is that the accounting deparment sees the finance share,
> and
> the other way around.
>
>
> "Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> Assuming you are using domain based dfs and you have ABE installed and
>> enabled on the main share, try
>>
>> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
>> (this
>> will depend on the rights, F= full etc)
>>
>> Isaac
>>
>> "Raymond Verstegen" <Raymond > wrote
>> in
>> message news:FEF4295E-0945-4E31-A7A8-...
>> > We are using Windows 2003.
>> > Old configuration:
>> > We had a cluster share for example groups$ refering to c:\groups.
>> > Under c:\groups where a lot of subfolders for the different
>> > departments.
>> > User only got to see the shares they had access to.
>> >
>> > We made shares (in the cluster administrator) for all folders under
>> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> > groupfinance$
>> > referring to d:\groups\finance) ect ect.
>> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >
>> > Now the accounting group can see the finance group even though they
>> > can't
>> > access it.
>> > I turned on Access-based Enumeration for both folders, and created a
>> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
>> > groupaccounting$"
>> > I did this vor all shares but still everyone can see all shares in the
>> > groups, even the ones they dont have access to.
>> >
>> > Any ideas how to hide the shares for people who dont have access to
>> > them?

>>
>>
>>



 
Reply With Quote
 
Raymond Verstegen
Guest
Posts: n/a

 
      04-07-2009
Im not sharing the group folder, only the folders in the group folder.
In the old situation i shared the group folder, since all subfolders where
there.
There everything worked as inteded.
now im not sharing the group folder anymore, because all subfolders are not
only in the group folder anymore, but devided on different discs/partitions.
So in DFS i created groups/accounting pointing is to c:\groups\accounting.
But if would share the groups (c:\groups) folder the folder
d:\groups\finance wouldn't be vissible


"Isaac Oben [MCITP:EA, MCSE]" wrote:

> Hello Raymond,
>
> I might not have been clear with my previous post.
>
> Make sure ABE is installed on all server hosting DFS.
> Turn on ABE on "Group"' Share by checking box "enable access-based
> enumeration on this shared folder"
> Make sure "Accounting and Finance" are properly shared and ntfs permissions
> are in place. For the Accounting Share, I will give Full Control to
> Accounting Users, System, Administrator, Owner creator, and remove
> everytihng else, add Users (Domain.com\Users) and grant following
> permissions
> List Folder / Read Data
> Read Attributes
> Read Extended Attributes
>
> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
> and
> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
>
> Your ABE for DFS should be good now
>
> Hope this helps
>
> Isaac
>
>
> "Raymond Verstegen" <> wrote in
> message news:B9B22130-232F-45E6-8B41-...
> > Hi Isaac,
> >
> > Thanks for the fast reply.
> > The accounting department already has access to the accounting share, and
> > the finance department to their share.
> > The problem is, is that the accounting deparment sees the finance share,
> > and
> > the other way around.
> >
> >
> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
> >
> >> Hello Raymond,
> >>
> >> Assuming you are using domain based dfs and you have ABE installed and
> >> enabled on the main share, try
> >>
> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
> >> (this
> >> will depend on the rights, F= full etc)
> >>
> >> Isaac
> >>
> >> "Raymond Verstegen" <Raymond > wrote
> >> in
> >> message news:FEF4295E-0945-4E31-A7A8-...
> >> > We are using Windows 2003.
> >> > Old configuration:
> >> > We had a cluster share for example groups$ refering to c:\groups.
> >> > Under c:\groups where a lot of subfolders for the different
> >> > departments.
> >> > User only got to see the shares they had access to.
> >> >
> >> > We made shares (in the cluster administrator) for all folders under
> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
> >> > groupfinance$
> >> > referring to d:\groups\finance) ect ect.
> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
> >> >
> >> > Now the accounting group can see the finance group even though they
> >> > can't
> >> > access it.
> >> > I turned on Access-based Enumeration for both folders, and created a
> >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
> >> > groupaccounting$"
> >> > I did this vor all shares but still everyone can see all shares in the
> >> > groups, even the ones they dont have access to.
> >> >
> >> > Any ideas how to hide the shares for people who dont have access to
> >> > them?
> >>
> >>
> >>

>
>
>

 
Reply With Quote
 
Isaac Oben [MCITP:EA, MCSE]
Guest
Posts: n/a

 
      04-07-2009
Hello Raymond,
Then turn on ABE on the Accounting and Finance Shared folders

CACLS C:\Accounting /E /G DomainName\Accounting:C
and
CACLS C:\Finance /E /G DomainName\Finance:C

Hope this helps,

Isaac

"Raymond Verstegen" <> wrote in
message news:81151D24-F83F-4135-B59A-...
> Im not sharing the group folder, only the folders in the group folder.
> In the old situation i shared the group folder, since all subfolders where
> there.
> There everything worked as inteded.
> now im not sharing the group folder anymore, because all subfolders are
> not
> only in the group folder anymore, but devided on different
> discs/partitions.
> So in DFS i created groups/accounting pointing is to c:\groups\accounting.
> But if would share the groups (c:\groups) folder the folder
> d:\groups\finance wouldn't be vissible
>
>
> "Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> I might not have been clear with my previous post.
>>
>> Make sure ABE is installed on all server hosting DFS.
>> Turn on ABE on "Group"' Share by checking box "enable access-based
>> enumeration on this shared folder"
>> Make sure "Accounting and Finance" are properly shared and ntfs
>> permissions
>> are in place. For the Accounting Share, I will give Full Control to
>> Accounting Users, System, Administrator, Owner creator, and remove
>> everytihng else, add Users (Domain.com\Users) and grant following
>> permissions
>> List Folder / Read Data
>> Read Attributes
>> Read Extended Attributes
>>
>> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
>> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
>> and
>> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
>>
>> Your ABE for DFS should be good now
>>
>> Hope this helps
>>
>> Isaac
>>
>>
>> "Raymond Verstegen" <> wrote in
>> message news:B9B22130-232F-45E6-8B41-...
>> > Hi Isaac,
>> >
>> > Thanks for the fast reply.
>> > The accounting department already has access to the accounting share,
>> > and
>> > the finance department to their share.
>> > The problem is, is that the accounting deparment sees the finance
>> > share,
>> > and
>> > the other way around.
>> >
>> >
>> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
>> >
>> >> Hello Raymond,
>> >>
>> >> Assuming you are using domain based dfs and you have ABE installed and
>> >> enabled on the main share, try
>> >>
>> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
>> >> (this
>> >> will depend on the rights, F= full etc)
>> >>
>> >> Isaac
>> >>
>> >> "Raymond Verstegen" <Raymond >
>> >> wrote
>> >> in
>> >> message news:FEF4295E-0945-4E31-A7A8-...
>> >> > We are using Windows 2003.
>> >> > Old configuration:
>> >> > We had a cluster share for example groups$ refering to c:\groups.
>> >> > Under c:\groups where a lot of subfolders for the different
>> >> > departments.
>> >> > User only got to see the shares they had access to.
>> >> >
>> >> > We made shares (in the cluster administrator) for all folders under
>> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> >> > groupfinance$
>> >> > referring to d:\groups\finance) ect ect.
>> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >> >
>> >> > Now the accounting group can see the finance group even though they
>> >> > can't
>> >> > access it.
>> >> > I turned on Access-based Enumeration for both folders, and created
>> >> > a
>> >> > Generic application in the Cluster aministrator: "cmd /k abecmd
>> >> > /enable
>> >> > groupaccounting$"
>> >> > I did this vor all shares but still everyone can see all shares in
>> >> > the
>> >> > groups, even the ones they dont have access to.
>> >> >
>> >> > Any ideas how to hide the shares for people who dont have access to
>> >> > them?
>> >>
>> >>
>> >>

>>
>>
>>



 
Reply With Quote
 
DaveMills
Guest
Posts: n/a

 
      04-07-2009
On Tue, 7 Apr 2009 02:47:01 -0700, Raymond Verstegen
<> wrote:

>Im not sharing the group folder, only the folders in the group folder.
>In the old situation i shared the group folder, since all subfolders where
>there.
>There everything worked as inteded.
>now im not sharing the group folder anymore, because all subfolders are not
>only in the group folder anymore, but devided on different discs/partitions.
>So in DFS i created groups/accounting pointing is to c:\groups\accounting.
>But if would share the groups (c:\groups) folder the folder
>d:\groups\finance wouldn't be vissible


Try this: Create a new folder in the DFS console called say "test". Do not add
any links. Now look at who can see that folder. I think you will find most can
see the new folder. This is the crux of the problem ABE is reacting to the NTFS
permissions on the folder. This persists even after you add links, even though
the user cannot access the link target.

>
>
>"Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> I might not have been clear with my previous post.
>>
>> Make sure ABE is installed on all server hosting DFS.
>> Turn on ABE on "Group"' Share by checking box "enable access-based
>> enumeration on this shared folder"
>> Make sure "Accounting and Finance" are properly shared and ntfs permissions
>> are in place. For the Accounting Share, I will give Full Control to
>> Accounting Users, System, Administrator, Owner creator, and remove
>> everytihng else, add Users (Domain.com\Users) and grant following
>> permissions
>> List Folder / Read Data
>> Read Attributes
>> Read Extended Attributes
>>
>> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
>> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
>> and
>> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
>>
>> Your ABE for DFS should be good now
>>
>> Hope this helps
>>
>> Isaac
>>
>>
>> "Raymond Verstegen" <> wrote in
>> message news:B9B22130-232F-45E6-8B41-...
>> > Hi Isaac,
>> >
>> > Thanks for the fast reply.
>> > The accounting department already has access to the accounting share, and
>> > the finance department to their share.
>> > The problem is, is that the accounting deparment sees the finance share,
>> > and
>> > the other way around.
>> >
>> >
>> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
>> >
>> >> Hello Raymond,
>> >>
>> >> Assuming you are using domain based dfs and you have ABE installed and
>> >> enabled on the main share, try
>> >>
>> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
>> >> (this
>> >> will depend on the rights, F= full etc)
>> >>
>> >> Isaac
>> >>
>> >> "Raymond Verstegen" <Raymond > wrote
>> >> in
>> >> message news:FEF4295E-0945-4E31-A7A8-...
>> >> > We are using Windows 2003.
>> >> > Old configuration:
>> >> > We had a cluster share for example groups$ refering to c:\groups.
>> >> > Under c:\groups where a lot of subfolders for the different
>> >> > departments.
>> >> > User only got to see the shares they had access to.
>> >> >
>> >> > We made shares (in the cluster administrator) for all folders under
>> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> >> > groupfinance$
>> >> > referring to d:\groups\finance) ect ect.
>> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >> >
>> >> > Now the accounting group can see the finance group even though they
>> >> > can't
>> >> > access it.
>> >> > I turned on Access-based Enumeration for both folders, and created a
>> >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
>> >> > groupaccounting$"
>> >> > I did this vor all shares but still everyone can see all shares in the
>> >> > groups, even the ones they dont have access to.
>> >> >
>> >> > Any ideas how to hide the shares for people who dont have access to
>> >> > them?
>> >>
>> >>
>> >>

>>
>>
>>

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Hiding Network Shares from listing George Windows Small Business Server 2 09-16-2007 09:50 PM
Hiding System Shares? Michael B Server Setup 1 02-09-2006 04:51 PM
Re: DFS, domain root - former DC/DFS Root host shares are displayed instead of DFS Root/AD shares Adam Landefeld File Systems 0 01-23-2006 06:53 PM
Hiding Shares USBC_GT Windows Server 4 07-23-2004 05:34 PM
Win2003: Hiding shares in Net Neighborhood dsmcd Active Directory 3 02-26-2004 11:52 PM