Problem hiding shares in DFS

We are using Windows 2003.
Old configuration:
We had a cluster share for example groups$ refering to c:\groups.
Under c:\groups where a lot of subfolders for the different departments.
User only got to see the shares they had access to.

We made shares (in the cluster administrator) for all folders under
c:\groups (groupaccounting$ referring to c:\groups\accounting, groupfinance$
referring to d:\groups\finance) ect ect.
I made in DFS a Groups\Finance and a Groups\Accounting.

Now the accounting group can see the finance group even though they can't
access it.
I turned on Access-based Enumeration for both folders, and created a
Generic application in the Cluster aministrator: "cmd /k abecmd /enable
groupaccounting$"
I did this vor all shares but still everyone can see all shares in the
groups, even the ones they dont have access to.

Any ideas how to hide the shares for people who dont have access to them?

Hello Raymond,

Assuming you are using domain based dfs and you have ABE installed and
enabled on the main share, try

CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
will depend on the rights, F= full etc)

Isaac

"Raymond Verstegen" <Raymond > wrote in
message news:FEF4295E-0945-4E31-A7A8-...
> We are using Windows 2003.
> Old configuration:
> We had a cluster share for example groups$ refering to c:\groups.
> Under c:\groups where a lot of subfolders for the different departments.
> User only got to see the shares they had access to.
>
> We made shares (in the cluster administrator) for all folders under
> c:\groups (groupaccounting$ referring to c:\groups\accounting,
> groupfinance$
> referring to d:\groups\finance) ect ect.
> I made in DFS a Groups\Finance and a Groups\Accounting.
>
> Now the accounting group can see the finance group even though they can't
> access it.
> I turned on Access-based Enumeration for both folders, and created a
> Generic application in the Cluster aministrator: "cmd /k abecmd /enable
> groupaccounting$"
> I did this vor all shares but still everyone can see all shares in the
> groups, even the ones they dont have access to.
>
> Any ideas how to hide the shares for people who dont have access to them?

Hi Isaac,

Thanks for the fast reply.
The accounting department already has access to the accounting share, and
the finance department to their share.
The problem is, is that the accounting deparment sees the finance share, and
the other way around.


"Isaac Oben [MCITP:EA, MCSE]" wrote:

> Hello Raymond,
>
> Assuming you are using domain based dfs and you have ABE installed and
> enabled on the main share, try
>
> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
> will depend on the rights, F= full etc)
>
> Isaac
>
> "Raymond Verstegen" <Raymond > wrote in
> message news:FEF4295E-0945-4E31-A7A8-...
> > We are using Windows 2003.
> > Old configuration:
> > We had a cluster share for example groups$ refering to c:\groups.
> > Under c:\groups where a lot of subfolders for the different departments.
> > User only got to see the shares they had access to.
> >
> > We made shares (in the cluster administrator) for all folders under
> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
> > groupfinance$
> > referring to d:\groups\finance) ect ect.
> > I made in DFS a Groups\Finance and a Groups\Accounting.
> >
> > Now the accounting group can see the finance group even though they can't
> > access it.
> > I turned on Access-based Enumeration for both folders, and created a
> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
> > groupaccounting$"
> > I did this vor all shares but still everyone can see all shares in the
> > groups, even the ones they dont have access to.
> >
> > Any ideas how to hide the shares for people who dont have access to them?
>
>
>

Isaac is referring to the permissions on the DFS link not on the target folder.
For any DFS access there of two NTFS permissions involved, those on the physical
link (reparse point) C:\DFSRoot\Groups\Accounting and those at the target
c:\groups\accounting. ABE in DFS displays the Link because the permission on the
links are "read" even though the permissions on the target are "deny".

Please note also that there were a number of patches regarding ABE on W2003 so
make sure the server is on the latest SP and fully patched. I don't recall the
KB numbers.




On Mon, 6 Apr 2009 05:20:08 -0700, Raymond Verstegen
<> wrote:

>Hi Isaac,
>
>Thanks for the fast reply.
>The accounting department already has access to the accounting share, and
>the finance department to their share.
>The problem is, is that the accounting deparment sees the finance share, and
>the other way around.
>
>
>"Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> Assuming you are using domain based dfs and you have ABE installed and
>> enabled on the main share, try
>>
>> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
>> will depend on the rights, F= full etc)
>>
>> Isaac
>>
>> "Raymond Verstegen" <Raymond > wrote in
>> message news:FEF4295E-0945-4E31-A7A8-...
>> > We are using Windows 2003.
>> > Old configuration:
>> > We had a cluster share for example groups$ refering to c:\groups.
>> > Under c:\groups where a lot of subfolders for the different departments.
>> > User only got to see the shares they had access to.
>> >
>> > We made shares (in the cluster administrator) for all folders under
>> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> > groupfinance$
>> > referring to d:\groups\finance) ect ect.
>> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >
>> > Now the accounting group can see the finance group even though they can't
>> > access it.
>> > I turned on Access-based Enumeration for both folders, and created a
>> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
>> > groupaccounting$"
>> > I did this vor all shares but still everyone can see all shares in the
>> > groups, even the ones they dont have access to.
>> >
>> > Any ideas how to hide the shares for people who dont have access to them?
>>
>>
>>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Hello Raymond,

I might not have been clear with my previous post.

Make sure ABE is installed on all server hosting DFS.
Turn on ABE on "Group"' Share by checking box "enable access-based
enumeration on this shared folder"
Make sure "Accounting and Finance" are properly shared and ntfs permissions
are in place. For the Accounting Share, I will give Full Control to
Accounting Users, System, Administrator, Owner creator, and remove
everytihng else, add Users (Domain.com\Users) and grant following
permissions
List Folder / Read Data
Read Attributes
Read Extended Attributes

Now apply ACL to the Accounting and Financing Folders (Ghost folders)
CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
and
CACLS C:\Groups\Finance /E /G DomainName\Finance:C

Your ABE for DFS should be good now

Hope this helps

Isaac


"Raymond Verstegen" <> wrote in
message news:B9B22130-232F-45E6-8B41-...
> Hi Isaac,
>
> Thanks for the fast reply.
> The accounting department already has access to the accounting share, and
> the finance department to their share.
> The problem is, is that the accounting deparment sees the finance share,
> and
> the other way around.
>
>
> "Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> Assuming you are using domain based dfs and you have ABE installed and
>> enabled on the main share, try
>>
>> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
>> (this
>> will depend on the rights, F= full etc)
>>
>> Isaac
>>
>> "Raymond Verstegen" <Raymond > wrote
>> in
>> message news:FEF4295E-0945-4E31-A7A8-...
>> > We are using Windows 2003.
>> > Old configuration:
>> > We had a cluster share for example groups$ refering to c:\groups.
>> > Under c:\groups where a lot of subfolders for the different
>> > departments.
>> > User only got to see the shares they had access to.
>> >
>> > We made shares (in the cluster administrator) for all folders under
>> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> > groupfinance$
>> > referring to d:\groups\finance) ect ect.
>> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >
>> > Now the accounting group can see the finance group even though they
>> > can't
>> > access it.
>> > I turned on Access-based Enumeration for both folders, and created a
>> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
>> > groupaccounting$"
>> > I did this vor all shares but still everyone can see all shares in the
>> > groups, even the ones they dont have access to.
>> >
>> > Any ideas how to hide the shares for people who dont have access to
>> > them?
>>
>>
>>

Im not sharing the group folder, only the folders in the group folder.
In the old situation i shared the group folder, since all subfolders where
there.
There everything worked as inteded.
now im not sharing the group folder anymore, because all subfolders are not
only in the group folder anymore, but devided on different discs/partitions.
So in DFS i created groups/accounting pointing is to c:\groups\accounting.
But if would share the groups (c:\groups) folder the folder
d:\groups\finance wouldn't be vissible


"Isaac Oben [MCITP:EA, MCSE]" wrote:

> Hello Raymond,
>
> I might not have been clear with my previous post.
>
> Make sure ABE is installed on all server hosting DFS.
> Turn on ABE on "Group"' Share by checking box "enable access-based
> enumeration on this shared folder"
> Make sure "Accounting and Finance" are properly shared and ntfs permissions
> are in place. For the Accounting Share, I will give Full Control to
> Accounting Users, System, Administrator, Owner creator, and remove
> everytihng else, add Users (Domain.com\Users) and grant following
> permissions
> List Folder / Read Data
> Read Attributes
> Read Extended Attributes
>
> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
> and
> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
>
> Your ABE for DFS should be good now
>
> Hope this helps
>
> Isaac
>
>
> "Raymond Verstegen" <> wrote in
> message news:B9B22130-232F-45E6-8B41-...
> > Hi Isaac,
> >
> > Thanks for the fast reply.
> > The accounting department already has access to the accounting share, and
> > the finance department to their share.
> > The problem is, is that the accounting deparment sees the finance share,
> > and
> > the other way around.
> >
> >
> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
> >
> >> Hello Raymond,
> >>
> >> Assuming you are using domain based dfs and you have ABE installed and
> >> enabled on the main share, try
> >>
> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
> >> (this
> >> will depend on the rights, F= full etc)
> >>
> >> Isaac
> >>
> >> "Raymond Verstegen" <Raymond > wrote
> >> in
> >> message news:FEF4295E-0945-4E31-A7A8-...
> >> > We are using Windows 2003.
> >> > Old configuration:
> >> > We had a cluster share for example groups$ refering to c:\groups.
> >> > Under c:\groups where a lot of subfolders for the different
> >> > departments.
> >> > User only got to see the shares they had access to.
> >> >
> >> > We made shares (in the cluster administrator) for all folders under
> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
> >> > groupfinance$
> >> > referring to d:\groups\finance) ect ect.
> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
> >> >
> >> > Now the accounting group can see the finance group even though they
> >> > can't
> >> > access it.
> >> > I turned on Access-based Enumeration for both folders, and created a
> >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
> >> > groupaccounting$"
> >> > I did this vor all shares but still everyone can see all shares in the
> >> > groups, even the ones they dont have access to.
> >> >
> >> > Any ideas how to hide the shares for people who dont have access to
> >> > them?
> >>
> >>
> >>
>
>
>

Hello Raymond,
Then turn on ABE on the Accounting and Finance Shared folders

CACLS C:\Accounting /E /G DomainName\Accounting:C
and
CACLS C:\Finance /E /G DomainName\Finance:C

Hope this helps,

Isaac

"Raymond Verstegen" <> wrote in
message news:81151D24-F83F-4135-B59A-...
> Im not sharing the group folder, only the folders in the group folder.
> In the old situation i shared the group folder, since all subfolders where
> there.
> There everything worked as inteded.
> now im not sharing the group folder anymore, because all subfolders are
> not
> only in the group folder anymore, but devided on different
> discs/partitions.
> So in DFS i created groups/accounting pointing is to c:\groups\accounting.
> But if would share the groups (c:\groups) folder the folder
> d:\groups\finance wouldn't be vissible
>
>
> "Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> I might not have been clear with my previous post.
>>
>> Make sure ABE is installed on all server hosting DFS.
>> Turn on ABE on "Group"' Share by checking box "enable access-based
>> enumeration on this shared folder"
>> Make sure "Accounting and Finance" are properly shared and ntfs
>> permissions
>> are in place. For the Accounting Share, I will give Full Control to
>> Accounting Users, System, Administrator, Owner creator, and remove
>> everytihng else, add Users (Domain.com\Users) and grant following
>> permissions
>> List Folder / Read Data
>> Read Attributes
>> Read Extended Attributes
>>
>> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
>> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
>> and
>> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
>>
>> Your ABE for DFS should be good now
>>
>> Hope this helps
>>
>> Isaac
>>
>>
>> "Raymond Verstegen" <> wrote in
>> message news:B9B22130-232F-45E6-8B41-...
>> > Hi Isaac,
>> >
>> > Thanks for the fast reply.
>> > The accounting department already has access to the accounting share,
>> > and
>> > the finance department to their share.
>> > The problem is, is that the accounting deparment sees the finance
>> > share,
>> > and
>> > the other way around.
>> >
>> >
>> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
>> >
>> >> Hello Raymond,
>> >>
>> >> Assuming you are using domain based dfs and you have ABE installed and
>> >> enabled on the main share, try
>> >>
>> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
>> >> (this
>> >> will depend on the rights, F= full etc)
>> >>
>> >> Isaac
>> >>
>> >> "Raymond Verstegen" <Raymond >
>> >> wrote
>> >> in
>> >> message news:FEF4295E-0945-4E31-A7A8-...
>> >> > We are using Windows 2003.
>> >> > Old configuration:
>> >> > We had a cluster share for example groups$ refering to c:\groups.
>> >> > Under c:\groups where a lot of subfolders for the different
>> >> > departments.
>> >> > User only got to see the shares they had access to.
>> >> >
>> >> > We made shares (in the cluster administrator) for all folders under
>> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> >> > groupfinance$
>> >> > referring to d:\groups\finance) ect ect.
>> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >> >
>> >> > Now the accounting group can see the finance group even though they
>> >> > can't
>> >> > access it.
>> >> > I turned on Access-based Enumeration for both folders, and created
>> >> > a
>> >> > Generic application in the Cluster aministrator: "cmd /k abecmd
>> >> > /enable
>> >> > groupaccounting$"
>> >> > I did this vor all shares but still everyone can see all shares in
>> >> > the
>> >> > groups, even the ones they dont have access to.
>> >> >
>> >> > Any ideas how to hide the shares for people who dont have access to
>> >> > them?
>> >>
>> >>
>> >>
>>
>>
>>

On Tue, 7 Apr 2009 02:47:01 -0700, Raymond Verstegen
<> wrote:

>Im not sharing the group folder, only the folders in the group folder.
>In the old situation i shared the group folder, since all subfolders where
>there.
>There everything worked as inteded.
>now im not sharing the group folder anymore, because all subfolders are not
>only in the group folder anymore, but devided on different discs/partitions.
>So in DFS i created groups/accounting pointing is to c:\groups\accounting.
>But if would share the groups (c:\groups) folder the folder
>d:\groups\finance wouldn't be vissible

Try this: Create a new folder in the DFS console called say "test". Do not add
any links. Now look at who can see that folder. I think you will find most can
see the new folder. This is the crux of the problem ABE is reacting to the NTFS
permissions on the folder. This persists even after you add links, even though
the user cannot access the link target.

>
>
>"Isaac Oben [MCITP:EA, MCSE]" wrote:
>
>> Hello Raymond,
>>
>> I might not have been clear with my previous post.
>>
>> Make sure ABE is installed on all server hosting DFS.
>> Turn on ABE on "Group"' Share by checking box "enable access-based
>> enumeration on this shared folder"
>> Make sure "Accounting and Finance" are properly shared and ntfs permissions
>> are in place. For the Accounting Share, I will give Full Control to
>> Accounting Users, System, Administrator, Owner creator, and remove
>> everytihng else, add Users (Domain.com\Users) and grant following
>> permissions
>> List Folder / Read Data
>> Read Attributes
>> Read Extended Attributes
>>
>> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
>> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
>> and
>> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
>>
>> Your ABE for DFS should be good now
>>
>> Hope this helps
>>
>> Isaac
>>
>>
>> "Raymond Verstegen" <> wrote in
>> message news:B9B22130-232F-45E6-8B41-...
>> > Hi Isaac,
>> >
>> > Thanks for the fast reply.
>> > The accounting department already has access to the accounting share, and
>> > the finance department to their share.
>> > The problem is, is that the accounting deparment sees the finance share,
>> > and
>> > the other way around.
>> >
>> >
>> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
>> >
>> >> Hello Raymond,
>> >>
>> >> Assuming you are using domain based dfs and you have ABE installed and
>> >> enabled on the main share, try
>> >>
>> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
>> >> (this
>> >> will depend on the rights, F= full etc)
>> >>
>> >> Isaac
>> >>
>> >> "Raymond Verstegen" <Raymond > wrote
>> >> in
>> >> message news:FEF4295E-0945-4E31-A7A8-...
>> >> > We are using Windows 2003.
>> >> > Old configuration:
>> >> > We had a cluster share for example groups$ refering to c:\groups.
>> >> > Under c:\groups where a lot of subfolders for the different
>> >> > departments.
>> >> > User only got to see the shares they had access to.
>> >> >
>> >> > We made shares (in the cluster administrator) for all folders under
>> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
>> >> > groupfinance$
>> >> > referring to d:\groups\finance) ect ect.
>> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
>> >> >
>> >> > Now the accounting group can see the finance group even though they
>> >> > can't
>> >> > access it.
>> >> > I turned on Access-based Enumeration for both folders, and created a
>> >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
>> >> > groupaccounting$"
>> >> > I did this vor all shares but still everyone can see all shares in the
>> >> > groups, even the ones they dont have access to.
>> >> >
>> >> > Any ideas how to hide the shares for people who dont have access to
>> >> > them?
>> >>
>> >>
>> >>
>>
>>
>>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.