RE: How To for Access Based Enumeration Permissions?

 
 
John Angel [MSFT]
      09-26-2008

Hi Mark,

You can use DFSUtil.exe to set up ABDE (Access Based Directory Enumeration)
in your namespace. The command line you should use is like this:

DFSUtil Property ABDE \\YourDomain\YourNamespace

This allows the users to view the links only for which they have permissions.

You can type DFSUtil Property ABDE to get more information.

"Mark Olbert" wrote:

> Like apparently quite a few others, I'm having trouble getting access based enumeration to work. This is using a DFS setup on Server
> 2008 (standard). Basically, all the "component" shares in the DFS share I set up are visible to all users all the time. They can't
> access folders they don't have rights to, but the folders themselves are still visible.
>
> Is there an "official" how to for setting the permissions correctly? I gather one has to be careful about what permissions are
> granted to both the share and the links in the DFS root. But I'm not clear on just what they should be.
>
> - Mark
>

 
DaveMills
      09-27-2008
But which permissions get tested? The DACL on the DFS folder/reparse point, the
one on the target share or both?

On Fri, 26 Sep 2008 16:06:01 -0700, John Angel [MSFT] wrote:

>Hi Mark,
>
>You can use DFSUtil.exe to set up ABDE (Access Based Directory Enumeration)
>in your namespace. The command line you should use is like this:
>
>DFSUtil Property ABDE \\YourDomain\YourNamespace
>
>This allows the users to view the links only for which they have permissions.
>
>You can type DFSUtil Property ABDE to get more information.
>
>"Mark Olbert" wrote:
>
>> Like apparently quite a few others, I'm having trouble getting access based enumeration to work. This is using a DFS setup on Server
>> 2008 (standard). Basically, all the "component" shares in the DFS share I set up are visible to all users all the time. They can't
>> access folders they don't have rights to, but the folders themselves are still visible.
>>
>> Is there an "official" how to for setting the permissions correctly? I gather one has to be careful about what permissions are
>> granted to both the share and the links in the DFS root. But I'm not clear on just what they should be.
>>
>> - Mark
>>

--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
 
 
John Angel [MSFT]
      09-29-2008
ABDE is related to the DFS root. Once it's enabled it shows to the user only
the links for which he has permissions. Basically you set ABDE and then you
set the ACLs against a DFS link.

"DaveMills" wrote:

> But which permissions get tested? The DACL on the DFS folder/reparse point, the
> one on the target share or both?
>
> On Fri, 26 Sep 2008 16:06:01 -0700, John Angel [MSFT] wrote:
>
> >Hi Mark,
> >
> >You can use DFSUtil.exe to set up ABDE (Access Based Directory Enumeration)
> >in your namespace. The command line you should use is like this:
> >
> >DFSUtil Property ABDE \\YourDomain\YourNamespace
> >
> >This allows the users to view the links only for which they have permissions.
> >
> >You can type DFSUtil Property ABDE to get more information.
> >
> >"Mark Olbert" wrote:
> >
> >> Like apparently quite a few others, I'm having trouble getting access based enumeration to work. This is using a DFS setup on Server
> >> 2008 (standard). Basically, all the "component" shares in the DFS share I set up are visible to all users all the time. They can't
> >> access folders they don't have rights to, but the folders themselves are still visible.
> >>
> >> Is there an "official" how to for setting the permissions correctly? I gather one has to be careful about what permissions are
> >> granted to both the share and the links in the DFS root. But I'm not clear on just what they should be.
> >>
> >> - Mark
> >>

> --
> Dave Mills
> There are 10 types of people, those that understand binary and those that don't.
>
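
The two steps described in this thread (enable ABDE on the namespace root, then set permissions on each DFS link), as an added example that is not from any poster in the thread. It uses the DFSN PowerShell module that ships with later Windows Server releases instead of DFSUtil.exe; the folder names, group names and the `$Visibility` mapping are placeholders chosen for illustration.

```powershell
# Added example: every path and account below is a placeholder.
Import-Module DFSN

$Root = '\\YourDomain\YourNamespace'

# Hypothetical mapping: DFS folder (link) -> groups that should see it.
$Visibility = @{
    "$Root\Finance" = @('YOURDOMAIN\Finance-Readers')
    "$Root\HR"      = @('YOURDOMAIN\HR-Readers')
}

# Step 1: turn on access-based enumeration for the namespace root.
Set-DfsnRoot -Path $Root -EnableAccessBasedEnumeration $true | Out-Null

# Step 2: grant explicit permissions on each DFS link, not on the root.
foreach ($folder in $Visibility.Keys) {
    foreach ($account in $Visibility[$folder]) {
        Grant-DfsnAccess -Path $folder -AccountName $account | Out-Null
    }
}

# Audit: list each link with the accounts that hold explicit permissions.
# Links that report no explicit entries are the ones to review, since
# their visibility is not controlled by anything set in step 2.
Get-DfsnFolder -Path "$Root\*" | ForEach-Object {
    $entries = @(Get-DfsnAccess -Path $_.Path -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Folder      = $_.Path
        Accounts    = ($entries.AccountName -join ', ')
        HasExplicit = ($entries.Count -gt 0)
    }
} | Format-Table -AutoSize
```

Run it from an elevated session on a machine with the DFS management tools installed, then check the result by browsing the namespace as a user who is outside the listed groups.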

 