Problem hiding shares in DFS

Discussion in 'File Systems' started by Raymond Verstegen, Apr 6, 2009.

  1. We are using Windows 2003.
    Old configuration:
    We had a cluster share for example groups$ refering to c:\groups.
    Under c:\groups where a lot of subfolders for the different departments.
    User only got to see the shares they had access to.

    We made shares (in the cluster administrator) for all folders under
    c:\groups (groupaccounting$ referring to c:\groups\accounting, groupfinance$
    referring to d:\groups\finance) ect ect.
    I made in DFS a Groups\Finance and a Groups\Accounting.

    Now the accounting group can see the finance group even though they can't
    access it.
    I turned on Access-based Enumeration for both folders, and created a
    Generic application in the Cluster aministrator: "cmd /k abecmd /enable
    groupaccounting$"
    I did this vor all shares but still everyone can see all shares in the
    groups, even the ones they dont have access to.

    Any ideas how to hide the shares for people who dont have access to them?
     
    Raymond Verstegen, Apr 6, 2009
    #1
    1. Advertising

  2. Hello Raymond,

    Assuming you are using domain based dfs and you have ABE installed and
    enabled on the main share, try

    CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
    will depend on the rights, F= full etc)

    Isaac

    "Raymond Verstegen" <Raymond > wrote in
    message news:...
    > We are using Windows 2003.
    > Old configuration:
    > We had a cluster share for example groups$ refering to c:\groups.
    > Under c:\groups where a lot of subfolders for the different departments.
    > User only got to see the shares they had access to.
    >
    > We made shares (in the cluster administrator) for all folders under
    > c:\groups (groupaccounting$ referring to c:\groups\accounting,
    > groupfinance$
    > referring to d:\groups\finance) ect ect.
    > I made in DFS a Groups\Finance and a Groups\Accounting.
    >
    > Now the accounting group can see the finance group even though they can't
    > access it.
    > I turned on Access-based Enumeration for both folders, and created a
    > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
    > groupaccounting$"
    > I did this vor all shares but still everyone can see all shares in the
    > groups, even the ones they dont have access to.
    >
    > Any ideas how to hide the shares for people who dont have access to them?
     
    Isaac Oben [MCITP:EA, MCSE], Apr 6, 2009
    #2
    1. Advertising

  3. Hi Isaac,

    Thanks for the fast reply.
    The accounting department already has access to the accounting share, and
    the finance department to their share.
    The problem is, is that the accounting deparment sees the finance share, and
    the other way around.


    "Isaac Oben [MCITP:EA, MCSE]" wrote:

    > Hello Raymond,
    >
    > Assuming you are using domain based dfs and you have ABE installed and
    > enabled on the main share, try
    >
    > CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
    > will depend on the rights, F= full etc)
    >
    > Isaac
    >
    > "Raymond Verstegen" <Raymond > wrote in
    > message news:...
    > > We are using Windows 2003.
    > > Old configuration:
    > > We had a cluster share for example groups$ refering to c:\groups.
    > > Under c:\groups where a lot of subfolders for the different departments.
    > > User only got to see the shares they had access to.
    > >
    > > We made shares (in the cluster administrator) for all folders under
    > > c:\groups (groupaccounting$ referring to c:\groups\accounting,
    > > groupfinance$
    > > referring to d:\groups\finance) ect ect.
    > > I made in DFS a Groups\Finance and a Groups\Accounting.
    > >
    > > Now the accounting group can see the finance group even though they can't
    > > access it.
    > > I turned on Access-based Enumeration for both folders, and created a
    > > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
    > > groupaccounting$"
    > > I did this vor all shares but still everyone can see all shares in the
    > > groups, even the ones they dont have access to.
    > >
    > > Any ideas how to hide the shares for people who dont have access to them?

    >
    >
    >
     
    Raymond Verstegen, Apr 6, 2009
    #3
  4. Raymond Verstegen

    DaveMills Guest

    Isaac is referring to the permissions on the DFS link not on the target folder.
    For any DFS access there of two NTFS permissions involved, those on the physical
    link (reparse point) C:\DFSRoot\Groups\Accounting and those at the target
    c:\groups\accounting. ABE in DFS displays the Link because the permission on the
    links are "read" even though the permissions on the target are "deny".

    Please note also that there were a number of patches regarding ABE on W2003 so
    make sure the server is on the latest SP and fully patched. I don't recall the
    KB numbers.




    On Mon, 6 Apr 2009 05:20:08 -0700, Raymond Verstegen
    <> wrote:

    >Hi Isaac,
    >
    >Thanks for the fast reply.
    >The accounting department already has access to the accounting share, and
    >the finance department to their share.
    >The problem is, is that the accounting deparment sees the finance share, and
    >the other way around.
    >
    >
    >"Isaac Oben [MCITP:EA, MCSE]" wrote:
    >
    >> Hello Raymond,
    >>
    >> Assuming you are using domain based dfs and you have ABE installed and
    >> enabled on the main share, try
    >>
    >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C (this
    >> will depend on the rights, F= full etc)
    >>
    >> Isaac
    >>
    >> "Raymond Verstegen" <Raymond > wrote in
    >> message news:...
    >> > We are using Windows 2003.
    >> > Old configuration:
    >> > We had a cluster share for example groups$ refering to c:\groups.
    >> > Under c:\groups where a lot of subfolders for the different departments.
    >> > User only got to see the shares they had access to.
    >> >
    >> > We made shares (in the cluster administrator) for all folders under
    >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
    >> > groupfinance$
    >> > referring to d:\groups\finance) ect ect.
    >> > I made in DFS a Groups\Finance and a Groups\Accounting.
    >> >
    >> > Now the accounting group can see the finance group even though they can't
    >> > access it.
    >> > I turned on Access-based Enumeration for both folders, and created a
    >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
    >> > groupaccounting$"
    >> > I did this vor all shares but still everyone can see all shares in the
    >> > groups, even the ones they dont have access to.
    >> >
    >> > Any ideas how to hide the shares for people who dont have access to them?

    >>
    >>
    >>

    --
    Dave Mills
    There are 10 types of people, those that understand binary and those that don't.
     
    DaveMills, Apr 6, 2009
    #4
  5. Hello Raymond,

    I might not have been clear with my previous post.

    Make sure ABE is installed on all server hosting DFS.
    Turn on ABE on "Group"' Share by checking box "enable access-based
    enumeration on this shared folder"
    Make sure "Accounting and Finance" are properly shared and ntfs permissions
    are in place. For the Accounting Share, I will give Full Control to
    Accounting Users, System, Administrator, Owner creator, and remove
    everytihng else, add Users (Domain.com\Users) and grant following
    permissions
    List Folder / Read Data
    Read Attributes
    Read Extended Attributes

    Now apply ACL to the Accounting and Financing Folders (Ghost folders)
    CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
    and
    CACLS C:\Groups\Finance /E /G DomainName\Finance:C

    Your ABE for DFS should be good now

    Hope this helps

    Isaac


    "Raymond Verstegen" <> wrote in
    message news:...
    > Hi Isaac,
    >
    > Thanks for the fast reply.
    > The accounting department already has access to the accounting share, and
    > the finance department to their share.
    > The problem is, is that the accounting deparment sees the finance share,
    > and
    > the other way around.
    >
    >
    > "Isaac Oben [MCITP:EA, MCSE]" wrote:
    >
    >> Hello Raymond,
    >>
    >> Assuming you are using domain based dfs and you have ABE installed and
    >> enabled on the main share, try
    >>
    >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
    >> (this
    >> will depend on the rights, F= full etc)
    >>
    >> Isaac
    >>
    >> "Raymond Verstegen" <Raymond > wrote
    >> in
    >> message news:...
    >> > We are using Windows 2003.
    >> > Old configuration:
    >> > We had a cluster share for example groups$ refering to c:\groups.
    >> > Under c:\groups where a lot of subfolders for the different
    >> > departments.
    >> > User only got to see the shares they had access to.
    >> >
    >> > We made shares (in the cluster administrator) for all folders under
    >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
    >> > groupfinance$
    >> > referring to d:\groups\finance) ect ect.
    >> > I made in DFS a Groups\Finance and a Groups\Accounting.
    >> >
    >> > Now the accounting group can see the finance group even though they
    >> > can't
    >> > access it.
    >> > I turned on Access-based Enumeration for both folders, and created a
    >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
    >> > groupaccounting$"
    >> > I did this vor all shares but still everyone can see all shares in the
    >> > groups, even the ones they dont have access to.
    >> >
    >> > Any ideas how to hide the shares for people who dont have access to
    >> > them?

    >>
    >>
    >>
     
    Isaac Oben [MCITP:EA, MCSE], Apr 7, 2009
    #5
  6. Im not sharing the group folder, only the folders in the group folder.
    In the old situation i shared the group folder, since all subfolders where
    there.
    There everything worked as inteded.
    now im not sharing the group folder anymore, because all subfolders are not
    only in the group folder anymore, but devided on different discs/partitions.
    So in DFS i created groups/accounting pointing is to c:\groups\accounting.
    But if would share the groups (c:\groups) folder the folder
    d:\groups\finance wouldn't be vissible


    "Isaac Oben [MCITP:EA, MCSE]" wrote:

    > Hello Raymond,
    >
    > I might not have been clear with my previous post.
    >
    > Make sure ABE is installed on all server hosting DFS.
    > Turn on ABE on "Group"' Share by checking box "enable access-based
    > enumeration on this shared folder"
    > Make sure "Accounting and Finance" are properly shared and ntfs permissions
    > are in place. For the Accounting Share, I will give Full Control to
    > Accounting Users, System, Administrator, Owner creator, and remove
    > everytihng else, add Users (Domain.com\Users) and grant following
    > permissions
    > List Folder / Read Data
    > Read Attributes
    > Read Extended Attributes
    >
    > Now apply ACL to the Accounting and Financing Folders (Ghost folders)
    > CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
    > and
    > CACLS C:\Groups\Finance /E /G DomainName\Finance:C
    >
    > Your ABE for DFS should be good now
    >
    > Hope this helps
    >
    > Isaac
    >
    >
    > "Raymond Verstegen" <> wrote in
    > message news:...
    > > Hi Isaac,
    > >
    > > Thanks for the fast reply.
    > > The accounting department already has access to the accounting share, and
    > > the finance department to their share.
    > > The problem is, is that the accounting deparment sees the finance share,
    > > and
    > > the other way around.
    > >
    > >
    > > "Isaac Oben [MCITP:EA, MCSE]" wrote:
    > >
    > >> Hello Raymond,
    > >>
    > >> Assuming you are using domain based dfs and you have ABE installed and
    > >> enabled on the main share, try
    > >>
    > >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
    > >> (this
    > >> will depend on the rights, F= full etc)
    > >>
    > >> Isaac
    > >>
    > >> "Raymond Verstegen" <Raymond > wrote
    > >> in
    > >> message news:...
    > >> > We are using Windows 2003.
    > >> > Old configuration:
    > >> > We had a cluster share for example groups$ refering to c:\groups.
    > >> > Under c:\groups where a lot of subfolders for the different
    > >> > departments.
    > >> > User only got to see the shares they had access to.
    > >> >
    > >> > We made shares (in the cluster administrator) for all folders under
    > >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
    > >> > groupfinance$
    > >> > referring to d:\groups\finance) ect ect.
    > >> > I made in DFS a Groups\Finance and a Groups\Accounting.
    > >> >
    > >> > Now the accounting group can see the finance group even though they
    > >> > can't
    > >> > access it.
    > >> > I turned on Access-based Enumeration for both folders, and created a
    > >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
    > >> > groupaccounting$"
    > >> > I did this vor all shares but still everyone can see all shares in the
    > >> > groups, even the ones they dont have access to.
    > >> >
    > >> > Any ideas how to hide the shares for people who dont have access to
    > >> > them?
    > >>
    > >>
    > >>

    >
    >
    >
     
    Raymond Verstegen, Apr 7, 2009
    #6
  7. Hello Raymond,
    Then turn on ABE on the Accounting and Finance Shared folders

    CACLS C:\Accounting /E /G DomainName\Accounting:C
    and
    CACLS C:\Finance /E /G DomainName\Finance:C

    Hope this helps,

    Isaac

    "Raymond Verstegen" <> wrote in
    message news:...
    > Im not sharing the group folder, only the folders in the group folder.
    > In the old situation i shared the group folder, since all subfolders where
    > there.
    > There everything worked as inteded.
    > now im not sharing the group folder anymore, because all subfolders are
    > not
    > only in the group folder anymore, but devided on different
    > discs/partitions.
    > So in DFS i created groups/accounting pointing is to c:\groups\accounting.
    > But if would share the groups (c:\groups) folder the folder
    > d:\groups\finance wouldn't be vissible
    >
    >
    > "Isaac Oben [MCITP:EA, MCSE]" wrote:
    >
    >> Hello Raymond,
    >>
    >> I might not have been clear with my previous post.
    >>
    >> Make sure ABE is installed on all server hosting DFS.
    >> Turn on ABE on "Group"' Share by checking box "enable access-based
    >> enumeration on this shared folder"
    >> Make sure "Accounting and Finance" are properly shared and ntfs
    >> permissions
    >> are in place. For the Accounting Share, I will give Full Control to
    >> Accounting Users, System, Administrator, Owner creator, and remove
    >> everytihng else, add Users (Domain.com\Users) and grant following
    >> permissions
    >> List Folder / Read Data
    >> Read Attributes
    >> Read Extended Attributes
    >>
    >> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
    >> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
    >> and
    >> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
    >>
    >> Your ABE for DFS should be good now
    >>
    >> Hope this helps
    >>
    >> Isaac
    >>
    >>
    >> "Raymond Verstegen" <> wrote in
    >> message news:...
    >> > Hi Isaac,
    >> >
    >> > Thanks for the fast reply.
    >> > The accounting department already has access to the accounting share,
    >> > and
    >> > the finance department to their share.
    >> > The problem is, is that the accounting deparment sees the finance
    >> > share,
    >> > and
    >> > the other way around.
    >> >
    >> >
    >> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
    >> >
    >> >> Hello Raymond,
    >> >>
    >> >> Assuming you are using domain based dfs and you have ABE installed and
    >> >> enabled on the main share, try
    >> >>
    >> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
    >> >> (this
    >> >> will depend on the rights, F= full etc)
    >> >>
    >> >> Isaac
    >> >>
    >> >> "Raymond Verstegen" <Raymond >
    >> >> wrote
    >> >> in
    >> >> message news:...
    >> >> > We are using Windows 2003.
    >> >> > Old configuration:
    >> >> > We had a cluster share for example groups$ refering to c:\groups.
    >> >> > Under c:\groups where a lot of subfolders for the different
    >> >> > departments.
    >> >> > User only got to see the shares they had access to.
    >> >> >
    >> >> > We made shares (in the cluster administrator) for all folders under
    >> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
    >> >> > groupfinance$
    >> >> > referring to d:\groups\finance) ect ect.
    >> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
    >> >> >
    >> >> > Now the accounting group can see the finance group even though they
    >> >> > can't
    >> >> > access it.
    >> >> > I turned on Access-based Enumeration for both folders, and created
    >> >> > a
    >> >> > Generic application in the Cluster aministrator: "cmd /k abecmd
    >> >> > /enable
    >> >> > groupaccounting$"
    >> >> > I did this vor all shares but still everyone can see all shares in
    >> >> > the
    >> >> > groups, even the ones they dont have access to.
    >> >> >
    >> >> > Any ideas how to hide the shares for people who dont have access to
    >> >> > them?
    >> >>
    >> >>
    >> >>

    >>
    >>
    >>
     
    Isaac Oben [MCITP:EA, MCSE], Apr 7, 2009
    #7
  8. Raymond Verstegen

    DaveMills Guest

    On Tue, 7 Apr 2009 02:47:01 -0700, Raymond Verstegen
    <> wrote:

    >Im not sharing the group folder, only the folders in the group folder.
    >In the old situation i shared the group folder, since all subfolders where
    >there.
    >There everything worked as inteded.
    >now im not sharing the group folder anymore, because all subfolders are not
    >only in the group folder anymore, but devided on different discs/partitions.
    >So in DFS i created groups/accounting pointing is to c:\groups\accounting.
    >But if would share the groups (c:\groups) folder the folder
    >d:\groups\finance wouldn't be vissible


    Try this: Create a new folder in the DFS console called say "test". Do not add
    any links. Now look at who can see that folder. I think you will find most can
    see the new folder. This is the crux of the problem ABE is reacting to the NTFS
    permissions on the folder. This persists even after you add links, even though
    the user cannot access the link target.

    >
    >
    >"Isaac Oben [MCITP:EA, MCSE]" wrote:
    >
    >> Hello Raymond,
    >>
    >> I might not have been clear with my previous post.
    >>
    >> Make sure ABE is installed on all server hosting DFS.
    >> Turn on ABE on "Group"' Share by checking box "enable access-based
    >> enumeration on this shared folder"
    >> Make sure "Accounting and Finance" are properly shared and ntfs permissions
    >> are in place. For the Accounting Share, I will give Full Control to
    >> Accounting Users, System, Administrator, Owner creator, and remove
    >> everytihng else, add Users (Domain.com\Users) and grant following
    >> permissions
    >> List Folder / Read Data
    >> Read Attributes
    >> Read Extended Attributes
    >>
    >> Now apply ACL to the Accounting and Financing Folders (Ghost folders)
    >> CACLS C:\Groups\Accounting /E /G DomainName\Accounting:C
    >> and
    >> CACLS C:\Groups\Finance /E /G DomainName\Finance:C
    >>
    >> Your ABE for DFS should be good now
    >>
    >> Hope this helps
    >>
    >> Isaac
    >>
    >>
    >> "Raymond Verstegen" <> wrote in
    >> message news:...
    >> > Hi Isaac,
    >> >
    >> > Thanks for the fast reply.
    >> > The accounting department already has access to the accounting share, and
    >> > the finance department to their share.
    >> > The problem is, is that the accounting deparment sees the finance share,
    >> > and
    >> > the other way around.
    >> >
    >> >
    >> > "Isaac Oben [MCITP:EA, MCSE]" wrote:
    >> >
    >> >> Hello Raymond,
    >> >>
    >> >> Assuming you are using domain based dfs and you have ABE installed and
    >> >> enabled on the main share, try
    >> >>
    >> >> CACLS C:\DFSMainRoot\Groups\Accounting /E /G DOMAIN-NAME\Accounting:C
    >> >> (this
    >> >> will depend on the rights, F= full etc)
    >> >>
    >> >> Isaac
    >> >>
    >> >> "Raymond Verstegen" <Raymond > wrote
    >> >> in
    >> >> message news:...
    >> >> > We are using Windows 2003.
    >> >> > Old configuration:
    >> >> > We had a cluster share for example groups$ refering to c:\groups.
    >> >> > Under c:\groups where a lot of subfolders for the different
    >> >> > departments.
    >> >> > User only got to see the shares they had access to.
    >> >> >
    >> >> > We made shares (in the cluster administrator) for all folders under
    >> >> > c:\groups (groupaccounting$ referring to c:\groups\accounting,
    >> >> > groupfinance$
    >> >> > referring to d:\groups\finance) ect ect.
    >> >> > I made in DFS a Groups\Finance and a Groups\Accounting.
    >> >> >
    >> >> > Now the accounting group can see the finance group even though they
    >> >> > can't
    >> >> > access it.
    >> >> > I turned on Access-based Enumeration for both folders, and created a
    >> >> > Generic application in the Cluster aministrator: "cmd /k abecmd /enable
    >> >> > groupaccounting$"
    >> >> > I did this vor all shares but still everyone can see all shares in the
    >> >> > groups, even the ones they dont have access to.
    >> >> >
    >> >> > Any ideas how to hide the shares for people who dont have access to
    >> >> > them?
    >> >>
    >> >>
    >> >>

    >>
    >>
    >>

    --
    Dave Mills
    There are 10 types of people, those that understand binary and those that don't.
     
    DaveMills, Apr 7, 2009
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. USBC_GT

    Hiding Shares

    USBC_GT, Jul 23, 2004, in forum: Windows Server
    Replies:
    4
    Views:
    186
    Kristofer Gafvert
    Jul 23, 2004
  2. George

    Hiding Network Shares from listing

    George, Sep 13, 2007, in forum: Windows Small Business Server
    Replies:
    2
    Views:
    186
    Gregg Hill
    Sep 16, 2007
  3. dsmcd

    Win2003: Hiding shares in Net Neighborhood

    dsmcd, Feb 26, 2004, in forum: Active Directory
    Replies:
    3
    Views:
    166
    dsmcd
    Feb 26, 2004
  4. Michael B

    Hiding System Shares?

    Michael B, Feb 9, 2006, in forum: Server Setup
    Replies:
    1
    Views:
    179
    Lanwench [MVP - Exchange]
    Feb 9, 2006
  5. Adam Landefeld
    Replies:
    0
    Views:
    661
    Adam Landefeld
    Jan 23, 2006
Loading...

Share This Page