DFS Access Based Enumeration ABE

Discussion in 'File Systems' started by Rich, Aug 22, 2008.

  1. Rich

    Rich Guest

    I am trying to implement ABE on a DFS root. I have ran the dfsutil and
    enabled ABE for the DFS root. dfsutil property ABE <DFSPath>. It says it is
    now enabled my test user account can still see all folders. This test user
    account does not have permissions on the target folders. What am I missing?
    Rich, Aug 22, 2008
    1. Advertisements

  2. Rich

    pwijnants Guest

    Hi Rich,

    I was having the same problem, i could'nt find anything on the net, this is
    what i came up with after several hours of searching :

    1. Enable the ABE on the DFSpath

    dfsutil property ABE <DFSPath>

    2. Get rid of any group at the toplevel that includes users. I had my
    dfsroots created on the c: drive and the users group was herited down to mys
    dfs links, so the user saw every link. After deleting the users group, i
    did'nt see any link.

    3. You can set the right on the link with

    dfsutil property ACL grant \\contoso.com\DomainNamespace1\Link1

    Read right is enough, it is just used for the ABE to have access to it,
    afterwards the rigths of the linked share are taken into account

    After this it seems to work
    pwijnants, Aug 24, 2008
    1. Advertisements

  3. Rich

    Rich Guest

    Thanks for the reply. I was hoping that it would refer to the folder
    permissions and not require that I have to set file permissions on the links
    themselves. I have hundreds of folder links that I will need to set
    permissions on which will call for creating a script to read in the current
    folder perms and then applying them to the links. Something that to me
    doesnt make sense that it would not be using the folder permissions for ABE.
    Thanks again.
    Rich, Aug 25, 2008
  4. Rich

    Choodee Guest

    I too have the same problem with DFS and ABE. What you will find annoying is
    that rebooting your DFS server will reset the custom DFS ACL's and disable
    ABE on all DFS folder targets. This seems like a big bug to me and had i
    known i would not have implemented DFS for my company. My saving grace is
    that i use Window server 2008 DC's with DFS running in native mode. The DC's
    are hardly rebooted so i have time to possibly create a script to
    automatically apply acls. However, common sense tells me that dfs links
    should copy dfs target acls.

    Choodee, Sep 2, 2008
  5. Rich

    tkutil Guest

    You need to have the same permissions on the share as in the dfsroot folder.

    Set folder permissions (not share0 on the shared folder
    Set the same permissions the DFS link that is created under your dfs root
    folder. You can use cacls to set the permissions.

    cacls dfs-share-name /e /g username:f

    Stop/Start DFS
    tkutil, Sep 2, 2008
  6. Rich

    Rich Guest

    I had the same problems with DFS resetting the ACLs on the folder links also.
    It seems that cacls worked for 2003 but that appears to no longer be the case
    with 2008. I found that you can keep the permissions from resetting if you
    use the dfsutil to set the permission. So far I havent been able to find a
    detailed doc that shows why and how to properly setup ABE with DFS.

    dfsutil property ACL grant \\contoso.com\DomainNamespace1\Link1
    Rich, Sep 4, 2008
  7. Rich

    Rich Guest

    Oh i just found something else out playing around with some scripts. It
    looks like it would be possible to grab the security info from the folders
    using ICACLS and then pipe the SDDL results into the dfsutil command. This
    would allow me to set the permissions and resync them later on a few hundred
    folder links all at once. I will post a example of script if it works.
    Rich, Sep 4, 2008
  8. Rich

    Rich Guest

    Made this script to take care of the permissions on the folder links. It
    will take the permissions from the shared folders using icacls and then feed
    it into the dfsutil utility to set the permissions on the folder links.
    Working so far even after rebooting.

    Create a \ACLs dir in your script dir before running.

    Const FOR_READING = 1
    Const OpenAsDefault = -2
    Const FailIfNotExist = 0
    strFolder = "F:\SharedVol1" 'folder shares
    strDestination = "e:\DFSRoots\Shared" 'folder links
    strDFSPath = "\\server\shared\"

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = WScript.CreateObject("WScript.Shell")
    Set objFolder = objFSO.GetFolder(strFolder)
    WScript.Echo objFolder.Path
    Set colSubFolders = objFolder.SubFolders

    For Each objFolder In colSubFolders

    'objShell.Run("cmd /c icacls " & Chr(34)& objFolder & Chr(34) & " /save " &
    Chr(34) & ".\ACLs\" & objFolder.Name & ".bin" & Chr(34)& " /L"),1,False
    'wscript.echo "cmd /k icacls " & Chr(34) & objFolder & Chr(34) & " /save "
    & Chr(34) & ".\ACLs\" & objFolder.Name & ".bin" & Chr(34)& " /L"


    strPresent = "D:" 'Identifies the read line as a DACL
    For Each objFolder In colSubFolders
    strBinFile = ".\ACLs\" & ObjFolder.Name & ".bin"
    wscript.echo strBinFile

    Set objFile = ObjFSO.OpenTextFile(strBinFile , FOR_READING, FailIfNotExist,

    Do Until objFile.AtEndOfStream
    strSDDL = objFile.ReadLine
    wscript.echo strSDDL
    If InStr(Left(strSDDL, 2),strPresent)= 1 Then
    objShell.Run("cmd /c dfsutil property ACL set " & Chr(34) & strDFSPath &
    objFolder.Name & Chr(34) & " " & strSDDL)
    wscript.echo "cmd /c dfsutil property ACL set " & Chr(34) & strDFSPath &
    objFolder.Name & Chr(34) & strSDDL
    'Wscript.Echo "Line is not needed: " & strSDDL
    End If

    Rich, Sep 5, 2008
  9. Rich

    Chalky Guest

    Hey Rich, this might not help, as my setup is a bit different from yours:
    I've only got a couple of links, so I enabled ABE on the target shares
    themselves on the file-servers. That suited me, as I wasn't trying to hide
    the DFS folders, just the folders within the targets.


    I have hundreds of folder links that I will need to set permissions on...
    Chalky, Nov 13, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.