Strange security issue with DFS

Discussion in 'File Systems' started by JackH, Jul 23, 2009.

  1. JackH

    JackH Guest


    Windows 2008.

    I currently have a DFS share named Termed Staff which contains a folder of
    each staff name and their documents.

    Now, I have a security group "SEC-Termed Staff" which allows staff access to
    this folder and maps the drive letter.

    Security is not inherited within the Termed Staff folder. The only
    permissions are System, Domain Admin-Full access, and the local

    My plan is to assign staff read only permissions to the specific folders
    within on an as needed basis.

    What I am finding is that currently anyone is able to access these folders
    within the Termed Staff folder and create folders.

    I'm going crazy trying to find out why they can access these folders when
    they are not in any of the groups that have access to this. Any ideas???

    I'm assuming this is related to DFS in some way but I could be wrong.
    JackH, Jul 23, 2009

  2. JackH

    JackH Guest

    I think I know what part of the issue is. I'm new with DFS so.... I had
    created the DFSRoot folder and then created my folders in there and added
    them to the name space. I'm thinking what I should do is create a folder at
    d:\shares\Shared Folder and then add that folder to the dfs name space? Is
    that the correct way to do this?
    JackH, Jul 23, 2009

  3. JackH

    DaveMills Guest

    You can create folders in the DFSRoot and they will be C:\DFSRoot\Newfolder but
    you cannot add other physical folders to the name space. You can only add link
    targets and they are UNC paths.
    DaveMills, Jul 23, 2009
  4. JackH

    JackH Guest

    Cool. I have run into something else and maybe this is by design.

    I'm setting the permissions for folders on the server, not via the
    namespace. What I'm finding is that if I don't remove the
    Domain\Administrator account, not the Domain\Domain Administrator account,
    staff have full rights to the folders. Why would this be as they are not
    members of this administrator account?
    JackH, Jul 23, 2009
  5. JackH

    IT Staff Guest

    I'm having the same security issues as you.

    It is common to set permissions on the remote servers and then use DFS to
    add these remote servers as target folders.

    But I realised that if you set up a hub/spoke, the hub member server
    permissions will override the remote server target folders.

    I've not tried anything yet; one thing you can try is to assign the hub member
    server the same permissions as the rest of the remote servers and
    see whether this works.
    IT Staff, Jul 24, 2009
  6. Something else has gone wrong.
    The NTFS security is replicated. So you should start with both target folder
    roots having the same permissions. If they have different permissions you
    will get a strange result, where a root permission does not trickle down
    even though it says it does. You should never set permissions on the DFS
    root folders. These are just storing information about the DFS target, and
    users obviously need to be able to read the information.
    You can set different Share permissions on the target folders. These are not
    replicated. So for example you could enable the helpdesk to modify files at
    a central site, but make a hub site Read Only.
    Hope that helps,
    Anthony [MVP], Jul 24, 2009
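
One way to check the two points raised in the thread, that both target folder roots should carry the same NTFS permissions and that unexpected identities can create folders, is to read the ACLs directly on the targets rather than through the namespace. This is an added example, not code from the thread; the UNC paths are hypothetical placeholders and PowerShell 3.0 or later is assumed.

```powershell
# Added example. The UNC paths are hypothetical placeholders for the two
# DFS folder targets; run with an account that can read the ACLs.
param(
    [string]$TargetA = '\\SERVER1\Shares\Termed Staff',
    [string]$TargetB = '\\SERVER2\Shares\Termed Staff'
)

$createDir = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-AceSummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Path      = $Path
            Protected = $acl.AreAccessRulesProtected   # True = inheritance disabled
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType.ToString()
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            # Generic-rights ACEs (shown as plain numbers) are not decoded here.
            CanCreateFolders = ($ace.AccessControlType -eq 'Allow') -and
                               [bool]([int]$ace.FileSystemRights -band $createDir)
        }
    }
}

# 1. The two target roots should carry the same NTFS ACEs.
$a = @(Get-AceSummary $TargetA)
$b = @(Get-AceSummary $TargetB)
$props = 'Identity', 'Type', 'Rights', 'Inherited', 'AppliesTo'
if ($a.Count -eq 0 -or $b.Count -eq 0) {
    Write-Warning 'One target root returned no ACEs; compare manually.'
} else {
    $diff = Compare-Object $a $b -Property $props
    if ($diff) { $diff | Sort-Object Identity | Format-Table -AutoSize }
    else { 'Target root ACLs match.' }
}

# 2. Who can create folders in the root and in each staff folder?
$folders = @($TargetA) + @(Get-ChildItem -LiteralPath $TargetA -Directory |
    ForEach-Object { $_.FullName })
$folders | ForEach-Object { Get-AceSummary $_ } |
    Where-Object CanCreateFolders |
    Sort-Object Path, Identity |
    Format-Table Path, Identity, Rights, Inherited, Protected -AutoSize
```

Any identity in the second table that is not one of the intended groups is a candidate explanation for staff being able to create folders; share permissions are not covered by this check.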