By default, the permissions used for a DFS folder are inherited from the local file system of the namespace server. The permissions are inherited from the root directory of the system drive and grant the DOMAIN\Users group Read permissions. As a result, even after enabling access-based enumeration, all folders in the namespace remain visible to all domain users.
Advantages and limitations of inherited permissions
There are two primary benefits to using inherited permissions to control which users can view folders in a DFS namespace:
- You can quickly apply inherited permissions to many folders without having to use scripts.
- You can apply inherited permissions to namespace roots and folders without targets.
Despite the benefits, inherited permissions in DFS Namespaces have many limitations that make them inappropriate for most environments:
- Modifications to inherited permissions are not replicated to other namespace servers. Therefore, use inherited permissions only on stand-alone namespaces or in environments where you can implement a third-party replication system to keep the Access Control Lists (ACLs) on all namespace servers
- DFS Management and Dfsutil cannot view or modify inherited permissions. Therefore, you must use Windows Explorer or the Icacls command in addition to DFS Management or Dfsutil to manage the namespace.
- When using inherited permissions, you cannot modify the permissions of a folder with targets except by using the Dfsutil command. DFS Namespaces automatically removes permissions from folders with targets set using other tools or methods.
- If you set permissions on a folder with targets while you are using inherited permissions, the ACL that you set on the folder with targets combines with inherited permissions from the folder’s parent in the file system. You must examine both sets of permissions to determine what the net permissions are.
When using inherited permissions, it is simplest to set permissions on namespace roots and folders without targets. Then use inherited permissions on folders with targets so that they inherit all permissions from their parents.
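The following PowerShell is an added example, not part of the original documentation. It lists the explicit and inherited ACEs that together make up the net permissions on a namespace root or folder without targets, marks broad groups that can still list it, and checks whether the DACL has drifted between namespace servers. The server names, the admin-share path and the list of broad groups are assumptions.

```powershell
# Added example, not from the original documentation.
# Server names and the folder path are constructed placeholders.
$Servers = 'NS1', 'NS2'               # namespace servers (assumed names)
$RelPath = 'C$\DFSRoots\Public'       # namespace root in each server's local file system (assumed)
$Broad   = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users'
$ListBit = [System.Security.AccessControl.FileSystemRights]::ListDirectory

function Get-NamespaceFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$RelativePath
    )
    $acl = Get-Acl -LiteralPath "\\$Server\$RelativePath"
    foreach ($ace in $acl.Access) {
        # Strip the DOMAIN\ or BUILTIN\ prefix before matching broad groups.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        [pscustomobject]@{
            Server    = $Server
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Source    = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            # True when a broad group is allowed to list this folder.
            BroadList = ($ace.AccessControlType -eq 'Allow') -and
                        ($name -in $Broad) -and
                        (($ace.FileSystemRights -band $ListBit) -ne 0)
            # DACL only, so owner or audit differences do not count as drift.
            Dacl      = $acl.GetSecurityDescriptorSddlForm('Access')
        }
    }
}

$aces = foreach ($s in $Servers) {
    Get-NamespaceFolderAcl -Server $s -RelativePath $RelPath
}

# Net permissions are the explicit ACEs plus the inherited ones: show both.
$aces | Sort-Object Server, Source |
    Format-Table Server, Identity, Type, Rights, Source, BroadList -AutoSize

# Inherited permissions are not replicated between namespace servers,
# so more than one distinct DACL means the servers have drifted apart.
$groups = @($aces | Select-Object Server, Dacl -Unique | Group-Object Dacl)
if ($groups.Count -gt 1) {
    Write-Warning "DACL differs between namespace servers for $RelPath"
    $groups | ForEach-Object { '{0}: {1}' -f ($_.Group.Server -join ','), $_.Name }
}
```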
Using inherited permissions
To limit which users can view a DFS folder, you must perform one of the following tasks:
- Set explicit permissions for the folder, disabling inheritance. To set explicit permissions on a folder with targets (a link) using DFS Management or the Dfsutil command, see Enable Access-Based Enumeration on a Namespace.
- Modify inherited permissions on the parent in the local file system. To modify the permissions inherited by a folder with targets, if you have already set explicit permissions on the folder, switch to inherited permissions from explicit permissions, as discussed in the following procedure. Then use Windows Explorer or the Icacls command to modify the permissions of the folder from which the folder with targets inherits its permissions, as described on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=140259).
Access-based enumeration does not prevent users from obtaining a referral to a folder target if they already know the DFS path of the folder with targets. Permissions set using Windows Explorer or
To switch from explicit permissions to inherited permissions
In the console tree, under the Namespaces node, locate the folder with targets for which you want to control visibility, right-click the folder and then click Properties.
Click the Advanced tab.
Click Use inherited permissions from the local file system and then click OK in the Confirm Use of Inherited Permissions dialog box.
Doing this removes all explicitly set permissions on this folder, restoring inherited NTFS permissions from the local file system of the namespace server.
To change the inherited permissions for folders or namespace roots in a DFS namespace, use Windows Explorer or the Icacls command, as described on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=140259).
To change the way permissions are applied by using a command prompt, or to restore inheritance of NTFS permissions from the local file system and preserve permissions that were set by using DFS Management, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=140259).