Moving to a Distributed File System required testing for a few parity features. One of those was Access-Based Enumeration. This simplifies an end-user’s navigation experience because they only see the folders that they have access to. This was in place in our current file servers and would be a tough sell without the feature.
Access-based enumeration is easy to turn on for your namespace but configuring it requires a little more attention to detail. Right-click on your namespace and go to Properties. Under the Advanced tab, there is a simple checkbox to ‘Enable access-based enumeration for this namespace’.
Looking at the folder target properties, it also has an Advanced tab to specify view permissions of the folder. The default option is to ‘Use inherited permissions from the local file system’. I was hoping for the interpretation that it would pull the permissions from the target of the folder but I was not so lucky. It uses the local permissions of the DFS Namespace server with the DFSRoot folder. This meant by default, members of Domain Users were able to see all folder targets, even if it pointed to a server where they did not have access or the target server had access-based enumeration turned on. Instead, I would need to use the ‘Set explicit view permissions on the DFS folder’.
Wanting to script the creation of the folder targets, I found the PowerShell cmdlet Grant-DfsnAccess and thought it would do exactly what I needed. Unfortunately, it seems to have a bug that does not work for access-based enumeration. The problem is described in KB2938148:
Although the Grant-DfsnAccess cmdlet successfully configures the view permissions for individual groups or users, the cmdlet does not change the inheritance mode from use inherited to set explicit. Therefore, the permissions that are set on the link do not take effect.
There are two methods suggested to work around the problem.
Manually disable inheritance in the DFS Management Console by selecting the Set explicit view permissions option.
Use the dfsutil property sd grant command instead.
The problem was such that using the Grant-DfsnAccess cmdlet would revert the setting back to ‘Use inherited permissions from the local file system’. So even if you manually fixed the issue before and ran the cmdlet again, you would have to manually fix it again.
The explicit permission is a simple Allow or Deny read-access, so it’s not complex but needing to set it for each person or group that needs access to your DFS folder target would be tedious and should be scripted away to reduce errors and inconsistency. I used the dfsutil command line method in my PowerShell script and it worked perfectly fine.
The following line would allow user SarahConnors to Read the folder target while others would not see the folder target as an option.
dfsutil property sd grant \\404techsupport.com\Projects\IT 404TS\SarahConnors:RX protect
Of course, you still need to set your permissions properly on the target server for proper security.