Share via


Enable Access-Based Enumeration on a Namespace

Updated: October 16, 2013

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Access-based enumeration hides files and folders that users do not have permission to access. By default, this feature is not enabled for DFS namespaces. You can enable access-based enumeration of DFS folders by using DFS Management. To control access-based enumeration of files and folders in folder targets, you must enable access-based enumeration on each shared folder by using Share and Storage Management.

To enable access-based enumeration on a namespace, all namespace servers must be running Windows Server 2008 or newer. Additionally, domain-based namespaces must use the Windows Server 2008 mode. For information about the requirements of the Windows Server 2008 mode, see Choose a Namespace Type.

In some environments, enabling access-based enumeration can cause high CPU utilization on the server and slow response times for users. For more information, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=140356).

Note

If you upgrade the domain functional level to Windows Server 2008 while there are existing domain-based namespaces, DFS Management will allow you to enable access-based enumeration on these namespaces. However, you will not be able to edit permissions to hide folders from any groups or users unless you migrate the namespaces to the Windows Server 2008 mode. For more information, see Migrate a Domain-based Namespace to Windows Server 2008 Mode.

To use access-based enumeration with DFS Namespaces to control which groups or users can view which DFS folders, you must follow these steps.

  • Enable access-based enumeration on a namespace

  • Control which users and groups can view individual DFS folders

Warning

Access-based enumeration does not prevent users from getting a referral to a folder target if they already know the DFS path. Only the share permissions or the NTFS file system permissions of the folder target (shared folder) itself can prevent users from accessing a folder target. DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access, making Read access the only relevant permission at the DFS folder level. For more information, see Using Inherited Permissions with Access-Based Enumeration.

Enabling access-based enumeration on a namespace

  • Using the Windows interface

  • Using a command line

Tip

To manage access-based enumeration on a namespace by using Windows PowerShell, use the Set-DfsnRoot, Grant-DfsnAccess, and Revoke-DfsnAccess cmdlets. The DFSN Windows PowerShell module was introduced in Windows Server 2012.

To enable access-based enumeration by using the Windows interface

  1. In the console tree, under the Namespaces node, right-click the appropriate namespace and then click Properties .

  2. Click the Advanced tab and then select the Enable access-based enumeration for this namespace check box.

To enable access-based enumeration by using a command line

  1. Open a command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.

  2. Type the following command, where <namespace_root> is the root of the namespace:

    dfsutil property abe enable \\
        <namespace_root>
    

Controlling which users and groups can view individual DFS folders

  • Using the Windows interface

  • Using a command line

To control folder visibility by using the Windows interface

  1. In the console tree, under the Namespaces node, locate the folder with targets for which you want to control visibility, right-click it and then click Properties .

  2. Click the Advanced tab.

  3. Click Set explicit view permissions on the DFS folder and then Configure view permissions .

  4. Add or remove groups or users by clicking Add or Remove .

  5. To allow users to see the DFS folder, select the group or user and then select the Allow check box.

    To hide the folder from a group or user, select the group or user and then select the Deny check box.

To control folder visibility by using a command line

  1. Open a command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.

  2. Type the following command, where <DFSPath> is the path of the DFS folder (link), <DOMAIN\Account> is the name of the group or user account, and (…) is replaced with additional Access Control Entries (ACEs):

    dfsutil property sd grant 
        <DFSPath>
       DOMAIN\Account:R 
        (…)
       Protect Replace
    

    For example, to replace existing permissions with permissions that allows the Domain Admins and CONTOSO\Trainers groups Read (R) access to the \\contoso.office\public\training folder, type the following command:

    dfsutil property sd grant \\contoso.office\public\training ”CONTOSO\Domain Admins”:R CONTOSO\Trainers:R Protect Replace 
    
  3. To perform additional tasks from the command prompt, use the following commands

    Command Description

    Dfsutil property sd deny

    Denies a group or user the ability to view the folder.

    Dfsutil property sd reset

    Removes all permissions from the folder.

    Dfsutil property sd revoke

    Removes a group or user ACE from the folder.

Additional references