Enable Access-Based Enumeration on a Namespace
Updated: October 16, 2013
Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Access-based enumeration hides files and folders that users do not have permission to access. By default, this feature is not enabled for DFS namespaces. You can enable access-based enumeration of DFS folders by using DFS Management. To control access-based enumeration of files and folders in folder targets, you must enable access-based enumeration on each shared folder by using Share and Storage Management.
To enable access-based enumeration on a namespace, all namespace servers must be running Windows Server 2008 or newer. Additionally, domain-based namespaces must use the Windows Server 2008 mode. For information about the requirements of the Windows Server 2008 mode, see Choose a Namespace Type.
In some environments, enabling access-based enumeration can cause high CPU utilization on the server and slow response times for users. For more information, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=140356).
Note
If you upgrade the domain functional level to Windows Server 2008 while there are existing domain-based namespaces, DFS Management will allow you to enable access-based enumeration on these namespaces. However, you will not be able to edit permissions to hide folders from any groups or users unless you migrate the namespaces to the Windows Server 2008 mode. For more information, see Migrate a Domain-based Namespace to Windows Server 2008 Mode.
To use access-based enumeration with DFS Namespaces to control which groups or users can view which DFS folders, you must follow these steps.
Enable access-based enumeration on a namespace
Control which users and groups can view individual DFS folders
Warning
Access-based enumeration does not prevent users from getting a referral to a folder target if they already know the DFS path. Only the share permissions or the NTFS file system permissions of the folder target (shared folder) itself can prevent users from accessing a folder target. DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access, making Read access the only relevant permission at the DFS folder level. For more information, see Using Inherited Permissions with Access-Based Enumeration.
Enabling access-based enumeration on a namespace
Using the Windows interface
Using a command line
Tip
To manage access-based enumeration on a namespace by using Windows PowerShell, use the Set-DfsnRoot, Grant-DfsnAccess, and Revoke-DfsnAccess cmdlets. The DFSN Windows PowerShell module was introduced in Windows Server 2012.
To enable access-based enumeration by using the Windows interface
In the console tree, under the Namespaces node, right-click the appropriate namespace and then click Properties .
Click the Advanced tab and then select the Enable access-based enumeration for this namespace check box.
To enable access-based enumeration by using a command line
Open a command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.
Type the following command, where <namespace_root> is the root of the namespace:
dfsutil property abe enable \\ <namespace_root>
Controlling which users and groups can view individual DFS folders
Using the Windows interface
Using a command line
To control folder visibility by using the Windows interface
In the console tree, under the Namespaces node, locate the folder with targets for which you want to control visibility, right-click it and then click Properties .
Click the Advanced tab.
Click Set explicit view permissions on the DFS folder and then Configure view permissions .
Add or remove groups or users by clicking Add or Remove .
To allow users to see the DFS folder, select the group or user and then select the Allow check box.
To hide the folder from a group or user, select the group or user and then select the Deny check box.
To control folder visibility by using a command line
Open a command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.
Type the following command, where <DFSPath> is the path of the DFS folder (link), <DOMAIN\Account> is the name of the group or user account, and (…) is replaced with additional Access Control Entries (ACEs):
dfsutil property sd grant <DFSPath> DOMAIN\Account:R (…) Protect Replace
For example, to replace existing permissions with permissions that allows the Domain Admins and CONTOSO\Trainers groups Read (R) access to the
\\contoso.office\public\training
folder, type the following command:dfsutil property sd grant \\contoso.office\public\training ”CONTOSO\Domain Admins”:R CONTOSO\Trainers:R Protect Replace
To perform additional tasks from the command prompt, use the following commands
Command Description Dfsutil property sd deny
Denies a group or user the ability to view the folder.
Dfsutil property sd reset
Removes all permissions from the folder.
Dfsutil property sd revoke
Removes a group or user ACE from the folder.