Delegate management permissions for DFS Namespaces
The following table describes the groups that can perform basic namespace tasks by default, and the method for delegating the ability to perform these tasks:
Task | Groups that Can Perform this Task by Default | Delegation Method |
---|---|---|
Create a domain-based namespace | Domain Admins group in the domain where the namespace is configured | Right-click the Namespaces node in the console tree, and then click Delegate Management Permissions. Or use the Set-DfsnRoot GrantAdminAccounts and Set-DfsnRoot RevokeAdminAccounts. Windows PowerShell cmdlets (introduced in Windows Server 2012). You must also add the user to the local Administrators group on the namespace server. |
Add a namespace server to a domain-based namespace | Domain Admins group in the domain where the namespace is configured | Right-click the domain-based namespace in the console tree, and then click Delegate Management Permissions. Or use the Set-DfsnRoot GrantAdminAccounts and Set-DfsnRoot RevokeAdminAccounts. Windows PowerShell cmdlets (introduced in Windows Server 2012). You must also add the user to the local Administrators group on the namespace server to be added. |
Manage a domain-based namespace | Local Administrators group on each namespace server | Right-click the domain-based namespace in the console tree, and then click Delegate Management Permissions. |
Create a stand-alone namespace | Local Administrators group on the namespace server | Add the user to the local Administrators group on the namespace server. |
Manage a stand-alone namespace* | Local Administrators group on the namespace server | Right-click the stand-alone namespace in the console tree, and then click Delegate Management Permissions. Or use the Set-DfsnRoot GrantAdminAccounts and Set-DfsnRoot RevokeAdminAccounts. Windows PowerShell cmdlets (introduced in Windows Server 2012). |
Create a replication group or enable DFS Replication on a folder | Domain Admins group in the domain where the namespace is configured | Right-click the Replication node in the console tree, and then click Delegate Management Permissions. |
*Delegating management permissions to manage a stand-alone namespace does not grant the user the ability to view and manage security by using the Delegation tab unless the user is a member of the local Administrators group on the namespace server. This issue occurs because the DFS Management snap-in cannot retrieve the discretionary access control lists (DACLs) for the stand-alone namespace from the registry.