Made this script to take care of the permissions on the folder links. It
will take the permissions from the shared folders using icacls and then feed
it into the dfsutil utility to set the permissions on the folder links.
Working so far even after rebooting.
Create a \ACLs dir in your script dir before running.
Const FOR_READING = 1
Const OpenAsDefault = -2   'TristateUseDefault: open with the system default encoding
Const FailIfNotExist = 0   'do not create the file if it is missing

strFolder = "F:\SharedVol1" 'folder shares
strDestination = "e:\DFSRoots\Shared" 'folder links (not used below)
strDFSPath = "\\server\shared\"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFolder = objFSO.GetFolder(strFolder)
WScript.Echo objFolder.Path
Set colSubFolders = objFolder.SubFolders

'Pass 1 (commented out as posted): save each share's ACL to .\ACLs\<name>.bin with icacls.
'If you enable the Run line, pass True as the last argument so that the .bin files
'exist before pass 2 reads them.
For Each objFolder In colSubFolders
    'objShell.Run("cmd /c icacls " & Chr(34) & objFolder & Chr(34) & " /save " & Chr(34) & ".\ACLs\" & objFolder.Name & ".bin" & Chr(34) & " /L"),1,False
    'wscript.echo "cmd /k icacls " & Chr(34) & objFolder & Chr(34) & " /save " & Chr(34) & ".\ACLs\" & objFolder.Name & ".bin" & Chr(34) & " /L"
Next

strPresent = "D:" 'Identifies the read line as a DACL

'Pass 2: read each saved file and apply its DACL line to the matching folder link
For Each objFolder In colSubFolders
    strBinFile = ".\ACLs\" & objFolder.Name & ".bin"
    wscript.echo strBinFile
    Set objFile = objFSO.OpenTextFile(strBinFile, FOR_READING, FailIfNotExist, OpenAsDefault)
    Do Until objFile.AtEndOfStream
        strSDDL = objFile.ReadLine
        wscript.echo strSDDL
        If InStr(Left(strSDDL, 2), strPresent) = 1 Then
            'Set the link's ACL through dfsutil, then echo the same command line
            objShell.Run("cmd /c dfsutil property ACL set " & Chr(34) & strDFSPath & objFolder.Name & Chr(34) & " " & strSDDL)
            wscript.echo "cmd /c dfsutil property ACL set " & Chr(34) & strDFSPath & objFolder.Name & Chr(34) & " " & strSDDL
        Else
            'Wscript.Echo "Line is not needed: " & strSDDL
        End If
    Loop
    objFile.Close
Next

Post by Rich
Oh, I just found something else out playing around with some scripts. It
looks like it would be possible to grab the security info from the folders
using ICACLS and then pipe the SDDL results into the dfsutil command. This
would allow me to set the permissions and resync them later on a few hundred
folder links all at once. I will post an example of the script if it works.
Thanks.

Post by Rich
I had the same problems with DFS resetting the ACLs on the folder links also.
It seems that cacls worked for 2003 but that appears to no longer be the case
with 2008. I found that you can keep the permissions from resetting if you
use the dfsutil to set the permission. So far I haven't been able to find a
detailed doc that shows why and how to properly set up ABE with DFS.
dfsutil property ACL grant \\contoso.com\DomainNamespace1\Link1 CONTOSO\UserId:R

Post by Choodee
I too have the same problem with DFS and ABE. What you will find annoying is
that rebooting your DFS server will reset the custom DFS ACLs and disable
ABE on all DFS folder targets. This seems like a big bug to me and had I
known I would not have implemented DFS for my company. My saving grace is
that I use Windows Server 2008 DCs with DFS running in native mode. The DCs
are hardly rebooted so I have time to possibly create a script to
automatically apply ACLs. However, common sense tells me that DFS links
should copy DFS target ACLs.
Thanks
Sandee

Post by Rich
Thanks for the reply. I was hoping that it would refer to the folder
permissions and not require that I have to set file permissions on the links
themselves. I have hundreds of folder links that I will need to set
permissions on which will call for creating a script to read in the current
folder perms and then applying them to the links. Something that to me
doesn't make sense that it would not be using the folder permissions for ABE.
Thanks again.

Post by pwijnants
Hi Rich,
I was having the same problem, I couldn't find anything on the net, this is
1. Enable the ABE on the DFS path
dfsutil property ABE enable <DFSPath>
2. Get rid of any group at the top level that includes users. I had my
DFS roots created on the c: drive and the users group was inherited down to my
DFS links, so the user saw every link. After deleting the users group, I
didn't see any link.
3. You can set the right on the link with
dfsutil property ACL grant \\contoso.com\DomainNamespace1\Link1 CONTOSO\UserId:R
Read right is enough, it is just used for the ABE to have access to it,
afterwards the rights of the linked share are taken into account
After this it seems to work
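
The approach of the script at the top of this thread (copy each shared folder's DACL onto the matching folder link with dfsutil property ACL set), as an added PowerShell example that is not from any poster in the thread. It assumes PowerShell 3.0 or later, reads the DACL with Get-Acl instead of the icacls /save files, reuses the post's paths as defaults, and assumes dfsutil returns a non-zero exit code on failure; the -Apply switch and the Get-DaclSddl helper are hypothetical names.

```powershell
# Added example. $ShareRoot and $DfsPath mirror strFolder and strDFSPath in the post.
param(
    [string]$ShareRoot = 'F:\SharedVol1',     # folder shares
    [string]$DfsPath   = '\\server\shared',   # namespace that holds the folder links
    [switch]$Apply                            # without -Apply nothing is changed
)

# DACL-only SDDL: "D:", optional flags (P, AI, AR), then one or more simple ACEs.
# Empty DACLs and conditional ACEs (nested parentheses) fail the check and are skipped.
$DaclPattern = '^D:[A-Z_]*(\([^()]+\))+$'

function Get-DaclSddl {
    param([Parameter(Mandatory)][string]$Path)
    # 'Access' limits the SDDL to the DACL: no owner, group or SACL is emitted.
    (Get-Acl -LiteralPath $Path).GetSecurityDescriptorSddlForm('Access')
}

foreach ($dir in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    $link = '{0}\{1}' -f $DfsPath.TrimEnd('\'), $dir.Name
    $sddl = Get-DaclSddl -Path $dir.FullName

    # Refuse anything that is not a plain DACL string before it reaches dfsutil.
    if ($sddl -cnotmatch $DaclPattern) {
        Write-Warning "Skipping ${link}: unexpected DACL string '$sddl'"
        continue
    }

    if (-not $Apply) {
        # Dry run: show what would be executed and move on.
        Write-Output "DRY RUN: dfsutil property ACL set `"$link`" $sddl"
        continue
    }

    # Call dfsutil directly. The folder name and the SDDL are passed as separate
    # arguments and are not re-parsed by cmd.exe, as they are with "cmd /c".
    & dfsutil.exe property ACL set $link $sddl
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dfsutil failed for $link (exit code $LASTEXITCODE)"
    }
}
```

Run it once without -Apply and review the printed commands before applying them to a few hundred links.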