by coderaven at 2012-09-04 12:46:00
I wanted to see if anyone knows how to determine if a folder is shared via DFS.
I want to automate the setting of the file permissions for my company. We have a domain DFS that has a DFS folder called Share at the root. Under this Share folder there are 300+ different shares for different departments or needs. Inside these sub folders permissions may be restricted to a further subset of users. Using ABE in DFS and the file system, users only see the folders they have access to as they browse.
– Department 1
– Department 2
— Department 2 – Private Files
— Department 2 – Super Files
Path to Super Files — \\domain\dfsroot\share\department 2\PrivateFiles\SuperFiles
At the Department 2 folder the ACL contains the users in department 2 Group with Modify Access (This Folder\Subfolders\and files), PrivateFiles Group with ReadAndExecute (This Folder Only), SuperFiles Group with ReadAndExecute (This Folder Only)
At the PrivateFiles folder the ACL contains the PrivateFiles Group with Modify Access (This Folder\Subfolder and Files), SuperFiles group with ReadAndExecute (This Folder Only)
At the SuperFiles folder the ACL contains the SuperFiles group with Modify (This Folder\ Subfolders\ and files)
On the Department 2 folder – Department 2 Group, PrivateFiles Group and SuperFiles Group have Allow access to see the top level folder in a DFS for ABE
In an effort to automate this I can handle the access easily in DFS and the file ACL, but the script does not really know where to stop and where to set the DFS permissions. Is there a way to determine this?
by poshoholic at 2012-09-04 13:02:33
When you say this:
[quote]In an effort to automate this I can handle the access easily in DFS and the file ACL, but the script does not really know where to stop and where to set the DFS permissions. Is there a way to determine this?[/quote]
Do you mean to indicate you have already automated some of this work, but that you're having an issue with the recursion? The detail you provided here is great, but it would be even better if you also shared the script you have, or a modified/simplified version of it, with a specific issue you're facing in that script so that we can focus on the specific issue rather than re-creating what you have already created.
by coderaven at 2012-09-04 13:48:05
I can automate setting the permissions if I run a script with explicit settings for each level. But I would like to say set permissions on X sub folder and allow users to run it. If so by default when I grant entry level ACL permission (ReadAndExecute – This Folder Only), the script cannot determine where to stop, what is a true path or just a DFS area. In effect it would try to set permissions on the DFSRoot folder. My only idea is to create a function that would analyze the entire DFS structure of one or more DFS trees and try to determine if \\path\to\folder is DFS or not.
by poshoholic at 2012-09-05 13:22:34
I haven't personally used DFS, but I did a quick search and it seems you can manage it using WMI, as identified here: http://msdn.microsoft.com/en-us/library/aa390360(VS.85).aspx. Perhaps using Get-WmiObject with the Win32_DFSNode, Win32_DFSTarget, and Win32_DFSNodeTarget classes will help you identify which paths are DFS folders.
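One way to apply the WMI suggestion above to the "where to stop" problem, as an added example that is not part of the original thread: list the DFS links with Win32_DFSNode, then walk up from the target folder and stop at the link, so the traverse ACEs are never applied to namespace-only folders. It assumes that Win32_DFSNode.Name is reported in the same \\domain\dfsroot\... form as the paths being checked and that "department 2" is a DFS link; the function names and the server name dfs01 are hypothetical.

```powershell
# Added example; server name and link list below are assumptions, not from the thread.
function Get-DfsLinkPath {
    param([Parameter(Mandatory = $true)][string]$NamespaceServer)
    # Win32_DFSNode returns the namespace root and every link; Root is $true for the root.
    Get-WmiObject -Class Win32_DFSNode -ComputerName $NamespaceServer |
        Where-Object { -not $_.Root } |
        ForEach-Object { $_.Name.TrimEnd('\') }
}

function Resolve-DfsBoundary {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string[]]$LinkPath
    )
    $leaf = $Path.TrimEnd('\')
    # Longest link that equals the path or is a parent of it.
    $link = $LinkPath |
        Where-Object {
            $leaf -eq $_ -or
            $leaf.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase)
        } |
        Sort-Object -Property Length -Descending |
        Select-Object -First 1
    $folders = @()
    if ($link) {
        # Walk up from the leaf and stop at the link: these folders take file ACLs.
        $current = $leaf
        while ($true) {
            $folders += $current
            if ($current -eq $link) { break }
            $current = $current.Substring(0, $current.LastIndexOf('\'))
        }
    }
    # Link is $null when the path is a namespace-only folder (the root or above any link).
    New-Object PSObject -Property @{ Path = $leaf; Link = $link; AclFolders = $folders }
}

# Constructed sample standing in for: $links = Get-DfsLinkPath -NamespaceServer 'dfs01'
$links = @('\\domain\dfsroot\share\Department 1', '\\domain\dfsroot\share\department 2')
$result = Resolve-DfsBoundary -Path '\\domain\dfsroot\share\department 2\PrivateFiles\SuperFiles' -LinkPath $links
$result.AclFolders
```

A path that returns an empty AclFolders list (for example \\domain\dfsroot\share) is namespace only, so the script should skip the file ACL there and handle only the DFS/ABE permission.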