5

I have made a DFS Namespace named \\dc1\bank. It contains some folders from other file servers (for example, \\dc1\bank\folder1 is the folder on \\fs1\folder1). I want to restrict users from directly accessing folders on the other file servers (for example, restricting direct access to \\fs1\folder1). Can I do this in Windows Server 2008 R2?

MDMarra
arash
  • I think you would just need to set the permissions to disallow those users from logging on to the machine whose folders you don't want them to access directly. Then they can only access through the share, that's my thoughts. – Chris Marisic Nov 14 '11 at 13:39

3 Answers

3

Just give the users Traverse Directory only on \\dc1\bank and they'll only be able to navigate the directory. If you don't give them List Folder/Read Data, then they won't even be able to see anything in it.

Then just give them whatever permissions they need on \\fs1\folder1 and map it to the users however you normally would (GPO, logon script, email the link, etc). The security model is identical to how you would solve this problem without DFS.

MDMarra
  • 1
    Thank you Mark, but my issue is that I want users to be able to access "\\fs1\folder1" just by typing "\\dc1\bank" (I have done this with DFSn). The problem is that I want to prevent access to "\\fs1\folder1" by directly typing "\\fs1\folder1". Does this issue need any third-party applications? Again, thanks to all. – arash Nov 16 '11 at 06:01
  • 1
    Oh, in that case you can't do that. When you go to the dfs path, there is a transparent link to the server path. What you're asking for isn't possible. – MDMarra Nov 16 '11 at 11:48
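
Added example, not part of the original thread: a read-only PowerShell check of the layout the answer above describes (Traverse without List Folder on the namespace root, the real permissions on the folder target). `EXAMPLE\BankUsers` is a hypothetical group name, and only ACEs that name it directly are counted.

```powershell
# Added example (not from the original thread). Read-only: changes no permissions.
# Assumptions: EXAMPLE\BankUsers is a hypothetical group; nested group
# membership is not resolved, only ACEs naming the identity directly.
param(
    [string]$NamespaceRoot = '\\dc1\bank',        # DFS path from the question
    [string]$TargetFolder  = '\\fs1\folder1',     # folder target from the question
    [string]$Identity      = 'EXAMPLE\BankUsers'  # hypothetical group name
)

$FSR      = [System.Security.AccessControl.FileSystemRights]
$Traverse = [int]$FSR::Traverse        # same bit as ExecuteFile
$List     = [int]$FSR::ListDirectory   # same bit as ReadData

function Get-DirectMask {
    param([string]$Path, [string]$Identity)
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        # Skip inherit-only ACEs: they apply to children, not this folder
        if ([int]$ace.PropagationFlags -band 2) { continue }   # 2 = InheritOnly
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else                                    { $deny  = $deny  -bor $mask }
    }
    # Simplification: any Deny bit for this identity wins over Allow
    return ($allow -band (-bnot $deny))
}

$rootMask   = Get-DirectMask -Path $NamespaceRoot -Identity $Identity
$targetMask = Get-DirectMask -Path $TargetFolder  -Identity $Identity

New-Object PSObject -Property @{
    Identity        = $Identity
    RootCanTraverse = [bool]($rootMask -band $Traverse)
    RootCanList     = [bool]($rootMask -band $List)    # the answer wants False
    TargetCanList   = [bool]($targetMask -band $List)
    TargetMaskHex   = '0x{0:X8}' -f $targetMask        # raw rights on the target
}
```

Run it with an account that can read the ACLs on both paths. The target's rights are the same whichever path the user types, because the ACL lives on the target folder.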
0

There is simply no way of doing what you want to do, since DFS is just a referral to the actual server, not a pass-through.

When a user accesses \\dc1\bank he is redirected to the DFS target. The data is not fed through dc1!

You could use a $ share. That way the user doesn't see it immediately when accessing \\fs1.

But when you right-click e.g. on the network drive, the user can see where \\dc1\bank points to. Then they can access the dollar share.

Jonathan
0

You could rename the share on FS1, so if they type \\FS1\Folder1 it simply won't work anymore. DFS will use the new share name that you assign, and so the only way for them to get there would be through DFS.

Sandra