For each DFS root replica the following should be enough, e.g. (you will need to do this for EACH DFS root replica MANUALLY):

C:\DFSnamespaces-------------------NTFS perms: Auth. Users->Read
C:\DFSnamespaces\DFSroot-----------NTFS perms: Auth. Users->Read
Share DFSroot OR DFSroot$ = C:\DFSnamespaces\DFSroot
Share perms: Auth. Users->Read

I say MANUALLY because normally you will not set up NTFRS/DFS-R replication for the DFS root itself. The root can be considered as a starting point/placeholder, and if it is a domain-based DFS root the info is stored in AD and replicated. Again, in this case the NTFS perms and share perms are not replicated to other DFS root replicas because no file-based replication is set up.

IMHO, file-based replication is ONLY set up for the DFS links below the DFS root.

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : <see sender address>
________________________________

From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Mon 2006-07-24 23:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS

We built a DFS Root on a Windows 2000 domain controller and the root of the share has "Everyone" Full Control. E.g. if I go to \\domain.com, right click on the DFS root's properties, the security tab.

Can I simply take FC away? I'm a bit hesitant because it lives on the DC and came this way by default.

Bryan Lucas
Server Administrator
Texas Christian University
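
A local audit of the permission layout given in the reply at the top of this thread, as an added example that is not part of either message: it flags broad principals holding more than Read on the namespace folders or on the root share. The folder paths and share name are the reply's examples, and `Get-SmbShareAccess` is assumed to be available (Windows Server 2012 or later), which is not the case on the Windows 2000 server in the question.

```powershell
# Added example: run locally on EACH DFS root replica (nothing replicates these ACLs).
param(
    [string[]]$Folders = @('C:\DFSnamespaces', 'C:\DFSnamespaces\DFSroot'),  # reply's example paths
    [string]$ShareName = 'DFSroot'                                            # or 'DFSroot$'
)

# Broad principals that should hold Read only on a namespace root.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# Rights beyond read/list/traverse, plus GENERIC_ALL and GENERIC_WRITE,
# which show up as raw values on inherit-only ACEs.
$named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$named -bor 0x10000000 -bor 0x40000000

$findings = @()

# NTFS layer: both the parent folder and the root folder itself.
foreach ($folder in $Folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
        $isBroad = $broad -contains $ace.IdentityReference.Value
        $isAllow = "$($ace.AccessControlType)" -eq 'Allow'
        if ($isBroad -and $isAllow -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            $findings += [pscustomobject]@{
                Layer = 'NTFS'; Target = $folder
                Principal = $ace.IdentityReference.Value
                Rights = "$($ace.FileSystemRights)"; Inherited = $ace.IsInherited
            }
        }
    }
}

# Share layer: evaluated separately from NTFS, so check it as well.
foreach ($entry in (Get-SmbShareAccess -Name $ShareName)) {
    $isBroad = $broad -contains $entry.AccountName
    $isAllow = "$($entry.AccessControlType)" -eq 'Allow'
    if ($isBroad -and $isAllow -and ("$($entry.AccessRight)" -ne 'Read')) {
        $findings += [pscustomobject]@{
            Layer = 'Share'; Target = $ShareName
            Principal = $entry.AccountName
            Rights = "$($entry.AccessRight)"; Inherited = $false
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No broad principal has more than Read on $ShareName or its folders." }
```

An inherited NTFS finding means the entry has to be corrected on a parent folder rather than on the root folder itself.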