
So Windows Server Dfs apparently does support Access-Based Enumeration (ABE) from Server 2008 on. But it does not seem to work out of the box - the mere creation of links in a root makes them visible to everyone in the domain, irrespective of whether users have read permissions on the target or not.

So how do I make it work?

the-wabbit

1 Answer

According to the documentation for Dfs ABE, the following two conditions need to be met:

  1. ABE needs to be enabled for the Dfs root in question.
  2. Links need to be updated with permissions for the users and groups which need to see them.

So 1. is rather easy. A simple call of

dfsutil property abde enable \\<domain>\<DfsRoot>

will do what's needed. 2. is more complicated, as you probably will not want to set link permissions manually. The basic idea is to script reading of the link targets' permissions and call

dfsutil property acl grant \\<domain>\<DfsRoot> <permission list>

with the data gathered. PowerShell is the tool of choice here. This script, which is simple enough to just be listed here, will handle one level of Dfs links:

# Dfs-SetLinkACEsToTargetACEs.ps1
# Automation for Access-Based Enumeration on Dfs links
# Call: .\Dfs-SetLinkACEsToTargetACEs.ps1 -DfsRootPath \\<Domain>\<DfsRoot>

Param (
    [Parameter(Mandatory=$true)]
    [string]$DfsRootPath
)

# every directory directly below the root is a Dfs link; skip stray files in the root share
Get-ChildItem $DfsRootPath | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $DfsTargetPath = $_.FullName
    $AccessGrant = @()
    $AccessDeny = @()
    # the Dfs client follows the link referral, so Get-Acl returns the target folder's ACL
    (Get-Acl $DfsTargetPath).Access | ForEach-Object {
        # exclude security principals which do not resolve correctly
        # (they show up as a raw domain SID instead of DOMAIN\name)
        If (-not ($_.IdentityReference.Value -like "S-1-5-21*")) {
            If ($_.AccessControlType -eq "Allow") {
                $AccessGrant += "$($_.IdentityReference):R"
            }
            If ($_.AccessControlType -eq "Deny") {
                $AccessDeny += "$($_.IdentityReference):R"
            }
        }
    }
    # the array is passed as one DOMAIN\name:R argument per entry;
    # Replace overwrites the link's existing ACEs instead of adding to them
    If ($AccessGrant.Count -gt 0) {
        dfsutil property acl grant "$DfsTargetPath" $AccessGrant Protect Replace
    }
    If ($AccessDeny.Count -gt 0) {
        dfsutil property acl deny "$DfsTargetPath" $AccessDeny
    }
}

You obviously can automate this to run frequently by creating a scheduled task on one of your servers.

Note that you will need to have at least the "read permissions" right on the link target and the management delegation on the Dfs root for successful execution.

the-wabbit
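The same two steps done with the DFSN PowerShell module (Windows Server 2012 and later, or RSAT) instead of dfsutil, as an added example that is not the answer's own script. The script name is made up; it assumes the module is installed and management delegation on the namespace, and it goes a little further than the script above: it reads the ACL from the real target path, only counts Allow ACEs that actually include ReadData, skips principals that carry a Deny ACE, and revokes link grants that no longer exist on the target.

```powershell
# Dfs-SyncLinkAbeFromTargets.ps1 (hypothetical name; added example, not the answer's script)
# Assumes the DFSN module (Windows Server 2012+ / RSAT) and management delegation on the root.
# Call: .\Dfs-SyncLinkAbeFromTargets.ps1 -DfsRootPath \\<Domain>\<DfsRoot>
Param (
    [Parameter(Mandatory=$true)]
    [string]$DfsRootPath
)

Import-Module DFSN -ErrorAction Stop

# 1. switch ABE on for the root (same effect as "dfsutil property abde enable")
Set-DfsnRoot -Path $DfsRootPath -EnableAccessBasedEnumeration $true | Out-Null

# 2. for every link, compute who may read its first target and make the link's ABE ACL match
Get-DfsnFolder -Path "$DfsRootPath\*" | ForEach-Object {
    $link   = $_.Path
    $target = (Get-DfsnFolderTarget -Path $link | Select-Object -First 1).TargetPath
    if (-not $target) { return }    # link without a target: leave it alone

    # drop orphaned SIDs (entries that do not resolve to DOMAIN\name)
    $aces = (Get-Acl -Path $target).Access |
        Where-Object { $_.IdentityReference.Value -notlike 'S-1-*' }

    # anyone with an explicit Deny on the target must not be granted the link
    $denied = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value })

    # an Allow ACE only counts if it includes the ReadData right
    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $readers = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readBit) -ne 0) -and
        ($denied -notcontains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # current ABE grants on the link, then revoke the stale ones and add the missing ones
    $current = @(Get-DfsnAccess -Path $link | ForEach-Object { $_.AccountName })
    foreach ($acct in $current) {
        if ($readers -notcontains $acct) { Revoke-DfsnAccess -Path $link -AccountName $acct | Out-Null }
    }
    foreach ($acct in $readers) {
        if ($current -notcontains $acct) { Grant-DfsnAccess -Path $link -AccountName $acct | Out-Null }
    }
    "{0}: {1} reader(s) synced from {2}" -f $link, $readers.Count, $target
}
```

Only the first folder target of each link is consulted; if you keep targets with differing ACLs, pick the one you consider authoritative before relying on the result.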