
First off, I am obviously no expert in DFS nor NTFS permissions. I have been looking for an answer to my problem high and low but did not come across something relevant. With that out of the way:

I'm trying to restrict access to shared folders with AD groups and NTFS permissions. Share settings are Full Control for Everyone. DFS-N is used in standalone config.

We noticed that when moving files/folders to another folder with different permissions, the NTFS permissions did not get updated but remain the same as the source folder. This only happens when moving AND when the particular user is not the Owner of the file/folder.

Shares are exported through one DFS folder which on the file server contains all department folders. So when moving between one department folder and another within the same DFS namespace this issue occurs.

When mapping the folders individually as DFS share folders, permissions get updated correctly. When mapping each folder directly on \\servername\sharename, permissions get updated correctly.

Is this normal behaviour that within one DFS namespace folder permissions retain their original value? When viewing Properties of the file/folder after the move, the advanced settings show inherited from parent object instead of the actual new folder name.

Should I export every share with individual permissions as distinct DFS folder?

How can I create i.e. a folder structure as follows:

Projects
---- Marketing and Accounting Projects (Inheritance disabled)
---- Accounting and Sales Projects (Inheritance disabled)

And export the Projects folder while correctly updating the NTFS permissions when moving between both subfolders of the Projects folder?

I hope this somehow makes sense to someone. Any help greatly appreciated.

1 Answer

> We noticed that when moving files/folders to another folder with different permissions, the NTFS permissions did not get updated but remain the same as the source folder.

That is the expected behavior. When moving files on the same volume, the files retain their original NTFS permissions.

joeqwerty
  • Thanks for your confirmation, I was afraid this might be the case. But why then does it change permissions when the user owns the file? This seems contradictory to me ... – maspiter Feb 27 '18 at 08:20
  • And by "Volume" you mean the DFS namespace folder, right? – maspiter Feb 27 '18 at 12:08
  • No. By "Volume" I mean Windows Volume (partition). The permissions have nothing to do with DFS. When you move files within the same Windows Volume that is formatted with the NTFS file system the files retain their source permissions. – joeqwerty Feb 27 '18 at 15:14
  • So when mapping the shared folders by name (not DFS) they are treated as individual volumes. But exporting those same shares through one DFS namespace folder (for all shares) also acts like a volume. Right? – maspiter Mar 02 '18 at 11:12
  • This has nothing to do with DFS or with the fact that the folders are shared. This is about how NTFS treats permissions when moving or copying files on the same Windows volume (partition) or moving them to a different Windows volume (partition). – joeqwerty Mar 02 '18 at 13:57
  • Ok, then why is it that moving from/to the same locations (on the same NTFS volume) but accessed through a different DFS folder DOES adjust the rights properly? So folders X and Y accessed via \\mydfs\shared does not work properly but the same folders accessed via \\mydfs\X and \\mydfs\Y does work. Appreciate your answers, just trying to understand the observed behaviour. – maspiter Mar 09 '18 at 13:04
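
The same-volume behaviour described in the answer can be reproduced and then repaired on a scratch folder. This is an added example, not code from the question or the answer; it assumes `$env:TEMP` sits on a local NTFS volume, `DeptA`/`DeptB` are hypothetical folder names, and two well-known SIDs are constructed stand-ins for the department AD groups.

```powershell
# Added example: scratch folders on one NTFS volume stand in for two department folders.
$root  = Join-Path $env:TEMP ('acl-move-demo-' + [guid]::NewGuid().ToString('N'))
$deptA = (New-Item -ItemType Directory -Path (Join-Path $root 'DeptA')).FullName
$deptB = (New-Item -ItemType Directory -Path (Join-Path $root 'DeptB')).FullName

# Constructed stand-ins for the department groups (well-known SIDs, locale independent).
$sidA = 'S-1-5-32-545'   # BUILTIN\Users
$sidB = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users

# Disable inheritance on each folder (keeping copies of the current ACEs) and
# grant that folder's group Modify, inheritable by files and subfolders.
icacls $deptA /inheritance:d /grant "*${sidA}:(OI)(CI)M" | Out-Null
icacls $deptB /inheritance:d /grant "*${sidB}:(OI)(CI)M" | Out-Null

function Get-InheritedSids([string]$Path) {
    # SIDs of the ACEs the item currently carries as "inherited".
    (Get-Acl -LiteralPath $Path).GetAccessRules(
        $false, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Format-State([string]$Label, $Sids) {
    '{0}: DeptA group present = {1}, DeptB group present = {2}' -f `
        $Label, ($Sids -contains $sidA), ($Sids -contains $sidB)
}

# Create a file in DeptA, then move it to DeptB. On one volume this is a rename,
# so the file's security descriptor is not rewritten.
$file = Join-Path $deptA 'report.txt'
Set-Content -LiteralPath $file -Value 'constructed sample'
Move-Item -LiteralPath $file -Destination $deptB
$moved = Join-Path $deptB 'report.txt'
Format-State 'After move ' (Get-InheritedSids $moved)

# Replace the stale ACL with the ACEs inherited from the new parent.
# Add /T when the moved item is a folder, to recurse into its contents.
icacls $moved /reset | Out-Null
Format-State 'After reset' (Get-InheritedSids $moved)

Remove-Item -LiteralPath $root -Recurse -Force
```

The "After move" line reports the ACEs the file kept from the source folder; the "After reset" line reports what the destination folder actually propagates.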