Enable access-based enumeration on a namespace

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

Access-based enumeration hides files and folders that users do not have permissions to access. By default, this feature is not enabled for DFS namespaces. You can enable access-based enumeration of DFS folders by using DFS Management. To control access-based enumeration of files and folders in folder targets, you must enable access-based enumeration on each shared folder by using Share and Storage Management.

To enable access-based enumeration on a namespace, all namespace servers must be running Windows Server 2008 or newer. Additionally, domain-based namespaces must use the Windows Server 2008 mode. For information about the requirements of the Windows Server 2008 mode, see Choose a Namespace Type.

In some environments, enabling access-based enumeration can cause high CPU utilization on the server and slow response times for users.

Note

If you upgrade the domain functional level to Windows Server 2008 while there are existing domain-based namespaces, DFS Management will allow you to enable access-based enumeration on these namespaces. However, you will not be able to edit permissions to hide folders from any groups or users unless you migrate the namespaces to the Windows Server 2008 mode. For more information, see Migrate a Domain-based Namespace to Windows Server 2008 Mode.

To use access-based enumeration with DFS Namespaces, you must follow these steps:

  • Enable access-based enumeration on a namespace
  • Control which users and groups can view individual DFS folders

Warning

Access-based enumeration does not prevent users from getting a referral to a folder target if they already know the DFS path. Only the share permissions or the NTFS file system permissions of the folder target (shared folder) itself can prevent users from accessing a folder target. DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access, making Read access the only relevant permission at the DFS folder level. For more information, see Using Inherited Permissions with Access-Based Enumeration.
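Because DFS folder permissions only control visibility, it is worth reviewing them side by side with what the folder targets themselves allow. The following is an added example, not part of the original article: it lists, for each DFS folder, the accounts with explicit view permissions next to the enumeration mode and share permissions of every folder target. The function name and the namespace path are assumptions, and NTFS permissions still have to be reviewed on the target itself.

```powershell
# Added example (not from the original page). The function name and the sample
# namespace path are assumptions. Target servers must be Windows SMB servers
# reachable over CIM for the share queries to succeed.
Import-Module DFSN

function Get-DfsTargetExposure {
    param([Parameter(Mandatory)][string]$NamespaceRoot)

    foreach ($folder in Get-DfsnFolder -Path "$NamespaceRoot\*") {
        # Accounts with explicit view permissions on the DFS folder (visibility only).
        $viewers = @(Get-DfsnAccess -Path $folder.Path -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty AccountName)

        foreach ($target in Get-DfsnFolderTarget -Path $folder.Path) {
            # TargetPath has the form \\server\share[\subfolder]
            $server, $share = $target.TargetPath.TrimStart('\').Split('\')[0, 1]
            $abe = 'not queried'
            $shareAcl = @()
            try {
                $smb = Get-SmbShare -CimSession $server -Name $share -ErrorAction Stop
                $abe = $smb.FolderEnumerationMode   # AccessBased or Unrestricted
                $shareAcl = Get-SmbShareAccess -CimSession $server -Name $share -ErrorAction Stop |
                    ForEach-Object { "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)" }
            } catch {
                Write-Warning "Could not query $($target.TargetPath): $($_.Exception.Message)"
            }

            # One row per folder target: who can see the DFS folder versus
            # who the share itself lets in.
            [pscustomobject]@{
                DfsFolder        = $folder.Path
                DfsViewers       = $viewers -join '; '
                Target           = $target.TargetPath
                ShareAbeMode     = $abe
                SharePermissions = $shareAcl -join '; '
            }
        }
    }
}

Get-DfsTargetExposure -NamespaceRoot '\\contoso.office\public' | Format-List
```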


You can enable access-based enumeration on a namespace either by using the Windows interface or by using a command line.

To enable access-based enumeration by using the Windows interface

  1. In the console tree, under the Namespaces node, right-click the appropriate namespace and then click Properties.

  2. Click the Advanced tab and then select the Enable access-based enumeration for this namespace check box.

To enable access-based enumeration by using a command line

  1. Open a command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.

  2. Type the following command, where <namespace_root> is the root of the namespace:

    dfsutil property abe enable \\<namespace_root>
    

Tip

To manage access-based enumeration on a namespace by using Windows PowerShell, use the Set-DfsnRoot, Grant-DfsnAccess, and Revoke-DfsnAccess cmdlets. The DFSN Windows PowerShell module was introduced in Windows Server 2012.

You can control which users and groups can view individual DFS folders either by using the Windows interface or by using a command line.

To control folder visibility by using the Windows interface

  1. In the console tree, under the Namespaces node, locate the folder with targets for which you want to control visibility, right-click it and then click Properties.

  2. Click the Advanced tab.

  3. Click Set explicit view permissions on the DFS folder and then Configure view permissions.

  4. Add or remove groups or users by clicking Add or Remove.

  5. To allow users to see the DFS folder, select the group or user, and then select the Allow check box.

    To hide the folder from a group or user, select the group or user, and then select the Deny check box.

To control folder visibility by using a command line

  1. Open a Command Prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.

  2. Type the following command, where <DFSPath> is the path of the DFS folder (link), <DOMAIN\Account> is the name of the group or user account, and (...) is replaced with additional Access Control Entries (ACEs):

    dfsutil property sd grant <DFSPath> DOMAIN\Account:R (...) Protect Replace
    

    For example, to replace existing permissions with permissions that allow the Domain Admins and CONTOSO\Trainers groups Read (R) access to the \\contoso.office\public\training folder, type the following command:

    dfsutil property sd grant \\contoso.office\public\training "CONTOSO\Domain Admins":R CONTOSO\Trainers:R Protect Replace
    
  3. To perform additional tasks from the command prompt, use the following commands:

    Command                       Description
    Dfsutil property sd deny      Denies a group or user the ability to view the folder.
    Dfsutil property sd reset     Removes all permissions from the folder.
    Dfsutil property sd revoke    Removes a group or user ACE from the folder.
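
The same two steps (enable access-based enumeration on the root, then set who can see a folder) can be scripted with the DFSN cmdlets named in the tip above. This is an added example, not code from the original article: the function name Set-DfsFolderViewers is an assumption, the paths and groups are the ones from the page's dfsutil example, and it passes one account per call and reconciles the folder's explicit entries against the desired list.

```powershell
# Added example (not from the original page). Set-DfsFolderViewers is a
# hypothetical helper; paths and groups come from the page's dfsutil example.
Import-Module DFSN

function Set-DfsFolderViewers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $NamespaceRoot,
        [Parameter(Mandatory)][string]   $FolderPath,
        [Parameter(Mandatory)][string[]] $Viewers
    )

    # View permissions only hide folders once ABE is enabled on the namespace root.
    if ($PSCmdlet.ShouldProcess($NamespaceRoot, 'Enable access-based enumeration')) {
        Set-DfsnRoot -Path $NamespaceRoot -EnableAccessBasedEnumeration $true | Out-Null
    }

    # Accounts that currently hold an explicit entry on the DFS folder.
    # Assumption: AccountName is returned in DOMAIN\Name form, as it is passed in.
    $current = @(Get-DfsnAccess -Path $FolderPath -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty AccountName)

    # Remove entries for accounts that are not in the desired list.
    foreach ($account in $current | Where-Object { $_ -notin $Viewers }) {
        if ($PSCmdlet.ShouldProcess($FolderPath, "Revoke view access for $account")) {
            Revoke-DfsnAccess -Path $FolderPath -AccountName $account | Out-Null
        }
    }

    # Add entries for desired accounts that are missing.
    foreach ($account in $Viewers | Where-Object { $_ -notin $current }) {
        if ($PSCmdlet.ShouldProcess($FolderPath, "Grant view access to $account")) {
            Grant-DfsnAccess -Path $FolderPath -AccountName $account | Out-Null
        }
    }

    # Return the resulting view permissions for review.
    Get-DfsnAccess -Path $FolderPath
}

# -WhatIf prints the planned changes without applying them.
Set-DfsFolderViewers -NamespaceRoot '\\contoso.office\public' `
    -FolderPath '\\contoso.office\public\training' `
    -Viewers 'CONTOSO\Domain Admins', 'CONTOSO\Trainers' -WhatIf
```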
