Using inherited permissions with Access-based Enumeration

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

By default, the permissions used for a DFS folder are inherited from the local file system of the namespace server. The permissions are inherited from the root directory of the system drive and grant the DOMAIN\Users group Read permissions. As a result, even after enabling access-based enumeration, all folders in the namespace remain visible to all domain users.

Advantages and limitations of inherited permissions

There are two primary benefits to using inherited permissions to control which users can view folders in a DFS namespace:

  • You can quickly apply inherited permissions to many folders without having to use scripts.
  • You can apply inherited permissions to namespace roots and folders without targets.

Despite the benefits, inherited permissions in DFS Namespaces have many limitations that make them inappropriate for most environments:

  • Modifications to inherited permissions are not replicated to other namespace servers. Therefore, use inherited permissions only on stand-alone namespaces or in environments where you can implement a third-party replication system to keep the Access Control Lists (ACLs) on all namespace servers synchronized.
  • DFS Management and Dfsutil cannot view or modify inherited permissions. Therefore, you must use Windows Explorer or the Icacls command in addition to DFS Management or Dfsutil to manage the namespace.
  • When using inherited permissions, you cannot modify the permissions of a folder with targets except by using the Dfsutil command. DFS Namespaces automatically removes permissions that were set on folders with targets using other tools or methods.
  • If you set permissions on a folder with targets while you are using inherited permissions, the ACL that you set on the folder with targets combines with the permissions inherited from the folder's parent in the file system. You must examine both sets of permissions to determine what the net permissions are.

Note

When using inherited permissions, it is simplest to set permissions on namespace roots and folders without targets. Then use inherited permissions on folders with targets so that they inherit all permissions from their parents.

Using inherited permissions

To limit which users can view a DFS folder, you must perform one of the following tasks:

  • Set explicit permissions for the folder, disabling inheritance. To set explicit permissions on a folder with targets (a link) using DFS Management or the Dfsutil command, see Enable Access-Based Enumeration on a Namespace.
  • Modify inherited permissions on the parent in the local file system. To modify the permissions inherited by a folder with targets, first switch the folder from explicit permissions to inherited permissions if you have already set explicit permissions on it, as described in the following procedure. Then use Windows Explorer or the Icacls command to modify the permissions of the folder from which the folder with targets inherits its permissions.

Note

Access-based enumeration does not prevent users from obtaining a referral to a folder target if they already know the DFS path of the folder with targets. Permissions set using Windows Explorer or the Icacls command on namespace roots or folders without targets control whether users can access the DFS folder or namespace root. However, they do not prevent users from directly accessing a folder with targets. Only the share permissions or the NTFS file system permissions of the shared folder itself can prevent users from accessing folder targets.
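Because the net result depends on three separate permission layers (the DFS namespace ACL, the NTFS ACL of the folder inside the local namespace root, and the share plus NTFS permissions of each folder target), the following PowerShell script dumps all three for one folder with targets so that both sets of permissions described above can be examined side by side. This is an added example, not code from the Microsoft documentation; the namespace \\contoso.com\Public, the folder \\contoso.com\Public\Finance and the local root C:\DFSRoots\Public are assumed values, and it uses the DFSN and SmbShare modules, which exist on a namespace server with the File Services tools installed.

```powershell
# Added example (not part of the documentation): show every permission layer
# that decides whether a user can see, and then reach, a DFS folder with targets.
# Assumed values: run on a namespace server whose local namespace root is
# C:\DFSRoots\Public, for the folder \\contoso.com\Public\Finance.
param(
    [string]$DfsFolder = '\\contoso.com\Public\Finance',  # assumed DFS path
    [string]$LocalRoot = 'C:\DFSRoots\Public'             # assumed local root on this server
)

# Layer 1: the DFS namespace ACL. This is what DFS Management and Dfsutil see,
# and explicit entries here are what access-based enumeration hides folders by.
Write-Host "== DFS namespace ACL on $DfsFolder =="
Get-DfsnAccess -Path $DfsFolder | Format-Table AccountName, AccessType -AutoSize

# Layer 2: the NTFS ACL of the matching folder under the local namespace root.
# With inherited permissions enabled this is what DFS evaluates. IsInherited
# separates entries that flow down from the parent (by default DOMAIN\Users:Read
# from the system-drive root) from entries set explicitly on this folder.
$relative  = $DfsFolder -replace '^\\\\[^\\]+\\[^\\]+\\?', ''   # strip \\domain\namespace\
$localPath = Join-Path $LocalRoot $relative
Write-Host "== NTFS ACL on $localPath (inherited and explicit entries) =="
(Get-Acl -Path $localPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize

# Layer 3: share and NTFS permissions on each folder target. Only these stop a
# user who already knows the DFS path from opening the target directly.
foreach ($t in Get-DfsnFolderTarget -Path $DfsFolder) {
    $uri    = [uri]$t.TargetPath                 # \\server\share[\subfolder]
    $server = $uri.Host
    $share  = $uri.Segments[1].TrimEnd('/')
    Write-Host "== Target $($t.TargetPath) (state: $($t.State)) =="
    Get-SmbShareAccess -CimSession $server -Name $share |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
    (Get-Acl -Path $t.TargetPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Run it in an elevated session on the namespace server; the Get-SmbShareAccess call queries each target server over WinRM, so the account used needs administrative rights there as well. A folder that is hidden by layers 1 and 2 but still readable in layer 3 is exactly the case the note above warns about.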

To switch from explicit permissions to inherited permissions

  1. In the console tree, under the Namespaces node, locate the folder with targets whose visibility you want to control, right-click the folder, and then click Properties.

  2. Click the Advanced tab.

  3. Click Use inherited permissions from the local file system, and then click OK in the Confirm Use of Inherited Permissions dialog box. Doing this removes all explicitly set permissions on this folder and restores the inherited NTFS permissions from the local file system of the namespace server.

  4. To change the inherited permissions for folders or namespace roots in a DFS namespace, use Windows Explorer or the Icacls command.

Additional References
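Step 4 carried out with Icacls, as an added example that is not part of the Microsoft documentation: after the folder with targets has been switched to inherited permissions in DFS Management, the permissions are changed on the folder it inherits from. The layout assumed here follows the earlier note (set permissions on a folder without targets and let the folder with targets inherit): local namespace root C:\DFSRoots\Public, a folder without targets named Departments, a folder with targets Departments\Finance, and a group CONTOSO\Finance-Users that should be the only non-administrative group able to see the Finance folder. All of these names are assumptions.

```powershell
# Added example (not from the documentation): modify the permissions that a
# folder with targets inherits, using Icacls on the namespace server.
# Assumed paths and group; run elevated on the namespace server.
$parent = 'C:\DFSRoots\Public\Departments'           # folder without targets (assumed)
$child  = 'C:\DFSRoots\Public\Departments\Finance'   # folder with targets, now inheriting (assumed)
$group  = 'CONTOSO\Finance-Users'                    # assumed group that may see Finance
$backup = Join-Path $env:TEMP 'departments-acl.txt'

# 1. Save the current DACLs of the subtree so the change can be reverted with
#    icacls C:\DFSRoots\Public /restore <file>.
icacls $parent /save $backup /T

# 2. Put explicit entries on the parent *before* cutting inheritance, so that
#    SYSTEM and Administrators never lose access. (OI)(CI) makes each entry
#    propagate to the Finance folder and everything below it.
icacls $parent /grant "NT AUTHORITY\SYSTEM:(OI)(CI)F"
icacls $parent /grant "BUILTIN\Administrators:(OI)(CI)F"
icacls $parent /grant "${group}:(OI)(CI)R"

# 3. Stop inheriting from C:\ (and therefore drop the DOMAIN\Users:Read entry
#    that made every folder visible). Only the entries granted above remain.
icacls $parent /inheritance:r

# 4. Verify on the folder with targets: every ACE should now be inherited
#    (IsInherited = True) from Departments, and DOMAIN\Users should be gone.
$acl = (Get-Acl -Path $child).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
$acl | Format-Table -AutoSize
if ($acl | Where-Object { -not $_.IsInherited }) {
    Write-Warning "Explicit entries found on $child; DFS will combine them with the inherited ones."
}
if ($acl | Where-Object { $_.IdentityReference -like '*\Users' }) {
    Write-Warning "A Users group still has access to $child; check the parent ACL."
}
```

Because inherited permissions are not replicated between namespace servers, the same commands must be run on every other server that hosts this namespace, or the saved ACL file applied there with `icacls <root> /restore`, otherwise users will see different folder lists depending on which server answers their referral.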