Enable access-based enumeration on a namespace

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

Access-based enumeration hides files and folders that users do not have permissions to access. By default, this feature is not enabled for DFS namespaces. You can enable access-based enumeration of DFS folders by using DFS Management. To control access-based enumeration of files and folders in folder targets, you must enable access-based enumeration on each shared folder by using Share and Storage Management.

To enable access-based enumeration on a namespace, all namespace servers must be running Windows Server 2008 or newer. Additionally, domain-based namespaces must use the Windows Server 2008 mode. For information about the requirements of the Windows Server 2008 mode, see Choose a Namespace Type.

In some environments, enabling access-based enumeration can cause high CPU utilization on the server and slow response times for users.

Note

If you upgrade the domain functional level to Windows Server 2008 while there are existing domain-based namespaces, DFS Management will allow you to enable access-based enumeration on these namespaces. However, you will not be able to edit permissions to hide folders from any groups or users unless you migrate the namespaces to the Windows Server 2008 mode. For more information, see Migrate a Domain-based Namespace to Windows Server 2008 Mode.

To use access-based enumeration with DFS Namespaces, you must follow these steps:

  • Enable access-based enumeration on a namespace
  • Control which users and groups can view individual DFS folders

Warning

Access-based enumeration does not prevent users from getting a referral to a folder target if they already know the DFS path. Only the share permissions or the NTFS file system permissions of the folder target (shared folder) itself can prevent users from accessing a folder target. DFS folder permissions are used only for displaying or hiding DFS folders, not for controlling access, making Read access the only relevant permission at the DFS folder level. For more information, see Using Inherited Permissions with Access-Based Enumeration.


You can enable access-based enumeration on a namespace either by using the Windows interface or by using a command line.

To enable access-based enumeration by using the Windows interface

  1. In the console tree, under the Namespaces node, right-click the appropriate namespace and then click Properties.

  2. Click the Advanced tab and then select the Enable access-based enumeration for this namespace check box.

To enable access-based enumeration by using a command line

  1. Open a command prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.

  2. Type the following command, where <namespace_root> is the root of the namespace:

    dfsutil property abe enable \\<namespace_root>
    

Tip

To manage access-based enumeration on a namespace by using Windows PowerShell, use the Set-DfsnRoot, Grant-DfsnAccess, and Revoke-DfsnAccess cmdlets. The DFSN Windows PowerShell module was introduced in Windows Server 2012.

You can control which users and groups can view individual DFS folders either by using the Windows interface or by using a command line.

To control folder visibility by using the Windows interface

  1. In the console tree, under the Namespaces node, locate the folder with targets for which you want to control visibility, right-click it and then click Properties.

  2. Click the Advanced tab.

  3. Click Set explicit view permissions on the DFS folder and then Configure view permissions.

  4. Add or remove groups or users by clicking Add or Remove.

  5. To allow users to see the DFS folder, select the group or user, and then select the Allow check box.

    To hide the folder from a group or user, select the group or user, and then select the Deny check box.

To control folder visibility by using a command line

  1. Open a Command Prompt window on a server that has the Distributed File System role service or Distributed File System Tools feature installed.

  2. Type the following command, where <DFSPath> is the path of the DFS folder (link), <DOMAIN\Account> is the name of the group or user account, and (...) is replaced with additional Access Control Entries (ACEs):

    dfsutil property sd grant <DFSPath> DOMAIN\Account:R (...) Protect Replace
    

    For example, to replace existing permissions with permissions that allow the Domain Admins and CONTOSO\Trainers groups Read (R) access to the \\contoso.office\public\training folder, type the following command:

    dfsutil property sd grant \\contoso.office\public\training "CONTOSO\Domain Admins":R CONTOSO\Trainers:R Protect Replace 
    
  3. To perform additional tasks from the command prompt, use the following commands:

    Command                       Description
    Dfsutil property sd deny      Denies a group or user the ability to view the folder.
    Dfsutil property sd reset     Removes all permissions from the folder.
    Dfsutil property sd revoke    Removes a group or user ACE from the folder.
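
Because DFS folder permissions only show or hide a folder, it is worth checking them against the NTFS permissions that actually control access on each folder target. The following read-only audit is an added example, not part of the original page or Microsoft's own code; it assumes the DFSN PowerShell module is installed, that the caller can read ACLs on the folder targets, and it reuses the page's \\contoso.office\public namespace as a sample value.

```powershell
# Added example. Read-only: it changes no DFS or NTFS permissions.
# Assumes the DFSN module (Windows Server 2012 or later) and rights to
# read the ACL of every folder target.
$root = '\\contoso.office\public'   # sample namespace root from the page

$report = foreach ($folder in Get-DfsnFolder -Path "$root\*") {
    # Explicit view permissions on the DFS folder (visibility only).
    $dfsAces = @(Get-DfsnAccess -Path $folder.Path)
    $dfsAccounts = @($dfsAces | ForEach-Object { $_.AccountName })

    foreach ($target in Get-DfsnFolderTarget -Path $folder.Path) {
        # NTFS ACL of the folder target: this is what really gates access.
        $fsPath = "Microsoft.PowerShell.Core\FileSystem::$($target.TargetPath)"
        $ntfsAllow = @((Get-Acl -LiteralPath $fsPath).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)

        # Accounts with an NTFS Allow ACE but no DFS view ACE at all.
        # Name-level comparison only: nested group membership and share
        # permissions are not resolved here.
        $unlisted = @($ntfsAllow | Where-Object { $dfsAccounts -notcontains $_ })

        [pscustomobject]@{
            DfsFolder         = $folder.Path
            Target            = $target.TargetPath
            DfsViewAces       = ($dfsAces |
                ForEach-Object { "$($_.AccountName):$($_.AccessType)" }) -join '; '
            NtfsAllow         = $ntfsAllow -join '; '
            NtfsAllowNoDfsAce = $unlisted -join '; '
        }
    }
}

$report | Format-List
```

A non-empty NtfsAllowNoDfsAce value marks a target that an account may still be able to open by path even if the DFS folder is hidden from it; tighten the share or NTFS permissions on the target in that case.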
