Using inherited permissions with Access-based Enumeration

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

By default, the permissions used for a DFS folder are inherited from the local file system of the namespace server. Those permissions come from the root directory of the system drive, which grants the DOMAIN\Users group Read permissions. As a result, even after you enable access-based enumeration, all folders in the namespace remain visible to all domain users.
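The following script is an added example, not code from the original page. It shows where a folder's visibility actually comes from: for each folder directly under the namespace root it reports the explicit DFS ACL if one exists, and otherwise the NTFS permissions of the local directory on the namespace server that the folder inherits from, which is where the Read grant for DOMAIN\Users (shown as BUILTIN\Users on a domain-joined server) appears. The namespace name \\contoso\Public is an assumption; the script must run as an administrator on a namespace server with the DFSN and SmbShare modules available.

```powershell
# Added example (not from the original page): audit why DFS folders stay visible after
# access-based enumeration is enabled. \\contoso\Public is an assumed namespace name.
# Run as an administrator on a namespace server; needs the DFSN and SmbShare modules.
param([string]$Namespace = '\\contoso\Public')

$root = Get-DfsnRoot -Path $Namespace
$abe  = [bool]($root.Flags -match 'Enumeration')   # Flags lists 'AccessBased Enumeration' when ABE is on
Write-Host "Namespace $($root.Path): access-based enumeration enabled = $abe"

# Map this server's root target (\\server\share) to the local directory behind the share.
$me = $env:COMPUTERNAME
$target = Get-DfsnRootTarget -Path $Namespace |
    Where-Object { $_.TargetPath -like "\\$me\*" -or $_.TargetPath -like "\\$me.*\*" } |
    Select-Object -First 1
if (-not $target) { throw "No root target of $Namespace is hosted on $me; run this on a namespace server." }
$shareName = ($target.TargetPath -split '\\')[-1]
$rootLocal = (Get-SmbShare -Name $shareName).Path
Write-Host "Root target $($target.TargetPath) is backed by $rootLocal"

function Show-ReadGrants([string]$Dir) {
    # Allow ACEs that confer read or list rights; inherited ones usually trace back to the system drive root.
    foreach ($ace in (Get-Acl -Path $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.FileSystemRights -notmatch 'Read|ListDirectory|FullControl') { continue }
        $src = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        Write-Host ("    {0,-40} {1,-35} {2}" -f $ace.IdentityReference, $ace.FileSystemRights, $src)
    }
}

Write-Host "`nNTFS permissions on the root directory (what folders without an explicit DFS ACL inherit):"
Show-ReadGrants $rootLocal

foreach ($folder in Get-DfsnFolder -Path "$Namespace\*") {
    Write-Host "`n$($folder.Path)"
    $explicit = Get-DfsnAccess -Path $folder.Path
    if ($explicit) {
        Write-Host "  explicit DFS ACL (stored in namespace metadata, replicated to all namespace servers):"
        foreach ($e in $explicit) { Write-Host ("    {0,-40} {1}" -f $e.AccountName, $e.AccessType) }
    } else {
        $rel      = $folder.Path.Substring($Namespace.Length).TrimStart('\')
        $localDir = Join-Path $rootLocal $rel
        Write-Host "  no explicit DFS ACL; visibility follows NTFS on $localDir (this server only):"
        Show-ReadGrants $localDir
    }
}
```

If every folder reports "no explicit DFS ACL" and the root directory shows an inherited Read grant for BUILTIN\Users, enabling access-based enumeration changes nothing: each folder is still listable by every domain user. The NTFS section of the report is specific to the server the script runs on, which is the replication caveat described in the next section.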

Advantages and limitations of inherited permissions

There are two primary benefits to using inherited permissions to control which users can view folders in a DFS namespace:

  • You can quickly apply inherited permissions to many folders without having to use scripts.
  • You can apply inherited permissions to namespace roots and to folders without targets.

Despite these benefits, inherited permissions in DFS Namespaces have several limitations that make them inappropriate for most environments:

  • Modifications to inherited permissions are not replicated to other namespace servers. Therefore, use inherited permissions only on stand-alone namespaces, or in environments where you can implement a third-party replication system that keeps the Access Control Lists (ACLs) on all namespace servers synchronized.
  • DFS Management and Dfsutil cannot view or modify inherited permissions. Therefore, you must use Windows Explorer or the Icacls command in addition to DFS Management or Dfsutil to manage the namespace.
  • When using inherited permissions, you cannot modify the permissions of a folder with targets except by using the Dfsutil command. DFS Namespaces automatically removes permissions that were set on folders with targets by other tools or methods.
  • If you set permissions on a folder with targets while you are using inherited permissions, the ACL that you set on the folder with targets is combined with the permissions inherited from the folder's parent in the file system. You must examine both sets of permissions to determine what the net permissions are.

Note

When using inherited permissions, it is simplest to set permissions on namespace roots and on folders without targets. Then use inherited permissions on folders with targets so that they inherit all permissions from their parents.

Using inherited permissions

To limit which users can view a DFS folder, you must perform one of the following tasks:

  • Set explicit permissions for the folder, disabling inheritance. To set explicit permissions on a folder with targets (a link) by using DFS Management or the Dfsutil command, see Enable Access-Based Enumeration on a Namespace.
  • Modify the inherited permissions on the parent in the local file system. To modify the permissions that a folder with targets inherits, first switch the folder from explicit permissions to inherited permissions if you have already set explicit permissions on it, as described in the following procedure. Then use Windows Explorer or the Icacls command to modify the permissions of the folder from which the folder with targets inherits its permissions.

Note

Access-based enumeration does not prevent users from obtaining a referral to a folder target if they already know the DFS path of the folder with targets. Permissions set by using Windows Explorer or the Icacls command on namespace roots or on folders without targets control whether users can see the DFS folder or namespace root when they browse. They do not prevent users from directly accessing a folder with targets. Only the share permissions or the NTFS file system permissions of the shared folder itself can prevent users from accessing folder targets.
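Because hiding a link does not protect the data behind it, the real control is on the folder targets. The following script is an added example, not part of the original page: for each target of a DFS folder it lists the share permissions and the NTFS ACL on the target server and warns when a broad group is allowed at both levels, which is the case where access-based enumeration only hides the link and nothing stops a user who knows the path. The folder \\contoso\Public\Finance is an assumed name; the script needs the DFSN and SmbShare modules, administrative rights on the target servers, and CIM (WinRM) access to them.

```powershell
# Added example (not from the original page): check what actually guards each folder target.
# \\contoso\Public\Finance is an assumed DFS folder. Run as a domain administrator with CIM
# access to the target servers; needs the DFSN and SmbShare modules.
param([string]$DfsFolder = '\\contoso\Public\Finance')

# Principals that make a target readable by (nearly) every domain user.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\Domain Users")

foreach ($t in Get-DfsnFolderTarget -Path $DfsFolder) {
    $parts  = $t.TargetPath -split '\\' | Where-Object { $_ }   # \\server\share -> server, share
    $server = $parts[0]
    $share  = $parts[1]
    Write-Host "`nTarget $($t.TargetPath) (state: $($t.State))"

    # Share-level ACL, queried on the target server over CIM.
    $shareAcl = Get-SmbShareAccess -CimSession $server -Name $share
    foreach ($a in $shareAcl) {
        Write-Host ("  share  {0,-6} {1,-40} {2}" -f $a.AccessControlType, $a.AccountName, $a.AccessRight)
    }

    # NTFS ACL on the shared directory, read over the UNC path.
    $ntfsAcl = (Get-Acl -Path $t.TargetPath).Access
    foreach ($a in $ntfsAcl) {
        Write-Host ("  ntfs   {0,-6} {1,-40} {2}" -f $a.AccessControlType, $a.IdentityReference, $a.FileSystemRights)
    }

    # Effective access is the more restrictive of share and NTFS, so a target is wide open only
    # when a broad principal is allowed at BOTH levels.
    $openShare = $shareAcl | Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName }
    $openNtfs  = $ntfsAcl  | Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value }
    if ($openShare -and $openNtfs) {
        Write-Warning "$($t.TargetPath): a broad group is allowed at share and NTFS level; ABE on the namespace only hides the link"
    } elseif ($openShare) {
        Write-Host "  share is broad, NTFS restricts access (acceptable; NTFS is the effective control)"
    } else {
        Write-Host "  share permissions restrict access"
    }
}
```

The warning case is the one to fix on the target server (tighten the share or NTFS ACL), not in DFS Management, since no namespace setting changes what the file server enforces.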

To switch from explicit permissions to inherited permissions

  1. In the console tree, under the Namespaces node, locate the folder with targets whose visibility you want to control, right-click the folder, and then click Properties.

  2. Click the Advanced tab.

  3. Click Use inherited permissions from the local file system, and then click OK in the Confirm Use of Inherited Permissions dialog box. Doing this removes all explicitly set permissions on this folder and restores the inherited NTFS permissions from the local file system of the namespace server.

  4. To change the inherited permissions for folders or namespace roots in a DFS namespace, use Windows Explorer or the Icacls command.

See also
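The two tasks above (explicit permissions on the folder with targets, or inherited permissions modified on its parent) and the switch back to inherited permissions, scripted as an added example that is not part of the original page. The namespace \\contoso\Public, the folder without targets Dept, the folder with targets Finance under it and the group CONTOSO\Finance-Users are all assumed names. The Dfsutil syntax used to reset the explicit security descriptor is an assumption to be checked against `dfsutil property sd /?`; the DFSN cmdlets and Icacls switches are standard. Run it as an administrator on a namespace server with the DFSN and SmbShare modules.

```powershell
# Added example, not the page's own code. Restricts who can see \\contoso\Public\Dept\Finance
# either with an explicit DFS ACL (-Mode Explicit) or with NTFS inheritance from Dept
# (-Mode Inherited). All names are assumed. Run as an administrator on a namespace server.
param(
    [string]$Namespace = '\\contoso\Public',
    [string]$Parent    = 'Dept',               # folder without targets (a real directory under the root share)
    [string]$Folder    = 'Finance',            # folder with targets (a reparse point under $Parent)
    [string]$Group     = 'CONTOSO\Finance-Users',
    [ValidateSet('Explicit', 'Inherited')][string]$Mode = 'Explicit'
)
$dfsPath = "$Namespace\$Parent\$Folder"

if ($Mode -eq 'Explicit') {
    # Task 1: explicit DFS ACL on the folder with targets. It lives in the namespace metadata,
    # so it replicates to every namespace server. Permissions written on this folder with
    # Icacls or Explorer would be discarded by DFS Namespaces, so only these cmdlets are used.
    foreach ($old in Get-DfsnAccess -Path $dfsPath) {
        Revoke-DfsnAccess -Path $old.Path -AccountName $old.AccountName | Out-Null
    }
    Grant-DfsnAccess -Path $dfsPath -AccountName $Group | Out-Null
    Get-DfsnAccess -Path $dfsPath        # should now list only $Group with Enumerate access
    return
}

# Task 2, step 1: drop the explicit DFS ACL so the folder inherits again. This is the GUI's
# "Use inherited permissions from the local file system"; the Dfsutil form is ASSUMED to be
# `dfsutil property sd reset <DFSPath>` (verify with `dfsutil property sd /?`).
& dfsutil property sd reset $dfsPath

# Task 2, step 2: change NTFS on the PARENT directory (folder without targets) inside this
# server's root share; the folder with targets under it inherits from it. Repeat this on
# every namespace server, because DFS does not replicate these NTFS ACLs.
$rootTarget = Get-DfsnRootTarget -Path $Namespace |
    Where-Object { $_.TargetPath -like "\\$env:COMPUTERNAME\*" -or $_.TargetPath -like "\\$env:COMPUTERNAME.*\*" } |
    Select-Object -First 1
if (-not $rootTarget) { throw "No root target of $Namespace is hosted on $env:COMPUTERNAME." }
$shareName = ($rootTarget.TargetPath -split '\\')[-1]
$parentDir = Join-Path (Get-SmbShare -Name $shareName).Path $Parent

icacls $parentDir /inheritance:d              # convert inherited ACEs to explicit copies, stop further inheritance
icacls $parentDir /remove:g "BUILTIN\Users"   # the Read grant from the system drive root (contains Domain Users)
icacls $parentDir /grant "${Group}:(OI)(CI)RX" # only this group may list $Parent and the links beneath it
icacls $parentDir                             # show the result; Administrators and SYSTEM ACEs are retained
```

After `-Mode Inherited`, `Get-DfsnAccess` on the folder returns nothing, which is expected: DFS Management reports inherited permissions only as "inherited", and the Icacls output on the parent directory is the place to confirm the net result. Either mode hides the link from users outside the group; neither changes who can open \\contoso\Public\Dept\Finance by typing the path, which remains governed by the share and NTFS permissions on the folder targets.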