Friday, November 29, 2013

Mapping drives with Group Policy to a DFS Target that is using ABE

This blog post describes what we'll be migrating towards to fix several annoyances I have with our infrastructure. We have one giant clusterfuck of login scripts here. At a certain point someone thought it would be a great idea to give every AD user their own login script to map drives with, and nothing was standardized. We also have WAY too many file servers with user and department drives: a combination of clustered/standalone, physical/virtual, Windows 2003/2008/2008R2. We'll be moving away from all of them to groups of DFS namespaces. I've created two servers, DFS01 and DFS02, which will house the Depts DFS namespace on their E: drives. After all department drives have been moved over, we will also create a set for home drives, and for certain areas that need their own.

The Design:

Using a GPO applied to all of my users, I entered a drive mapping to the DFS namespace with item-level targeting. Many people need access to more than one department drive, so why use up drive letters needlessly? When these department drives are mapped I didn't want anyone to see a department they either weren't a member of or didn't manage. The department drive will be the T: mapped drive for everyone, company wide, and the departments you need to view show up based on which AD security groups you are a member of. Everything will be set up for growth, using best practices: no more adding user accounts directly to shares and NTFS permissions, no more file servers crashing and preventing logins for hours, no more 3TB clustered file server deciding it wants to chkdsk in the middle of the day. Should I go on? No? Fine then.....


  1. Install DFS - It's a Role Service under File Services. If you are unsure how to do this, google it, or wing it. It's not that bad.
  2. On the E: drive I created two folders, "DFS" and "Shares". I've shared "Shares" as Shares$, with Authenticated Users having Read NTFS permission.

File Share Creation:

  1. Navigate to your "Shares" folder and create the first folder that you plan on mapping DFS to. In this example I have created a BusAnalysts folder whose NTFS permissions grant only Admins and the DFS-BusAnalyst security group in AD read/change. I'll follow the same structure to create a CareMgmt folder, so that later on, once ABE has been finished, you can see that one shows up and the other doesn't.

Distributed File System and Access-Based Enumeration:

  1. Open up DFS Management
  2. Right-click on Namespaces and select "New Namespace"
  3. Enter the name of your DFS server; ours is DFS-SERVER01, blurred to DFS01 in later screenshots.
  4. Now enter your DFS namespace name; ours will be "Depts".
  5. Select Edit Settings. The local path of the shared folder needs to point to the DFS folder created in step 2 of the design section; the default points to the C: drive, which is not what you want. Under Customize, set the permissions the same way as before (Everyone removed, Authenticated Users = Read). Click "OK" > "OK" > "Next".
  6. Select the defaults on the next screen and then "Next".
  7. Verify all the information is correct and click "Create" then "Close".
  8. Next we have to enable ABE. Right-click on your namespace, go to Properties > Advanced, select "Enable access-based enumeration for this namespace" and click "OK".
  9. Now create a new DFS folder that will map to your shared sub-folder. The preview of the namespace should point to the path you specified in step 5, and the folder will show up as a shortcut in that folder when you view it on the server. The folder target should point to the folder under Shares$. Click "OK".
  10. This is the part that eluded me for a week or so. I just assumed ABE would pick up the NTFS permissions and do the right thing without any additional intervention.... WRONG!! ABE on the namespace filters on the DFS folder's own view permissions, not on the NTFS permissions of the folder target, so by default every folder is still visible to everyone. Soooo, right-click on your newly created DFS folder, go to Properties > Advanced, and select the "Set explicit view permissions on the DFS folder" radio button. Add the specific DFS group that should be able to see this DFS target, in this case DFS-BusAnalyst. I'll do the same thing for the CareMgmt folder and for every other DFS folder that is added.
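The same share, namespace, ABE and explicit view permission steps as a script, added here as an example and not part of the original post. It assumes Windows Server 2012 or later (the DFSN module does not exist on 2008 R2), that E:\DFS is already shared as DFS and E:\Shares as Shares$, and placeholder server, domain and group names taken from the post; the audit function at the end assumes Get-DfsnAccess returns nothing for a folder that still uses inherited view permissions.

```powershell
# Added example, not from the original post. Assumes Windows Server 2012 or later,
# where the DFSN module exists, and that E:\DFS is already shared as DFS and
# E:\Shares as Shares$ (post steps 2 and 5). Server, domain (DNS and NetBIOS) and
# group names are placeholders taken from the post; adjust for your environment.
Import-Module DFSN

$Server    = 'DFS01'
$Domain    = 'domain.local'   # DNS name used in the namespace path
$NetBios   = 'DOMAIN'         # NetBIOS name used in ACL account names
$Namespace = "\\$Domain\Depts"
$ShareRoot = 'E:\Shares'
# Department folder -> AD group that may see (and modify) it
$Depts = @{ BusAnalysts = 'DFS-BusAnalyst'; CareMgmt = 'DFS-CareMgmt' }

# Namespace root with ABE turned on (post step 8).
New-DfsnRoot -Path $Namespace -TargetPath "\\$Server\DFS" -Type DomainV2 `
    -EnableAccessBasedEnumeration $true | Out-Null

foreach ($name in $Depts.Keys) {
    $group  = "$NetBios\$($Depts[$name])"
    $local  = Join-Path $ShareRoot $name
    $target = '\\{0}\Shares$\{1}' -f $Server, $name
    $link   = "$Namespace\$name"

    # NTFS on the folder target: drop inheritance, keep only Administrators (Full)
    # and the department group (Modify), matching the post's BusAnalysts folder.
    New-Item -ItemType Directory -Path $local -Force | Out-Null
    icacls $local /inheritance:r /grant:r 'Administrators:(OI)(CI)F' "${group}:(OI)(CI)M" | Out-Null

    # DFS folder pointing at the sub-folder under Shares$ (post step 9).
    New-DfsnFolder -Path $link -TargetPath $target | Out-Null

    # Explicit view permission (post step 10). ABE filters on THIS ACL, not on the
    # target's NTFS ACL; without it every user still sees the folder under T:\.
    Grant-DfsnAccess -Path $link -AccountName $group | Out-Null
}

# Audit: list DFS folders that still use inherited view permissions, i.e. folders
# every user can enumerate. Assumes Get-DfsnAccess returns nothing for such folders.
function Get-UnrestrictedDfsFolder {
    param([string]$Root)
    Get-DfsnFolder -Path "$Root\*" |
        Where-Object { -not (Get-DfsnAccess -Path $_.Path) } |
        Select-Object -ExpandProperty Path
}

Get-UnrestrictedDfsFolder -Root $Namespace
```

Run the audit again after every new DFS folder is added; any path it prints is one the explicit view permission step was skipped for.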

Group Policy Drive Mapping:

  1. In the proper GPO (the one applied where your users are located) navigate to User Configuration > Preferences > Windows Settings > Drive Maps and create a new drive mapping.
  2. The location will be the DFS target, in this case \\domain.local\depts; I've labeled it "Department Drive" and I'm using the T: drive.
  3. Navigate to the Common tab and select "Item-level Targeting".
  4. Under "Targeting" we want a rule saying the mapping applies to any user who is a member of a certain security group. Our naming convention is DM(drive map)-ABCD(company name)-DFS-DEPT, so as long as you are in DM-ABCD-DFS-DEPT you will have a T: drive mapped to \\domain.local\depts when you log in.

And we're done! On our way to becoming that much more organized :)