Powershell: Set Access Based Enumeration on share in Failover Cluster

Similar Messages

• SMB Share with Access Based Enumeration & Mac OSX 10.8/10.9

  Hello,
  I've been working on a bit of a problem related to some SMB Shares on Windows Server 2012 with Access Based Enumeration with Mac OSX 10.8 & 10.9.
  Basically, we have one network share that mounts for all of our Students & Faculty on campus. Then, based on which security group the user is inside of in Active Directory, they gain access and visibility to different folders. (Basically, if they are members of the graphic design department, they get access to the Graphic Design's folder). All of that is working fine, no problems. From there we have 3 folders that branch off. We have a Distribution, an Open, and a Dropbox folder.
  Distribution is setup as a spot for instructors to have full access, students have read access, They're able to drop files into this locations, to distribute them to their students. This folder is working fine, no problems.
  Open is setup with everyone read/write access across the board. This folder is setup for students to share data to each other, work on projects, etc. This folder is working as intended, no problems.
  Dropbox is the only folder we're having trouble with, i'm assuming because it's settings are the most complex out of the three. The purpose of the drop box is for students to have read/write control over their own content, but not others, and instructors to have read/write over this entire folder.
  Now that I've laid out our Setup, the problem we've encountered, is ONLY occurring inside of the Dropbox folder. When I try to Drag/Drop OR Copy/Paste from another location on the computer into the Dropbox folder, I get a permission error. HOWEVER, if I have a file open, and I click "save as" browse to the dropbox folder, I can save the file into that location without any trouble. Also, on our windows computers, with the same exact users, drag/drop & Copy/Paste work normally.
  Things I've Tried:
  Disabling the .DS_Store - I figured in the drop box, the .DS_Store would be created by the first user who copied a file in, then subsequent users would not have access to the .DS_Store.
  CIFS/SMB1 - I've read that SMB2 can cause some trouble while connecting to SMB Shares, so I tried both connecting via CIFS, and also by forcing back to SMB1, with no fix.
  Am I missing something with this? I've read a lot about people having trouble connecting to SMB Shares, but for us it had not been a problem up until this point. Does anyone know what a possible fix might be for this? I'm sifting through internet searches right now, trying to find a solution, however MOST of the responses I see are regarding the two things I've already tried.
  Any suggestions would be greatly appreciated.
  Thanks!

  hi everybody
  I really need some help so here is a little up !
  thanks !

• OSX 10.8 and SMB Shares with Access Based Enumeration.

  Hello,
  I've been working on a bit of a problem related to some SMB Shares on Windows Server 2012 with Access Based Enumeration with Mac OSX 10.8 & 10.9.
  Basically, we have one network share that mounts for all of our Students & Faculty on campus. Then, based on which security group the user is inside of in Active Directory, they gain access and visibility to different folders. (Basically, if they are members of the graphic design department, they get access to the Graphic Design's folder). All of that is working fine, no problems. From there we have 3 folders that branch off. We have a Distribution, an Open, and a Dropbox folder.
  Distribution is setup as a spot for instructors to have full access, students have read access, They're able to drop files into this locations, to distribute them to their students. This folder is working fine, no problems.
  Open is setup with everyone read/write access across the board. This folder is setup for students to share data to each other, work on projects, etc. This folder is working as intended, no problems.
  Dropbox is the only folder we're having trouble with, i'm assuming because it's settings are the most complex out of the three. The purpose of the drop box is for students to have read/write control over their own content, but not others, and instructors to have read/write over this entire folder.
  Now that I've laid out our Setup, the problem we've encountered, is ONLY occurring inside of the Dropbox folder. When I try to Drag/Drop OR Copy/Paste from another location on the computer into the Dropbox folder, I get a permission error. HOWEVER, if I have a file open, and I click "save as" browse to the dropbox folder, I can save the file into that location without any trouble. Also, on our windows computers, with the same exact users, drag/drop & Copy/Paste work normally.
  Things I've Tried:
  Disabling the .DS_Store - I figured in the drop box, the .DS_Store would be created by the first user who copied a file in, then subsequent users would not have access to the .DS_Store.
  CIFS/SMB1 - I've read that SMB2 can cause some trouble while connecting to SMB Shares, so I tried both connecting via CIFS, and also by forcing back to SMB1, with no fix.
  Am I missing something with this? I've read a lot about people having trouble connecting to SMB Shares, but for us it had not been a problem up until this point. Does anyone know what a possible fix might be for this? I'm sifting through internet searches right now, trying to find a solution, however MOST of the responses I see are regarding the two things I've already tried.
  Any suggestions would be greatly appreciated.
  Thanks!
  iMac, OS X Mountain Lion (10.8.5)

  Just thought I'd post this in case it helps someone. This could be the same problem we have (had) here so try this:
  When it asks for name and password put this in the name field: sharename\name
  So if the share is called "WWW" and your login name is "Bob" you'd put "www\Bob" in the name field and then normal password in the password field.
  Works perfectly for us. I cant remember when it started 10.7 or 10.8 but this was the only solution. Hope it helps someone else!

• Access Based Enumeration not working Windows 2012 R2 Datacenter

  I am having a hard time figuring out why Access Based Enumeration is not working for me.  I have set and re-set the settings and I'm still able to see folders I should not. I do get denied access on folders I don't have access to. 
  I have checked effective access which say everything is denied to me but I can still see the folder(s) listed. 
  I have the share permissions set to authenticated Users - Full Control
  I have the NTFS permissions set to the correct Dept. Groups. - Modify, and Domain Admins - Full Control and Guests - Deny Full Control
  Any idea's?
  --------Update--------
  I believe I had found the issue.  It was a rights issue with a group that added to the local admins group.

  Hi,
  It seems that you have resolve the issue.
  Please feel free to let us know if you need further assistance.
  Best Regards,
  Mandy
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Access Based Enumeration on CAD /Design Files 2008 R2

  Hi,
  I'm currently having some issues with our Windows Server 2008 R2 File Cluster, where the System Process is chugging along @ 80-95% CPU, which I personally find strange. After 2-3 hours of this type of resource utilization, we experience a failover to our
  passive node. After a few hours of user connectivity and build it the same thing happens again.
  Using ProcessExplorer I have been able to identify the srv2.sys driver having massive amounts of threads being created, with several running at 10-15% + CPU utilization per thread. srv2.sys driver is for SMBv2 Connectivity from my research and troubleshooting
  of these issues.
  I have had a ticket opened with MS Premier Support and I have completed installing all of the latest srv2.sys file updates to the latest version for 2008 R2, but we still seem to be having the issues, although it is intermittently. One of these fixes was in
  relation to enabling Access Based Enumeration to a certain level within your File System/Structure (http://support.microsoft.com/kb/2732618/en-us)
  Other hotfix installed is
  http://support.microsoft.com/kb/2831154/en-us
  We have users who run multiple image and CAD applications (Adobe InDesign, AutoCAD, MicroStation, Revit etc) across our network drives, as well as what I would call "standard" File Server access (word docs, spreadsheets, PDF's, powerpoint presentations
  etc).
  We have ABE enabled across all volumes.
  At the moment, I am praying for the server to again reach 100% CPU capacity due to the System Process using these resources.
  What I was wanting to ask is, are there any known issues with using Access Based enumeration of Drives for users/applications that use these InDesign/AutoCAD like applications?
  The reason I ask this is that when we experience this issue I notice more activity on our volumes that host these CAD/Design files, compared to when we experience a period of stability on the system.
  I have read on a few articles regarding Microstation that if it is a specific version, that you should disable SMBv2 via registry to revert to SMBv1 for better use/stability. I am going down the path of disabling SMB2 for all users who use these CAD applications
  to see if this assists in resolving the issue, but I'm trying to explore all  other options/potential issues to better configure our File Cluster
  Looking for guidance on troubleshooting this issue further.
  Thanks in advance.

  Hi,
  After the hotfix is installed, did you create a new registry entry? If not, please following the steps below to create a new registry entry:
  1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter. 
  2. Locate and then click the following registry subkey: 
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
  3. On the Edit menu, point to New, and then click DWORD (32 bit) Value. 
  4. Type ABELevel, and then press Enter. 
  5. On the Edit menu, click Modify. 
  6. In the Value data box, type a number according to the level that ABE is enabled on the shared folder, and then click OK. 
  7. Exit Registry Editor.
  Note: The ABELevel value specifies the maximum level of the folders on which the ABE feature is enabled. For example if you enable ABE on \\Server\share, you must set the ABELevel value to 1. If you enable ABE on \\Server\share\share, you must set the ABELevel
  value to 2. If the ABELevel value is not set or has value of 0, then this hotfix is not enabled.
  The value of the above mentioned key is set as follows: 
  Value = 0: ABE is enabled for all levels (default behavior without key as well) 
  Value = 1: ABE enabled for depth of 1 (\server\share) 
  Value = 2: ABE enabled for depth of 2 (\server\share\folder) 
  And so on for multiple levels. 
  Please configure this registry key with the value that’s most suitable for your environment.
  Regards,
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• ABE Access based enumeration not working

  Hello there,
  we have a brand new Windows 2012 R2 file server with one share \\server\share1, ABE enabled on this share.
  Read access for all Domain users on share.
  This share has 2 subfolders, folder1 and folder2.
  User Jon has set NTFS read write rights on folder1, but no access rights on folder2 (all set on security tab)
  Now when User Jon connects to this share he still sees both folders, but access denied on folder2.
  Why can he still see folder2 even when ABE is enabled? Also checked effective rights on folder2, no access.
  Thanks in advance

  Hi,
  Please try to recreate the folders to check if it could resovle thie issue. Do you share the subfolder? If so, the subfolder can still been viewed when browsing the server.
  For more detailed information, please refer to the thread below:
  Does Access Based Enumeration work with NTFS permissions?
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/fd9b8e65-f519-4c24-b721-5a1b9d61f13f/does-access-based-enumeration-work-with-ntfs-permissions
  Best Regards,
  Mandy 
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Some folder is empty when enabled access-based enumeration + Deduplication

  Hi Everyone,
  Background:
  Recently we migrated the file server to win2012 r2.  We have enabled dedupication and enabled access-based enumeration. 
  The data stored in D drive vm, so we just connected the D drive to the new 2012 r2 server.  Security rights all the same as before.  
  Problem:
  People reported that they can see their files and folders directly under their client folders, however some of the sub-folders are empty. when we checked from our file server, those sub-folder have files
  inside.  
  We did some test, we tried to disabled access-based enumeration, checked from user shared drive and see the files are visible again inside the folder.
  Has anyone experienced that before and can give me the solution?
  Thanks!!
  MT

  Hi,
  From the symptom it should related to Access Based Enumeration which means it is affected by NTFS permission settings. Please help list the NTFS permission settings on folders and an affect file. 
  Meanwhile you can try to create another share folder with basic NTFS permissions such as:
  Domain Admins: Full Control - This folder, subfolders and files.
  Creator Owner: Full Control - subfolders and files only.
  A testuser group: Modify (on a specific subfolder and its files).
  Everyone - Read - This folder only. 
  Then add the additional permissions which is added on your real shares to the test share one by one to see which one causes the issue. 
  If you have any feedback on our support, please send to [email protected]

• SMB File Share Storage Failover Cluster "path is not valid folder path"

  I am having an issue that I am scratching my head over. So I have setup a 3 node Hyper-V host cluster that I am attempting to use SMB File Share storage for the shared storage medium. I have been trying to migrate a virtual machine from one of the nodes
  local storage into the file share using System Center VMM 2012 R2 with UR5 however I keep getting the message "The specified path is not a valid folder path on node2.domain.com" for the storage that VMM automatically selects for placement of files
  from the migration. However what is odd is to the same file share for storage I can do a new deployment of a virtual machine to the same cluster with the same shares; I can also delete a virtual machine from the share fine; the file share for the virtual machine
  I library I am deploying machines from is the same server as the file shares for the cluster that I am deploying to so maybe that is why that succeeds; if I try to move the recently deployed VM from one file share to another for storage same error comes up.
  The three nodes all reference the same file server, which is just one file server for the storage, and the shares were created in VMM and as such the file share permissions were setup by VMM so they should be sufficient. I have also attempted this with both
  delegation of CIFS and without through AD (trust to specified computers with CIFS, Hyper-V Replica and Microsoft Virtual Console Service via Kerberos only).
  I am stumped as to what to check next or how to get this working and would appreciate any guidance anyone can give towards a resolution for this problem.

  Jeff,
  Thanks for reporting this.
  There's an known issue with UR5 that VMM gives wrong error when deploying a HAVM onto a SMB share. In that situation, VMM complains "Invalid folder path".
  To confirm you are hitting the same issue, would you kindly let me know:
  1. Are you trying to migrate a HighlyAvailable VM onto the SMB share?
  2. On UI of "Migrate Storage Wizard", if you click "Browse", do you see the target file share showing up in "Select Destination Folder" dialog?
  3. By "the three nodes all reference the same file server", I assume you added the target file share onto the list of File Share Storage thru the cluster's properties UI. If so, please go to the UI and check whether the access status shows
  green there.
  4. By "local storage", do you mean "local disk"? Or a shared LUN from any array? I assume it's not "available storage" or "CSV" of the cluster. Please double confirm.
  Note: If we are sure hitting the known issue, I will later re-direct you to a hotfix. But let's make sure it is the issue first.
  Look forward to your reply.

• Problem with access based enumeration

  Hello.
  We still have about 500 Windows XP SP3 computers in our organization. We have Windows 2008 R2 file cluster with ABE-enabled shares. When we try to access shares from XP computers we have symptoms as described in KB941598 ("Path not found" when
  user has no permissions on the upper folders and he uses dialog window or explorer address bar but not "Run" command from Start menu):
  https://support.microsoft.com/en-us/kb/941598. We have no this problem on Windows 7 after KB2821343 installing in 2013.
  We can't install KB941598 hotfix because SP3 already installed. Shell32.dll version is 6.00.2900.6242, XPSP3res.dll version is 5.1.2600.5512.

  Hi,
  Do you try to install the KB941598 hotfix? It seems that the hotfix is included in Windows XP Service Pack 3. Please see:
  List of fixes that are included in Windows XP Service Pack 3
  https://support.microsoft.com/en-us/kb/946480
  Best Regards,
  Mandy
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• Error attempting to enable ABE (Access Based Enumeration)

  Hello,
  While attempting to enable ABE, I am getting an inconspicuous error:
  The error is not clearly defined and there are no event logging corresponding to this issue. So I am bit perplexed to comprehend what exactly 'Expression evaluated to false' means? Any assistance on this matter would be greatly appreciated.
  Regards,
  Horace
  Update: Additionally, I am not able to apply any settings through the dialog, this appears to be a bug?

  Hi,
  1. Same error regardless the account. (With administrator rights)
  2. No GPO polices were applied at the time of that error. Further more, GPO policies that are currently applied after the fact pertain to only Roaming Profiles and Folder Redirection.
  3. The server is setup as Role Based: AD, IIS, DHCP, DNS, and File and Storage Services. I don't have another system to install Windows Server 2012R2 to test with.
  4. I am not sure what you mean by test on a shared folder?
  Mean time, this is a fresh install, I will run 'sfc' and 'DISM' for verification purposes.
  Yes, I would consider this as a bug (In terms of the 'error message'). The error resembles a programing issue. Is there a place to report bugs?
  Update: I installed Remote Administration Tools for Windows 8.1 on a client computer. Error still persists.
  Regards,
  Horace

• Can not get access files from Windows 7 to Claims-based file authorization share

  We have AD level 2012R2, DCs running 2012R2 of course, and we have clustered File Server (3 FSNodes running 2012R2).
  We enabled 2 policies 
  KDC Support for claim
  Kerberos support for claim
  We created 1 claim type in ADAC (For example "Division" Source Property). Filled this property to all IT AD Accounts by our value "IT"
  On FS made a share folder ITDivision:
  - set permissions  Domain Users can Modify if User.Division equals "IT"
  so on Windows 8 IT Users can access files on this share and on Windows 7 they cant
  =\ . We know from many presentations about Dynamic Access Control that File Server must enroll user claims if client do not support this claims (Service-for-User-To-Self)

  Hi,
  >>so on Windows 8 IT Users can access files on this share and on Windows 7 they cant
  =\ . We know from many presentations about Dynamic Access Control that File Server must enroll user claims if client do not support this claims (Service-for-User-To-Self)
  How is it going? Was there any error message? As far as I know, Dynamic Access Control (DAC) should work for downlevel clients. It’s backwards compatible. As Florain explains in the following blog:
  For non-Windows 8 and non-Windows Server 2012 boxes accessing DAC-protected file shares, the users do not carry any claims. For them, the Server 2012-based file share will query Active Directory and proxy the claims request to figure out what claims
  the user and machine bring. The file server checks in the name of the user, whether they should have claims. With that information, the file server evaluates the access to the file share. So yeah – DAC works for downlevel clients, too. It’s backwards compatible.
  And totally transparent to Windows 7.
  Questions regarding Dynamic Access Control (FAQ)
  http://www.frickelsoft.net/blog/?p=293
  In addition, regarding dynamic access control, the following blog can also be referred to for more information.
  Dynamic Access Control in Windows Server 2012
  http://www.infoq.com/news/2012/10/Dynamic-Access-Control
  Please Note: Since the above two website are not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
  Best regards,
  Frank Shen

• Powershell web access limited to PowerShell 1.0?

  Hello,
  I setup PowerShell Web Access and it seems to be limited to PowerShell 1.0. I deployed module designed for PowerShell 2.0 and I'm getting error below when trying to import it. Is it expected?
  Windows PowerShell
  Copyright (C) 2013 Microsoft Corporation. All rights reserved.
  PS C:\Users\g\Documents>
  Import-Module AAWebAdministration
  Import-Module : The current Windows PowerShell host is: 'ServerRemoteHost' (version 1.0.0.0). The module
  'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AAWebAdministration\AAWebAdministration.psd1' requires a
  minimum Windows PowerShell host version of '2.0' to run.
  + CategoryInfo : ResourceUnavailable: (C:\Windows\syst...nistration.psd1:String) [Import-Module], Invalid
  OperationException
  + FullyQualifiedErrorId : Modules_InsufficientPowerShellHostVersion,Microsoft.PowerShell.Commands.ImportModuleComm
  and
  PS C:\Users\g\Documents>

  That is just for the ServerRemoteHost version, which doesn't mean that the actual PowerShell version is 1.0. It sounds like the module metadata is incorrect and should be adjusted.
  You can go and edit the .psd1 file that is being referenced and set the powershellversion key to 2.0 and set the powershellhostversion to ''.
  This should clear up that issue.
  Boe Prox
  Blog |
  Twitter
  PoshWSUS |
  PoshPAIG | PoshChat |
  PoshEventUI
  PowerShell Deep Dives Book

• Calculate Set membership based on Group Membership

  I know this has been asked before, but I haven't really found a clear answer to the problem - so here's me re-igniting the fire!
  I want to calculate set membership based on group membership? So, I have a set called "My Set" - its members should be all the members of the group "My Group" (The group is a Manual group, not a criteria based one). I know that Sets cannot
  refer to Groups when using "Resource ID" - bummer!
  I guess this can be done using a custom action WF which triggers whenever a member is added to the Group and goes and it goes and updates the Set with the ExplicitMember reference, but I'm wondering if there's a more elegant solution using some OOTB activities?
  Thanks

  I've done this using a custom WF, but still curious to see if there is some other way around it.
  For those interested, the custom workflow gets the member being added from the request, and adds it to the set - fairly simple really. I'm using the FIM PowerShell WF activity for this, in conjunction with the fantastic FIM PowerShell Module

• Set the Permission on existing share.

  net share Testfolder="D:\Program Files\Testfolder" /grant:Administrators`,Full /grant:$kozos`,Read /grant:$kozos`,Change
  When i execute the above command, it creates the new share and set the permissions on the share. But if a share already exists, the command doesn't set the permissions.
  How do i use net share to set the permissions on the existing share?

  Hi,
  This isn't really a PowerShell question.
  I guess you could just delete the existing share and create it all over again.
  Still though - share permissions should always be Everyone - Full Control anyway. Permissions should be handled via NTFS, not shares.
  EDIT: If you really have to, try this:
  http://gallery.technet.microsoft.com/scriptcenter/PowerShellAccessControl-d3be7b83
  Don't retire TechNet! -
  (Don't give up yet - 12,950+ strong and growing)
  Hey Mike,
  This is what i do :-
  Right click on folder, click sharing, then advanced sharing, permissions and set the permissions. If I handle via NTFS, will it put the permission on the share?

• Setting Access Control in Airport Utility

  Hello everyone,
  I'm hoping that someone can confirm that setting access control to Local in the Airport Utility, and specifying computer addresses, is an optional layer of security over and above a network and base station password. In other words, if I leave access control set to Not Enabled, will I still have password protection for my wireless network?
  Regards,
  Gregory

  Thanks for reply, but I'm afraid I don't understand, and I apologize for my inexperience. What do you mean when you say that I should be more concerned that both access control and other security +should not+ be done? And by "... check on its either one or the other," did you mean check whether it's one or the other?
  In any case, page 58 of the Designing Apple Networks manual doesn't say anything about local access control that the one-line description under the Access Control tab in the Airport Utility doesn't already say, namely, that access can be restricted to particular computers. Well, that's clearly a good thing as long as you don't have visitors or collaborators frequently dropping by who need access to your network. I think it's reasonable to assume that network and base station password protection operate independently of access control based on Apple IDs.