When you delegate to users the ability to create DFS shares, the configuration of the DFS dictates how delegation must occur. When you configure a stand-alone DFS server, the delegation process involves adding the user who is delegated to the local Administrators group on the DFS server. When you configure a domain DFS, the user who is delegated must be added to the local Administrators group on each of the Root DFS server replicas. If the DFS root is on a domain controller, the user must be added to the Domain Admins group; otherwise, the user will receive an "access denied" error message.
For both stand-alone and domain DFS servers, the delegate user must also have Full Control permissions to the DFS-Configuration container in Active Directory. When you grant permissions to the DFS-Configuration container, the user also gains permissions to create new DFS namespaces, and administer existing ones.
Note When you configure delegation, parts of the DFS namespace, such as adding Links or Replicas, cannot be separately delegated.
To grant a user permissions to the DFS-Configuration object, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- On the View menu, click to select the Advanced Features check box.
- In the left pane, double-click System.
- In the right pane, right-click DFS-Configuration, and then click Properties.
- Click Security, and then click Add.
- In the list of users, click the users who you want to delegate, and then click Add.
- Click OK.
- In the Permissions pane, click Allow, and then click Full Control to allow full control permission.
- Click OK.
Delegate permissions can be limited to administering an individual DFS namespace that exists, by granting rights on the individual DFS namespace object that is contained in the DFS-Configuration container.
To grant a user permission to a single DFS namespace, follow these steps:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- On the View menu, click to select the Advanced Features check box.
- In the left pane, double-click System.
- In the right pane, double-click DFS-Configuration.
- In the right pane, right-click the DFS namespace that you want to delegate, and then click Properties.
- Click Security, and then click Add.
- In the list of users, click the users who you want to delegate, and then click Add.
- Click OK.
- In the Permissions pane, click Allow, and then click Full Control to allow full control permission.
- Click OK.
Note When you delegate permissions to the DFS-Configuration object, only give Full Control permissions to the users who require delegate access. Microsoft does not recommend that you grant Full Control permissions to the DFS-Configuration object.
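To review who already holds Full Control on the DFS-Configuration container and on each namespace object beneath it, an audit such as the following can be run before and after delegating. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module, that the container's distinguished name is CN=Dfs-Configuration,CN=System,<domain DN>, and a baseline of expected holders. The function name Get-DfsDelegationReport and its parameter are hypothetical.

```powershell
# Added audit example; not part of the original article.
# Requires the ActiveDirectory module (RSAT) and read access to the System container.
Import-Module ActiveDirectory

function Get-DfsDelegationReport {
    param(
        # Hypothetical parameter: extra principals you expect to hold Full Control.
        [string[]]$AlsoExpected = @()
    )

    $domain = Get-ADDomain
    # Assumption: "System > DFS-Configuration" in the snap-in maps to this DN.
    $containerDn = "CN=Dfs-Configuration,CN=System,$($domain.DistinguishedName)"

    # Assumed baseline of built-in holders; anything else is a delegation to review.
    $expected = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        "$($domain.NetBIOSName)\Domain Admins"
    ) + $AlsoExpected

    # The container itself, then each namespace object directly beneath it.
    $children = Get-ADObject -SearchBase $containerDn -SearchScope OneLevel -Filter * |
        Select-Object -ExpandProperty DistinguishedName
    $targets = @($containerDn) + @($children)

    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($dn in $targets) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            # "Full Control" in the Security tab is the GenericAll right.
            $isFull = ($ace.ActiveDirectoryRights -band $fullControl) -eq $fullControl
            if ($ace.AccessControlType -eq 'Allow' -and $isFull) {
                [pscustomobject]@{
                    Object    = $dn
                    Principal = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                    AppliesTo = $ace.InheritanceType   # None = this object only
                    Expected  = $expected -contains $ace.IdentityReference.Value
                }
            }
        }
    }
}

# List Full Control holders that are not in the expected baseline.
Get-DfsDelegationReport | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

A non-inherited entry on a single namespace object indicates delegation scoped to that namespace, while an entry on the container itself covers creating new namespaces and administering existing ones.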
Additional steps for Windows Server 2003
After you give a user Local admin rights on all members of the replica set and Full Control on the DFS-Configuration container, you must delegate the right to configure replication. To do so, follow these steps:
- Give the user Full Control on each computer object in the Active Directory Users and Computers snap-in that is a member of the replica set. Use the advanced settings to make sure that the user has Full Control over This object and all child objects and not just the default This object only.
- Give the user Read and Create All Child Objects rights on: DomainName\System\File Replication Service\DFS Volumes\RootName.
Note If the RootName folder or the DFS Volumes folder does not exist yet, the Create Child Object right must be on the parent container to the object that has not been created. The DFS Volumes container will be created when the first DFS-based replica set is created in that domain. The RootName container will be created when the first replica set is created on the specific DFS root.