Permissions are not correctly inherited in a DFS topology on Windows 2000 Server and Windows Server 2003


Symptoms


When you use Windows Explorer to modify the folder permissions on a Distributed File System (DFS) topology, the permissions may be inherited from the DFS structure instead of from the target NTFS file system folder. For example, when you access the \\DomainName\DFSRoot structure directly, and you modify the folder permissions under that DFS root, the permissions may not be applied as you expect.

Cause


When you set permissions on files or folders by using the DFS link path (virtual location) instead of the DFS target path (actual location), inheritance for security descriptors is applied based on the DFS link parent path instead of the DFS target parent path. This behavior is by design.

Resolution


To resolve this behavior, use the path of the physical folder to set permissions. For example, use the following path:
\\ServerName\ShareName
In this path, ServerName is a placeholder for the name of the server, and ShareName is a placeholder for the name of the target share in the DFS structure.

Important: Do not use the DFS path to set permissions on a folder. When you use the DFS path to set permissions on a folder, the folder may inherit permissions from the parent folder in the DFS topology.
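The following PowerShell function is an added example, not part of the original article: it resolves a DFS link to its target paths and applies the permission change through each \\ServerName\ShareName path instead of the DFS path. It assumes an administrative host where the DFSN module (Get-DfsnFolderTarget) and icacls.exe are available and can manage the namespace; the function name, parameter names and sample values are hypothetical.

```powershell
# Added example (not from the original article). Assumes the DFSN module
# (Get-DfsnFolderTarget) and icacls.exe are available on the admin host.
function Grant-DfsTargetPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DFS link path (virtual location), e.g. \\DomainName\DFSRoot\LinkName
        [Parameter(Mandatory = $true)] [string] $DfsLinkPath,
        # Account to grant; the value is site-specific
        [Parameter(Mandatory = $true)] [string] $Identity,
        # icacls permission string: Modify, inherited by files and subfolders
        [string] $Permission = '(OI)(CI)M'
    )

    # Resolve the link to its target paths (actual locations)
    $targets = @(Get-DfsnFolderTarget -Path $DfsLinkPath -ErrorAction Stop)
    if ($targets.Count -eq 0) { throw "No targets found for $DfsLinkPath" }

    foreach ($target in $targets) {
        $path = $target.TargetPath
        if ($target.State -ne 'Online') {
            Write-Warning "Skipping $path (state: $($target.State)); handle it separately."
            continue
        }
        if ($PSCmdlet.ShouldProcess($path, "icacls /grant ${Identity}:$Permission")) {
            # The ACL is written through the physical path, so inheritance is
            # evaluated against the target's parent, not the DFS link's parent.
            & icacls.exe $path /grant "${Identity}:$Permission" | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "icacls failed on $path (exit code $LASTEXITCODE)"
            }
        }
        # Report explicit and inherited ACEs as seen at the target path
        (Get-Acl -LiteralPath $path).Access |
            Select-Object @{ n = 'Target'; e = { $path } }, IdentityReference,
                          FileSystemRights, IsInherited
    }
}

# Dry run first; remove -WhatIf to apply (sample values are placeholders).
# Grant-DfsTargetPermission -DfsLinkPath '\\DomainName\DFSRoot\LinkName' `
#     -Identity 'DOMAIN\GroupName' -WhatIf
```

With -WhatIf the function changes nothing and only lists the current ACEs on each target, which is a quick way to review which entries are marked as inherited before making a change.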

References


For more information about DFS, click the following article number to view the article in the Microsoft Knowledge Base:

812487 Overview of DFS in Windows 2000

For more information about how to set permissions on DFS structures, visit the following Microsoft Web site: