How to configure Delegate Administration permissions for DFS in Windows Server 2003 and in Windows 2000 (258992)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q258992

SUMMARY

This article describes how to give users the ability to create shares on a Windows 2000 Server or Windows Server 2003 Distributed File System (DFS) system.

MORE INFORMATION

When you delegate to users the ability to create DFS shares, the configuration of the DFS dictates how delegation must occur. When you configure a stand-alone DFS server, the delegation process involves adding the user who is delegated to the local Administrators group on the DFS server. When you configure a domain DFS, the user who is delegated must be added to the local Administrators group on each of the Root DFS server replicas. If the DFS root is on a domain controller, the user must be added to the Domain Admins group; otherwise, the user will receive an "access denied" error message.

For both stand-alone and domain DFS servers, the delegate user must also have Full Control permissions to the DFS-Configuration container in Active Directory. When you grant permissions to the DFS-Configuration container, the user also gains permissions to create new DFS namespaces, and administer existing ones.

Note When you configure delegation, parts of the DFS namespace, such as adding Links or Replicas, cannot be separately delegated.

To grant a user permissions to the DFS-Configuration object, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. On the View menu, click to select the Advanced Features check box.
  3. In the left pane, double-click System.
  4. In the right pane, right-click DFS-Configuration, and then click Properties.
  5. Click Security, and then click Add.
  6. In the list of users, click the users who you want to delegate, and then click Add.
  7. Click OK.
  8. In the Permissions pane, click Allow, and then click Full Control to allow full control permission.
  9. Click OK.

Delegate permissions can be limited to administering an individual, existing DFS namespace by granting rights on that namespace's object, which is contained in the DFS-Configuration container.

To grant a user permission to a single DFS namespace, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. On the View menu, click to select the Advanced Features check box.
  3. In the left pane, double-click System.
  4. In the right pane, double-click DFS-Configuration.
  5. In the right pane, right-click the DFS namespace that you want to delegate, and then click Properties.
  6. Click Security, and then click Add.
  7. In the list of users, click the users who you want to delegate, and then click Add.
  8. Click OK.
  9. In the Permissions pane, click Allow, and then click Full Control to allow full control permission.
  10. Click OK.
Note When you delegate permissions to the DFS-Configuration object, only give Full Control permissions to the users who require delegate access. Microsoft does not recommend that you grant Full Control permissions to the DFS-Configuration object.
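
To review the result of the two procedures above, the following added example (not part of the original Microsoft article) lists every principal that holds Allow Full Control on the DFS-Configuration container and on each DFS namespace object inside it. It assumes Windows PowerShell on a domain-joined management computer and that the container's distinguished name is CN=Dfs-Configuration,CN=System under the domain naming context; the function name Get-DfsFullControlHolder is hypothetical.

```powershell
# Added example: audit Full Control (GenericAll) grants on DFS-Configuration.
# Assumption: the caller can read the ACLs of objects under CN=System.

function Get-DfsFullControlHolder {
    param(
        # Distinguished name of the domain; looked up from RootDSE when omitted.
        [string]$DomainDN
    )

    if (-not $DomainDN) {
        $rootDse  = [ADSI]'LDAP://RootDSE'
        $DomainDN = [string]$rootDse.psbase.Properties['defaultNamingContext'].Value
    }

    $container = [ADSI]"LDAP://CN=Dfs-Configuration,CN=System,$DomainDN"

    # The container itself, then every DFS namespace object stored inside it.
    $targets = @($container) + @($container.psbase.Children)

    $fullControl = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($entry in $targets) {
        $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
            $true,   # include explicit ACEs
            $true,   # include inherited ACEs
            [System.Security.Principal.NTAccount])

        foreach ($rule in $rules) {
            $isAllow = [string]$rule.AccessControlType -eq 'Allow'
            $isFull  = ([int]$rule.ActiveDirectoryRights -band $fullControl) -eq $fullControl
            if ($isAllow -and $isFull) {
                New-Object PSObject -Property @{
                    Object    = [string]$entry.psbase.Properties['distinguishedName'].Value
                    Principal = $rule.IdentityReference.Value
                    Inherited = $rule.IsInherited       # False = granted directly on this object
                    AppliesTo = $rule.InheritanceType   # None = "This object only"
                }
            }
        }
    }
}

Get-DfsFullControlHolder |
    Sort-Object Object, Principal |
    Format-Table Object, Principal, Inherited, AppliesTo -AutoSize
```

Rows where Inherited is False on the DFS-Configuration container itself are the container-wide grants that the note above says to limit; rows on a child object correspond to single-namespace delegation.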

Additional steps for Windows Server 2003

After you give a user local administrator rights on all members of the replica set and Full Control on the DFS-Configuration container, you must delegate the right to configure replication. To do so, follow these steps:
  1. In the Active Directory Users and Computers snap-in, give the user Full Control on each computer object that is a member of the replica set. Use the advanced settings to make sure that the user has Full Control over This object and all child objects, and not just the default, This object only.
  2. Give the user Read and Create All Child Objects rights on: DomainName\System\File Replication Service\DFS Volumes\RootName.

    Note If the RootName folder or the DFS Volumes folder does not exist yet, the Create Child Object right must be on the parent container to the object that has not been created. The DFS Volumes container will be created when the first DFS-based replica set is created in that domain. The RootName container will be created when the first replica set is created on the specific DFS root.

Modification Type: Minor
Last Reviewed: 6/7/2005
Keywords: kbhowto KB258992