Description:
There is no tool available for management of access control lists (ACLs) through Distributed File System (DFS).
Abstract:
File ACLs are administered at each individual physical share. There is no mechanism to administer ACLs system-wide from the DFS root, nor does DFS make any attempt to keep ACLs consistent between alternate volumes (the replica targets of the same DFS link). There are several reasons for this:
- A centrally administered logical ACL database could be bypassed. A DFS path is only a referral to a physical share, so a user could NET USE the physical share directly (or type its UNC path) and never pass through a namespace-level check.
- The logical DFS volume can span FAT and NTFS volumes, and can contain leaves from other network operating systems. FAT has no file ACLs at all, so there is no reasonable way to set an inherited Deny ACL that starts on an NTFS volume, passes through FAT, returns to NTFS, and ends on a NetWare volume.
- A tool that walks the logical namespace, setting ACLs as it goes, would require a complicated messaging and transaction engine to ensure that ACL updates were queued, applied, and retried over loosely connected and/or unreliable networks.
- Disk quotas in Windows 2000 are tracked per user on each NTFS volume. Enforcing a quota across the logical namespace would add the burden of tallying storage for every user across every volume to determine when a user has exceeded the allotment.
Solution:
Microsoft DFS is a framework for organizing file shares across a network into one logical namespace; not all of those shares need reside on NTFS volumes.
Security Explorer supplants and enhances the native NTFS ACL editor, but permissions are still managed at the physical volume (share) level. Set permissions on each physical target of a DFS link, and check the targets of replicated links against each other, since DFS itself does not keep them consistent.
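The article states that ACLs live on each physical target and that DFS makes no attempt to keep them consistent between alternates. The following PowerShell script is added here as an example; it is not part of the original article and is not Security Explorer code. It walks a DFS namespace, resolves each link's physical targets and reports explicit ACEs that differ between targets of the same link. It only reads ACLs and never writes them, in line with the reason given above that pushing ACLs across unreliable networks needs a transaction engine DFS does not provide. It assumes the DfsN PowerShell module (Windows Server 2012 or later, or RSAT) and read access to every target share; the namespace root is a placeholder.

```powershell
# Added example, not from the original article: audit ACL drift between the
# physical targets of each DFS namespace folder (link). Read-only; it never
# writes ACLs. Assumes the DfsN module (Windows Server 2012+ or RSAT) and read
# access to every target share. The namespace root below is a placeholder.
param(
    [string]$NamespaceRoot = '\\contoso.example\Shares'   # hypothetical namespace
)

Import-Module DfsN -ErrorAction Stop

# Reduce a target's ACL to a sorted list of explicit ACE strings.
# Inherited ACEs are ignored: each target sits at its own depth on its own
# volume, so its inherited entries legitimately differ. Deny entries are kept,
# since a Deny present on one replica and missing on another is exactly the
# kind of drift the namespace cannot prevent.
function Get-ExplicitAceSignature {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    @($acl.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
                $_.FileSystemRights, $_.InheritanceFlags, $_.PropagationFlags
        } |
        Sort-Object -Unique)
}

$report = foreach ($folder in Get-DfsnFolder -Path "$NamespaceRoot\*") {
    $targets = @(Get-DfsnFolderTarget -Path $folder.Path)
    if ($targets.Count -lt 2) { continue }    # a single target has nothing to drift from

    # ACLs are read from the physical target paths, never from the DFS path,
    # because the physical share is what a direct NET USE would hit anyway.
    $signatures = [ordered]@{}
    foreach ($t in $targets) {
        try {
            $signatures[$t.TargetPath] = Get-ExplicitAceSignature -Path $t.TargetPath
        } catch {
            Write-Warning "Cannot read ACL on $($t.TargetPath): $_"
        }
    }

    $paths = @($signatures.Keys)
    if ($paths.Count -lt 2) { continue }
    $reference = $signatures[$paths[0]]

    # Compare every other target against the first one that could be read.
    for ($i = 1; $i -lt $paths.Count; $i++) {
        $current = $signatures[$paths[$i]]
        $onlyRef = @($reference | Where-Object { $current -notcontains $_ })
        $onlyCur = @($current   | Where-Object { $reference -notcontains $_ })
        if ($onlyRef.Count -eq 0 -and $onlyCur.Count -eq 0) { continue }

        [pscustomobject]@{
            DfsFolder       = $folder.Path
            Reference       = $paths[0]
            Target          = $paths[$i]
            MissingOnTarget = $onlyRef -join '; '
            ExtraOnTarget   = $onlyCur -join '; '
        }
    }
}

if ($report) { $report | Format-List } else { "No explicit-ACE drift found under $NamespaceRoot" }
```

Run it from a host that can resolve the namespace and reach every target share. Each reported row names the DFS link, the reference target, the target that differs, and the explicit ACEs present on one side only; a Deny ACE listed under MissingOnTarget means one replica enforces a restriction the other does not, which is the case to fix first, on the physical share itself.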
Original Article Number: 1323