JSI Tip 6319. How do I delegate the ability to create DFS shares on a Windows 2000 server?

If you want to delegate DFS rights on a standalone DFS server, you must add the user to the local Administrators group on that DFS server.

If you want to delegate DFS rights in a domain, you must also add the user to the local Administrators group on each of the Root DFS server replicas.

For all delegation, the user must have Full Control permissions on the DFS-Configuration container in Active Directory, which grants the user the right to create new DFS namespaces and to administer existing namespaces.

NOTE: You can limit the permission to individual DFS namespaces by grant the right to the individual objects in the DFS-Configuration container, instead of to the entire DFS-Configuration container.

To grant a user permission on the DFS-Configuration object:

1. Open the Active Directory Users and Computers snap-in.

2. use the View menu to select Advanced Features.

3. Double-click System in the left-hand pane.

4. Right-click DFS-Configuration in the right-hand pane and press Properties, or expand the DFS-Configuration container, right-click a specific namespace and press Properties.

5. Select the Security tab and press Add.

6. Select the user you want to delegate and press Add.

7. Press OK.

8. Check the Allow column for the Full Control permission and press Apply and OK.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.