DFS-N restrict drag and drop folder contents

We are looking into migrating to DFS Namespaces but ran into an issue.

Is there a way to prevent users from moving the contents of a namespace folder (link) to another namespace folder within the same DFS namespace?
When viewing the namespace (\\domain.local\share\) and the shared folders within, users can move the contents by dragging and dropping to a different share.

For example, consider this structure

\\domain.local\Share
-------- Folder1
-------- Folder2
-------- Folder3

Users can drag and drop Folder3 into Folder1. The Folder3 link stays there, but the contents (on which they have NTFS permissions) will be moved inside folder1. 

Accidental drag and drop happens and it can be a disaster on top level folders. 

On our old structure, using simple folder shares, accidental drag and drop has harmful effects. You only create a link inside the destination folder.

Hope someone can help me in finding a solution.

Thanks


  • Edited by Vlad Velciu Tuesday, September 01, 2015 3:43 PM
September 1st, 2015 3:41pm

Hi,

I'm afraid we do not have a proper solution for such an accident.

We can remove Write permission on the root folder so that users will not be able to delete/move/rename a root folder. But contents will still be moved if we accidentally drag and drop a root folder into another folder.

It is not recommended to remove Delete permission (which could stop Move but not Copy) on files either. Deny Delete will cause issues on renaming files and it will specifically affect Office files from editing.

You will have to train your users not to make such mistakes when dragging folders.

September 2nd, 2015 7:23am

Thank you for your answer.

It's unfortunate that DFS-N folders react in this way. As I mentioned, the drag and drop operation on simple shares only creates links and does not move or copy folder contents.

Why MS chose to go this way is beyond my understanding. Accidents happen and while you can train to reduce the situations, you cannot avoid them altogether. That is why we have permissions.

September 2nd, 2015 10:43am

A solution is to set the share advanced permissions to Read and Change then set the NTFS permissions to the top folder as follows (A):

Traverse Folder

List Folder

Read Attributes

Read Extended Attributes

Read Permissions

Then, on the subfolders you can grant the following NTFS permissions (B):

Traverse Folder

List Folder

Read Attributes

Read Extended Attributes

Create Files

Create Folders

Write Attributes

Write Extended Attributes

Delete subfolders and files

Read Permissions

Take this folder structure for example. You have a Sales shared folder. Under it you have a predefined structure composed of a Public and Department folders. On the Sales folder you grant Read and Change for the Share advanced permissions and the NTFS permissions as stated above (A). Then, on the 2 subfolders you grant the above NTFS permissions (B).

Basically, what you get is this: the user has full control (except changing permissions or taking ownership) under Public and Department folders. He cannot delete the Public and Department folder and cannot create additional files or folders on the same level as the two folders.

Thus dragging and dropping is inhibited.

A very important point is the Share permissions mentioned in the beginning. Because of how MS designed this, you have to set these permissions to the maximum permissions a user will have through the whole structure under this. If you had set only Read Share permission for Sales, then the user would have only this permission in every folder under Sales, even if you set granular NTFS permissions to more than Read.


September 7th, 2015 2:23am
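
The permission scheme from the last reply, scripted for the Sales example; this is an added example and not code from any poster in the thread. The local path, group name and share name are assumptions, as is the scope of each entry (set A on the top folder only, set B inherited below each subfolder), and the group is assumed to hold no other, broader entries on these folders.

```powershell
# Assumed names (not from the thread): local path, subfolders, group, share.
$Top   = 'D:\Shares\Sales'
$Subs  = 'Public', 'Department'
$Group = 'DOMAIN\Sales-Users'
$Share = 'Sales'

# Set (A): navigate and read the top folder, nothing else.
$RightsA = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
# Set (B): create, write and delete children, but no Delete on the folder itself.
$RightsB = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, ReadPermissions'

function Add-AllowAce {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $acl = Get-Acl -LiteralPath $Path
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Share permission: Change (includes Read) is the ceiling for everything below.
Grant-SmbShareAccess -Name $Share -AccountName $Group -AccessRight Change -Force | Out-Null

# (A) on the top folder only: nothing can be created, dropped or deleted at this level.
Add-AllowAce -Path $Top -Identity $Group -Rights $RightsA -Inherit None

# (B) on each predefined subfolder, inherited by the folders and files beneath it.
foreach ($name in $Subs) {
    Add-AllowAce -Path (Join-Path $Top $name) -Identity $Group -Rights $RightsB -Inherit 'ContainerInherit, ObjectInherit'
}

# Review: list every Allow entry the group ends up with and flag any that grants Delete.
$paths = @($Top) + ($Subs | ForEach-Object { Join-Path $Top $_ })
foreach ($p in $paths) {
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='Path';e={$p}}, FileSystemRights, IsInherited,
            @{n='GrantsDelete';e={ $_.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::Delete) }}
}
```

Any row in the review output with GrantsDelete set to True, or an inherited entry carrying Modify or Full Control, means an existing ACE still overrides the scheme and has to be removed first.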
