Delegating permissions to run Dfsrdiag

Where I work, we have regional IT support personnel to provide “touch labor”. They also run their own file share server that has DFSR set up back to the corporate headquarters. While troubleshooting an issue with one of the local IT support techs, I was having her run some DFSRDIAG commands, but she was getting an error.

Looking up this error, you will find that this is a permissions issue. To set the permissions needed to run the DFS queries, follow the directions below.

1. Add the user account or group to the “Distributed COM Users” local group on each machine

2. The group or user added above now needs permissions to access and run WMI for DFS.

a. Open Wmimgmt.msc.

b. Right-click WMI Control then click Properties.

c. On the Security tab, expand down to Root\MicrosoftDfs

d. Click the Security button

e. In the Security Window click Add

f. Add the account from above and set the permissions to Allow: Execute Methods, Provider Write, Enable Account, and Remote Enable.

3. Using the DFS Management snap-in, delegate permission to manage the desired replication group to domain\username

5. Wait for the new delegated permissions to be replicated to other members via Active Directory replication. The amount of time this takes depends on Active Directory replication latency as well as the polling interval.
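Steps 1 and 2 have to be repeated on each machine, so scripting them keeps the grant identical everywhere and limited to the four rights listed. The following is an added example, not part of the original post; it assumes Windows PowerShell 5.1 in an elevated session on the DFSR member itself, and the default account name is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: assumes Windows PowerShell 5.1, run locally on each DFSR member.
# The default account name is a placeholder, not a value from the article.
param([string]$Account = 'CONTOSO\DFSR-Diag-Operators')

# WMI namespace access-right bits for the four rights listed in step 2f.
$Rights = [ordered]@{ 'Enable Account' = 0x01; 'Execute Methods' = 0x02
                      'Provider Write' = 0x10; 'Remote Enable'   = 0x20 }
$Mask = 0
$Rights.Values | ForEach-Object { $Mask = $Mask -bor $_ }   # 0x33
$sid = ([Security.Principal.NTAccount]$Account).Translate(
        [Security.Principal.SecurityIdentifier]).Value

# Step 1: local "Distributed COM Users" membership (skipped if already present).
$dcom = 'Distributed COM Users'
if (-not (Get-LocalGroupMember -Group $dcom | Where-Object { $_.SID.Value -eq $sid })) {
    Add-LocalGroupMember -Group $dcom -Member $Account
}

# Step 2: read the security descriptor of Root\MicrosoftDfs.
$sec = @{ Namespace = 'Root\MicrosoftDfs'; Path = '__SystemSecurity=@' }
$get = Invoke-WmiMethod @sec -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($get.ReturnValue)" }
$sd = $get.Descriptor

# Add an allow ACE only if the account does not already hold all four rights.
$held = $sd.DACL | Where-Object {
    $_.Trustee.SidString -eq $sid -and $_.AceType -eq 0 -and
    ($_.AccessMask -band $Mask) -eq $Mask }
if (-not $held) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_ACE').CreateInstance()
    $ace.AccessMask = $Mask
    $ace.AceType    = 0    # access allowed
    $ace.AceFlags   = 0    # this namespace only, no inheritance to subnamespaces
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $set = Invoke-WmiMethod @sec -Name SetSecurityDescriptor `
            -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor returned $($set.ReturnValue)" }
}

# Read back what the account now holds, for the change record.
(Invoke-WmiMethod @sec -Name GetSecurityDescriptor).Descriptor.DACL |
    Where-Object { $_.Trustee.SidString -eq $sid } |
    ForEach-Object { $m = $_.AccessMask
        $Rights.GetEnumerator() | Where-Object { $m -band $_.Value } | ForEach-Object Key }
```

Granting to a dedicated group rather than individual users keeps the namespace ACL short and makes the delegation easy to review or revoke later.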

