In an Active Directory environment, Dynamic File Services configures a special domain group and user in order to support the use of remote shares in a pair.
When you install the Service component on a domain controller or member server in an Active Directory environment, the installation sets up the following security features:
Creates a domain user called NDFS-servername.
Creates a domain group called Dynamic File Services Storage Rights.
Adds the NDFS-servername user to the Dynamic File Services Storage Rights group.
Gives the NDFS-servername user the right.
Sets up the Dynamic File Service to log on as the NDFS-<servername> user.
Makes the Dynamic File Services Storage Rights group a Member of the Domain Admins group.
This setup requires that the installation is done by a domain user that has local Administrator privileges and Domain Administrator rights.
The Dynamic File Services Storage Rights group is an Active Directory domain group that is used to allow Dynamic File Services to manage traffic between the Service running on the server and the remote share. In Active Directory, you must add the group to the primary share and secondary share, and grant it all permissions.
The Dynamic File Services Storage Rights group is created automatically during the installation of the Service component if the computer is a domain controller or a member server in an Active Directory environment. The group scope is and the group type is .
Members of the Dynamic File Services Storage Rights group include the NDFS-servername proxy users for the Dynamic File Services servers in the same Active Directory domain/forest. The members are automatically added to the group when the Service component is installed on a server in the domain.
A server's NDFS-servername proxy user is automatically removed as a member of the Dynamic File Services Storage Rights group if Dynamic File Services is uninstalled from the server. The group is not deleted by the uninstall unless the server’s proxy user is the only member of the group.
The Dynamic File Services Storage Rights group is a member of the Domain Admins group. This gives the group equivalent rights to the Domain Admins group. Alternatives to the default domain configuration are described in Security Implications of the Default Domain Configuration.
The NDFS-servername user is an Active Directory domain user that serves as a proxy user in communications between the Service on a server that is running Dynamic File Services and a remote share that is being used as the secondary path in a pair on that server. The user is created automatically during the installation of the Service component if the computer is a domain controller or a member server in an Active Directory environment.
The NDFS-servername proxy user is automatically added as a member of the Dynamic File Services Storage Rights group in the same domain as the server. The user is given the right. As a group member, this user automatically has the same access rights granted to the group.
The password for the NDFS-servername user is created automatically, and can be modified by using the Active Directory tool for modifying user passwords.
The default configuration gives the Dynamic File Services Storage Rights domain group equivalent rights to the Domain Admins group. In some situations, this can be undesirable. The following describes two options to tighten security:
Remove the Dynamic File Services Storage Rights group from the Domain Admins group, and give only the specific rights needed to the Dynamic File Services Storage Rights group. Then give the group share-level rights or the NTFS security rights to the share used for the primary path and the share used for the secondary path.
Delete the Dynamic File Services Storage Rights group, and add only the specific rights needed directly to the NDFS-servername proxy user. Then give the NDFS-servername user share-level rights or the NTFS security rights to the share used for the primary path and the share used for the secondary path.
Whichever approach you use, ensure that you grant the group or user the same access rights to the primary share and the secondary share.
You can manage domain groups and users by using the Active Directory Users and Computers snap-in the Microsoft Management Console. The specific rights needed are as follows:
Allow log on locally
Restore file and directories
Backup files and directories
Load and unload device drivers
Log on as a service
Manage auditing and security log
Take ownership of files or other objects