Configure Access Based Enumeration on Windows Server 2016

By default, when user open some shared network folder, SMB displays full list of files and folders on it (of course only if user have permission to access share). Access Based Enumeration (ABE) allows you to hide specific files and folders for user who don’t have access permission.

Access Based Enumeration is available on Windows platform since Windows Server 2003 SP1 and helps to prevent users from seeing files and folders.

Access Based Enumeration on Server 2016

By default, the process of accessing to the network folder performed as follows:

  1. The user connects to the server and requests access to the shared folder.
  2. LanmanServer service on the server (responsible for sharing files and folders) checks if the user have NTFS permissions to read/list the folder content. If access is available, the service returns a list of all the files and folders contained in it.
  3. Next user selects a file or folder and tries to open it.
  4. The server checks if the user has the necessary access rights. If a user have necessary permissions, it returned desired item. If user have no rights – an access denied error returns.

According to this algorithm, the server at first returns the user a list of all the folder contents, and checks access rights to individual files and folder only when user tries to access them.

READ ALSO  Converting CRT to PEM Format

Then using ABE, the user will be shown only those resources for which he has the necessary rights: List contents for a folders or Read for individual files.

Some ABE features:

  • ABE controls only list of the contents in a shared folder, but does not hide the list of shared folders from the users. Therefore, when a user connects to the server, he will see all shared folders. If you need to create a hidden share, you can simply add the character $ to its name, for example ShareName$.
  • ABE doesn’t work when user logged locally or by connecting via RDP.
  • Members of the local Administrators group always see the full list of the folder contents.

ABE is enabled for each folder individually. To configure ABE, open Server Manager console and select role File and Storage Services.

Note. To enable Access Based Enumeration, File and Storage Services role must be installed on the server.

access based enumeration server 2016

Then, go to Shares section and choose from list a network folder, for which it is necessary to enable ABE. Right click on it and select its Properties.

access based enumeration server 2019

Then in the properties of the share switch to Settings tab and put the check box on Enable access based enumeration option.

READ ALSO  Install a Self-signed certificate by using Group Policy

enable access based enumeration 2016

Also, you can enable access-based enumeration on a network share using PowerShell cmdlet Set-SmbShare using a simple command:

Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased

access based enumeration 2016

If you manage public folders settings centrally through Group Policy (Computer Configuration -> Preferences -> Windows Settings -> Network Shares), you can enable ABE in the share properties.

server 2016 access based enumeration

As for example – here is a content of a network folder with the enabled ABE for the server administrator:

access based enumeration windows 2016

And this is how it looks for the average user.

server 2019 access based enumeration

Thus, the ABE technology makes life easier for both Users and Administrators. The redundant information in the network folders are not displayed for User and Administrator no longer has to answer questions about the lack of access.

However, Access Based Enumeration has a small lack – an additional server load. The load depends on the number of users per server and the number of objects in the shares. During heavy load the speed of folder opening may significantly decrease.

Cyril Kardashevsky
Latest posts by Cyril Kardashevsky (see all)
READ ALSO  How to Set Up Static IP Address in Windows 10?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.