Access-based Enumeration

Applies To: Windows Server 2003 with SP1

Access-based Enumeration is a new feature included with Windows Server 2003 Service Pack 1. This feature allows users of Windows Server 2003–based file servers to list only the files and folders to which they have access when browsing content on the file server. This eliminates user confusion that can be caused when users connect to a file server and encounter a large number of files and folders that they cannot access.

What does Access-based Enumeration do?

Access-based Enumeration filters the list of available files and folders on a server to include only those that the requesting user has access to.

Who does this feature apply to?

This feature applies to:

  • Domain-joined computers.

  • IT professionals who want to control the user’s experience.

Detailed description

Access-based Enumeration allows users to see only files and folders that they have access to on a file server. This feature is not enabled by default.

To enable this feature, a property must be set on each file share that should use access-based enumeration. To enable this feature on your server, you can download a shell extension that provides both a graphical user interface for enabling access-based enumeration and a command-line interface for managing this feature. When this download is installed, a wizard runs that can automatically enable Access-based Enumeration on the shared folders on your computer. This download includes a whitepaper that provides further details about the shell extension, the command-line interface, and the NetShareSetInfo application programming interface (API). This download is available on the Microsoft Download Center at https://go.microsoft.com/fwlink/?LinkId=46228.

If you want to develop a tool yourself, you can use the NetShareSetInfo API; the Access-based Enumeration property of a share is set through this API. For more information about the NetShareSetInfo API, see the Platform SDK and the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=46511. To enable Access-based Enumeration, you set a flag in the SHARE_INFO_1005 structure that you pass to NetShareSetInfo. For more information about the SHARE_INFO_1005 structure, see the Platform SDK and the MSDN Web site at https://go.microsoft.com/fwlink/?LinkId=45504.

The new flag to enable Access-based Enumeration is

#define SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS  0x0800

This flag is only applicable to Windows Server 2003 Service Pack 1 and will have no effect on other versions of the Windows operating system.

After the feature is enabled, a directory listing of that share shows only the content that the user has access to.
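The following C program is an added example, not code from the article or from Microsoft's download, showing how the NetShareSetInfo API and the SHARE_INFO_1005 structure described above fit together: it reads a share's current shi1005_flags with NetShareGetInfo at information level 1005, sets or clears SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS without disturbing any other flag, writes the result back with NetShareSetInfo, and can also just report whether a share enforces namespace access (useful when auditing which shares on a file server actually have the feature turned on). The function names abe_apply, abe_is_enforced, abe_query_share and abe_set_share are the example's own; the Net API calls are compiled only under _WIN32 and link against netapi32.lib, while the flag arithmetic is portable.

```c
/* Added example (not part of the original article): manage the
 * Access-based Enumeration flag of an SMB share through the
 * NetShareGetInfo / NetShareSetInfo APIs at information level 1005.
 * Build on Windows with: cl abe.c netapi32.lib
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Flag value quoted in the article (Windows Server 2003 SP1 lmshare.h). */
#ifndef SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS
#define SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS 0x0800
#endif

/* Return shi1005_flags with the ABE bit set or cleared. Every other bit
 * in the word is preserved, so existing DFS or caching settings on the
 * share are not clobbered by the update. */
uint32_t abe_apply(uint32_t current_flags, int enable)
{
    if (enable)
        return current_flags | SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS;
    return current_flags & ~(uint32_t)SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS;
}

/* 1 if the share enforces namespace access (ABE on), otherwise 0. */
int abe_is_enforced(uint32_t flags)
{
    return (flags & SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS) != 0;
}

#ifdef _WIN32
#include <windows.h>
#include <lm.h>
#pragma comment(lib, "netapi32.lib")

/* Read the current shi1005_flags of \\server\share into *flags.
 * Returns NERR_Success or the Net API / Win32 error code. */
DWORD abe_query_share(LPWSTR server, LPWSTR share, DWORD *flags)
{
    PSHARE_INFO_1005 info = NULL;
    DWORD rc = NetShareGetInfo(server, share, 1005, (LPBYTE *)&info);
    if (rc == NERR_Success) {
        *flags = info->shi1005_flags;
        NetApiBufferFree(info);
    }
    return rc;
}

/* Enable (enable != 0) or disable ABE on \\server\share, keeping the
 * share's other flags. Requires administrative rights on the server. */
DWORD abe_set_share(LPWSTR server, LPWSTR share, int enable)
{
    SHARE_INFO_1005 info;
    DWORD parm_err = 0;
    DWORD flags = 0;
    DWORD rc = abe_query_share(server, share, &flags);
    if (rc != NERR_Success)
        return rc;
    info.shi1005_flags = abe_apply(flags, enable);
    return NetShareSetInfo(server, share, 1005, (LPBYTE)&info, &parm_err);
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    wchar_t server[256], share[256];
    DWORD flags = 0, rc;
    if (argc != 4) {
        fprintf(stderr, "usage: abe <server> <share> on|off|query\n");
        return 2;
    }
    memset(server, 0, sizeof server);
    memset(share, 0, sizeof share);
    mbstowcs(server, argv[1], 255);
    mbstowcs(share, argv[2], 255);
    if (strcmp(argv[3], "query") == 0) {
        rc = abe_query_share(server, share, &flags);
        if (rc == NERR_Success)
            printf("flags 0x%04lx, ABE enforced: %d\n",
                   (unsigned long)flags, abe_is_enforced(flags));
    } else {
        rc = abe_set_share(server, share, strcmp(argv[3], "on") == 0);
    }
    if (rc != NERR_Success)
        fprintf(stderr, "Net API error %lu\n", (unsigned long)rc);
    return rc == NERR_Success ? 0 : 1;
#else
    /* Off Windows only the flag arithmetic can run; 0x0001 below is a
     * constructed stand-in for some flag already set on the share. */
    uint32_t before = 0x0001;
    uint32_t after = abe_apply(before, 1);
    printf("flags 0x%04x -> 0x%04x, ABE enforced: %d\n",
           (unsigned)before, (unsigned)after, abe_is_enforced(after));
    (void)argc; (void)argv;
    return 0;
#endif
}
```

Running `abe fileserver01 Projects query` against every share on a server gives a quick inventory of which shares enforce the flag; `on` and `off` change it. As the article notes, the flag only has an effect on Windows Server 2003 SP1, and a query on a server that does not know the bit simply reports it as clear.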

Why is this change important?

This change is important because it allows users to see only those files and directories that they have access to and nothing else. This mitigates the scenario in which unauthorized users could otherwise see the names and layout of the contents of a directory even though they cannot open them.

What settings are added or changed in Windows Server 2003 Service Pack 1?

The SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS flag has been added to the NetShareSetInfo API. The flag enables you to turn on the Access-based Enumeration feature.