Utility Spotlight: Access-Based Enumeration
James D. Silliman, a Senior Systems Engineer at DirectApps, specializes in terminal server deployments. DirectApps architects .NET solutions for small to medium businesses, and is an Application Service Provider. He holds an MA from Colorado University. All he really needs to know about PCs he learned from Erector sets. You can reach him at firstname.lastname@example.org.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.
James D. Silliman
As a systems administrator, you've probably had users complain that they can't access certain folders they see in Windows® Explorer. The cause is often simple: the user doesn't have permission to open those resources. That's probably as it should be, but the result is often a frustrated user.
This is a problem that shouldn't exist: you should be able to hide the files and folders a user has no permission to open, so that the user never sees them in the first place. Since the release of an add-in called Access-Based Enumeration (ABE) for Windows Server® 2003 (SP1), you can do just that. Note that ABE filters the contents of a share; the share itself still appears in the server's share list.
ABE also improves security, in a limited way, by keeping users from browsing folder and file names that might themselves reveal confidential information (a client name, a project codename), and it improves productivity by showing users only the information they can actually use. You'll also receive fewer support calls from users who tried to open files they don't have permission to read. Keep the limits in mind, though: ABE only filters directory listings returned over the share. The NTFS ACL is still what grants or denies access, so a user who already knows a full path is governed by that ACL, not by whether the name was hidden, and a user who logs on to the server locally or through Terminal Services sees the unfiltered folder tree. Because the server must evaluate the ACL of every entry before returning a listing, enumerating very large folders also becomes somewhat more expensive.
How ABE Works
How does ABE perform its magic? Every file share carries a set of flags that control its behavior, and Windows Server 2003 SP1 added a new one: SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS (value 0x0800), stored in the shi1005_flags member of the SHARE_INFO_1005 structure that NetShareGetInfo and NetShareSetInfo read and write at information level 1005. When the flag is set on a share, the server filters every directory listing it returns over that share, so a user sees only the files and folders to which the NTFS ACL grants them read access. The filtering happens on the server side, so it works for any client connecting over SMB, and it does not change the ACL itself. (By the way, this process is completely independent of, and different from, the Hidden file attribute, which is just a display preference any client can override.)
The installation of ABE is straightforward. After downloading and launching the ABEUI.msi file on the target machine running Windows Server 2003 SP1, you'll be presented with a dialog that lets you choose to enable Windows Server 2003 Access-based Enumeration either on all existing shared folders on this computer or manually on individual shared folders. Enabling ABE on individual shared folders is the default during installation. If you choose the default route you'll have to access the server console and enable individual shares one by one. To do so, after the installation completes, navigate to the server shares where filtering is desired. You'll notice a new tab has been added to the properties dialog of a shared folder in Windows Explorer (see Figure 1). You can choose the global or individual ABE setting here and it will be applied to the folder in question.
Figure 1 Choosing ABE Settings
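Because the ABE add-in is only a front end for the share flag described above, you can set and verify that flag yourself from PowerShell on the file server. The following script is an added example for this article, not the ABEUI or abecmd tooling from the Microsoft download: it calls the NetShareGetInfo and NetShareSetInfo Win32 functions (netapi32.dll) at level 1005 through P/Invoke. The function names Get-AbeFlags and Set-AbeEnabled and the share name Projects are my own choices. Since the buffer at level 1005 is a single DWORD (the shi1005_flags member), it is passed as a ref uint rather than a separate structure. Run it elevated on a server at Windows Server 2003 SP1 or later.

```powershell
# Added example: read, set and read back the ABE flag on one share by driving
# the NetShareGetInfo / NetShareSetInfo APIs directly (not the ABE UI add-in).
$netapi = @'
using System;
using System.Runtime.InteropServices;

public static class NetShare
{
    // NET_API_STATUS NetShareGetInfo(servername, netname, level, &buf)
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetShareGetInfo(string serverName, string netName,
                                              uint level, out IntPtr buf);

    // At level 1005 the buffer is SHARE_INFO_1005, i.e. one DWORD shi1005_flags,
    // so a ref uint has the identical layout.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern uint NetShareSetInfo(string serverName, string netName,
                                              uint level, ref uint flags, out uint parmErr);

    [DllImport("netapi32.dll")]
    public static extern uint NetApiBufferFree(IntPtr buf);
}
'@
Add-Type -TypeDefinition $netapi

# SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS from lmshare.h; the ABE bit.
$ABE_FLAG = 0x0800

function Get-AbeFlags {
    # Returns the raw shi1005_flags value for $Share on $Server ($null = this computer).
    param([string]$Server, [string]$Share)
    $buf = [IntPtr]::Zero
    $rc = [NetShare]::NetShareGetInfo($Server, $Share, 1005, [ref]$buf)
    # 5 = ERROR_ACCESS_DENIED (not elevated), 2310 = NERR_NetNameNotFound (no such share)
    if ($rc -ne 0) { throw "NetShareGetInfo('$Share') failed, NET_API_STATUS $rc" }
    try   { return [System.Runtime.InteropServices.Marshal]::ReadInt32($buf) }
    finally { [void][NetShare]::NetApiBufferFree($buf) }   # free the buffer the API allocated
}

function Set-AbeEnabled {
    # Sets or clears the ABE bit without disturbing the other share flags
    # (DFS, client-side caching, ...), then reads it back to confirm.
    param([string]$Server, [string]$Share, [bool]$Enabled)
    $current = Get-AbeFlags -Server $Server -Share $Share
    if ($Enabled) { [uint32]$flags = $current -bor $ABE_FLAG }
    else          { [uint32]$flags = $current -band (-bnot $ABE_FLAG) }
    [uint32]$parmErr = 0
    $rc = [NetShare]::NetShareSetInfo($Server, $Share, 1005, [ref]$flags, [ref]$parmErr)
    if ($rc -ne 0) { throw "NetShareSetInfo('$Share') failed, NET_API_STATUS $rc (parm_err $parmErr)" }
    # Trust the read-back, not the return code.
    $after = Get-AbeFlags -Server $Server -Share $Share
    return (($after -band $ABE_FLAG) -ne 0)
}

# Usage on the file server itself ($null = local computer); share name is hypothetical.
$before = Get-AbeFlags -Server $null -Share 'Projects'
"Projects: shi1005_flags=0x{0:X4}, ABE currently {1}" -f $before, ((($before -band $ABE_FLAG) -ne 0))
$nowOn = Set-AbeEnabled -Server $null -Share 'Projects' -Enabled $true
"Projects: ABE enabled = $nowOn"
```

The real check, whichever tool you used to set the flag, is done from a workstation: log on as a test user who has no NTFS access to one subfolder, run dir \\server\Projects, and confirm that subfolder is absent from the listing while it still appears for an administrator. On Windows Server 2012 and later the same bit is exposed natively as Set-SmbShare -Name Projects -FolderEnumerationMode AccessBased, and Get-SmbShare reports it in the FolderEnumerationMode column.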
Test the server-wide, global setting in a lab environment first, or at least after hours, and at a minimum make sure all your data is backed up before you start. Enabling ABE on a single network share, by contrast, is simple and low-risk, since it only sets a flag on that share and can be cleared the same way. Whichever route you take, verify the result from a workstation by listing the share as a test user with limited NTFS rights and confirming that the restricted folders no longer appear.
If you want to enable ABE through Group Policy so you can manage it globally on many servers at once, there are a number of third-party extensions that enable this functionality.
There are three different versions of ABE, for the x86, x64, and ia64 platforms. You can choose either a graphical or command-line interface, plus there is a Windows API for customizing it further. Downloads for all versions of ABE are available at the Microsoft® Download URL that I mentioned earlier. For detailed information on ABE, read abewhitepaper.doc, which is included with the download.