Access Based Enumeration (ABE) and down folder permissions

chealey asked
Medium Priority
Last Modified: 2008-04-15

You have Windows 2003 with SP1 for server01.  It has share1 with Access
Based Enumeration enabled.  You have setup four departments with a
folder per department on the share and members of each department can
see their department's folder and work within that folder.


        \Human Resources
                Access granted to: Theresa and Deb
        \Information Technology
                Access granted to: Jeff and Andy
                Access granted to: Mark
                Access granted to: Kim and Carolyn


The Sales department is working on a new project that will require
Marketing's assistance.  The Sales department has a folder in their
folder named "Projects".


They would like to create a folder named "2006 Campaign" and grant
Mark in Marketing access to use that folder.

\\Server01\Share1\Sales\Projects\2006 Campaign

Ideally you would like it so once they add the permissions the Sales
folder appears to Mark.  Then Mark would be able to open the Sales
folder and only see the Projects folder.  Inside that he would only see
the "2006 Campaign" folder.  Can and how would this be achieved?

I have discovered a partial solution.  If at the top level (either
share or each folder under the share) you add the "Everybody" or
"Domain Users" group and grant the "List Folder Contents"
option and then force that down it almost works.  The users are then
able to see the files that they were granted access to.  The problem is
they see all folders and the tree structure.  In the scenario above
they would see every folder in every directory, whether they have
access to a file in that folder or not.  I would like to "hide"
anything they have not been granted access to.  So until Kim granted
Mark access to the "2006 Campaign" folder he would not have even
seen the Sales folder.  Additionally, once she removed his access, the
Sales folder would disappear.

With Access Based Enumeration I would imagine this would be possible.

What you said in that last paragraph is just how it works (at least in my explorations).

ABE is basically like Novell's "List Folders/Files" rights.  If you don't have that right, you don't see the folder.

I understand what you are trying to accomplish, but it simply doesn't work that way, that I can figure out.

You'd probably have to just create a share at the root level for them, or you might be able to try something like a shortcut in the Marketing folder that points to the full UNC path of \\Server01\Share1\Sales\Projects\2006 Campaign.  That might get them there.

You can assign the Marketing group READ-ONLY rights on the Sales root folder, but before applying go to the Advanced button and select "This folder only" from the drop down list.

Repeat that for the Projects folder.

The marketing group will now only see the folders they need access to, ABE restricts them from viewing the other folders in the Sales folder.

Albeit not automatically, this will do what you want. Not as nice as Novell's implementation of it, ABE still needs some work.


Let me try to clear things up a bit . . . The problem is that we are just trying to do one share - one entry point for all possible folders that are below that point that a user would be assigned access. We do not want to manage many shares or root mappings as there would be nearly an infinite amount of combinations.

In NetWare let's say that there was a Departmental Share folder on Vol1 - this is where we would map root the S: drive to. In that folder we would have our departments listed as folders and have like named groups assigned to have access to those folders. Now a member of the Sales group opens their S: Drive and only sees the Sales folder. Should that person later be given access to a file in Marketing - let's say it is a few levels down - vol1\Departmental Share\marketing\2006\april\new widget\bigshow.ppt. Now when he opens the S: Drive he will now see the Marketing folder but not HR or any other folders, inside of that he will see the 2006 Folder but not 2005 or other files and folders, and inside of that he will see only April and so on.

That same scenario above now with Microsoft and Access Based Enumeration the user would see all the departmental folders and when he opens the Marketing folder he will see the entire folder structure of Marketing but no files nor will he have access to the folders i.e. 2005, 2004, clients, etc. When he opens S:\marketing\2006\ he will see January, February, and March and if he was to try to open those he would be denied access. Any files that would be there are still hidden but then when he opens April's folder he will see all folders there such as small widget, big widget, old widget, etc. NetWare would only show you what you need to see to get to the objects that you have access to with nothing needed done access-wise to parent folders - a reverse inheritance if you will.

To get here we had to add List Folder Contents to the Everyone object (actually we left that and removed the Read & Read and Execute Permissions) - otherwise the default would also show files but would deny access. If we remove the everyone object then the user would not see anything unless they were explicitly given access to the department folder even though they were assigned full access to a folder below (say the new widget folder in the NetWare example) - there does not seem to be that 'reverse inheritance' logic with Access Based Enumeration - or I am thinking too NetWare-like still?

We are quite large and expect that there are going to be MANY files and folders but would like to limit the scope of what is seen to the people outside the department. It is good that it is secure but to some it would be overwhelmingly confusing to see that many objects.

Agreed, complex folder structures can be a PITA.

Access-based enumeration is (unfortunately) strictly about showing what you have access to - it still doesn't solve the reverse inheritance issue.
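The manual workaround the thread settles on (a "This folder only" read grant on each parent between the share root and the target folder, the real working permission on the target, and the chain unwound again when access is revoked) as an added PowerShell example. This is not code from the thread, from Microsoft or from the ABE download; the C:\Share1 test root, the CONTOSO\Mark account and the function names are constructed placeholders. It sets NTFS permissions only: ABE itself is a share-level switch (on Windows Server 2012 and later, Set-SmbShare -Name Share1 -FolderEnumerationMode AccessBased), and the script needs PowerShell 5 or later for the using namespace statement and [type]::new() syntax.

```powershell
# Added example (not code from the thread). Automates the "This folder only"
# traversal grants described in the answers: each folder between the share
# root and the target gets list/traverse on that folder only, the target gets
# a Modify grant that inherits downward, and revocation unwinds the chain
# bottom-up. With ABE enabled on the share, the user then sees only that chain.
# Placeholders (constructed, not from the original post): C:\Share1 stands in
# for \\Server01\Share1, CONTOSO\Mark for the grantee.
# Requires PowerShell 5+ (using namespace, [type]::new()).
# ABE itself is a share setting: Set-SmbShare -Name Share1 -FolderEnumerationMode AccessBased

using namespace System.Security.AccessControl

function New-FolderAce {
    param([string]$Identity, [FileSystemRights]$Rights, [bool]$Inherit)
    # "This folder only" is InheritanceFlags None; the working folder instead
    # gets ContainerInherit + ObjectInherit so new subfolders and files pick it up.
    $inh = [InheritanceFlags]::None
    if ($Inherit) { $inh = [InheritanceFlags]'ContainerInherit, ObjectInherit' }
    [FileSystemAccessRule]::new($Identity, $Rights, $inh,
        [PropagationFlags]::None, [AccessControlType]::Allow)
}

function Get-PathAncestors {
    param([string]$Root, [string]$Target)
    # Folders strictly between $Root and $Target, nearest the root first, e.g.
    # Sales and Sales\Projects for Sales\Projects\2006 Campaign. The share root
    # itself is left alone: department users can already list it (Everyone has
    # List Folder Contents there in the asker's setup).
    $root   = (Resolve-Path $Root).Path.TrimEnd('\')
    $target = (Resolve-Path $Target).Path.TrimEnd('\')
    if (-not $target.StartsWith($root + '\', 'OrdinalIgnoreCase')) {
        throw "$Target is not below $Root"
    }
    $parts = $target.Substring($root.Length + 1).Split('\')
    $acc = $root
    for ($i = 0; $i -lt $parts.Length - 1; $i++) {
        $acc = Join-Path $acc $parts[$i]
        $acc
    }
}

function Remove-IdentityAces {
    param([string]$Path, [string]$Identity)
    # Strip only explicit (non-inherited) ACEs for this identity on one folder.
    $acl  = Get-Acl -Path $Path
    $mine = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
    foreach ($ace in $mine) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-AbePath {
    param([string]$Root, [string]$Target, [string]$Identity)
    # Read & Execute on a directory with no inheritance is the GUI's
    # "Read / List Folder Contents" applied to "This folder only".
    foreach ($dir in Get-PathAncestors -Root $Root -Target $Target) {
        $acl = Get-Acl -Path $dir
        $acl.AddAccessRule((New-FolderAce -Identity $Identity -Rights ReadAndExecute -Inherit $false))
        Set-Acl -Path $dir -AclObject $acl
    }
    $acl = Get-Acl -Path $Target
    $acl.AddAccessRule((New-FolderAce -Identity $Identity -Rights Modify -Inherit $true))
    Set-Acl -Path $Target -AclObject $acl
}

function Revoke-AbePath {
    param([string]$Root, [string]$Target, [string]$Identity)
    Remove-IdentityAces -Path $Target -Identity $Identity
    $chain = @(Get-PathAncestors -Root $Root -Target $Target)
    [array]::Reverse($chain)
    foreach ($dir in $chain) {
        # Keep the traversal ACE (and everything above it) while the identity
        # still holds an explicit grant somewhere beneath this folder.
        $stillNeeded = Get-ChildItem -Path $dir -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object { (Get-Acl -Path $_.FullName).Access | Where-Object {
                -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } }
        if ($stillNeeded) { break }
        Remove-IdentityAces -Path $dir -Identity $Identity
    }
}

# Usage with the constructed paths:
# Grant-AbePath  -Root 'C:\Share1' -Target 'C:\Share1\Sales\Projects\2006 Campaign' -Identity 'CONTOSO\Mark'
# Revoke-AbePath -Root 'C:\Share1' -Target 'C:\Share1\Sales\Projects\2006 Campaign' -Identity 'CONTOSO\Mark'
```

The revocation check matters for the behaviour the asker wants: the Sales folder disappears from Mark's view only once no explicit ACE for him remains anywhere below it, so a second project he still works on under Sales\Projects keeps the chain intact. Because this is still ordinary NTFS ACL work and not the "reverse inheritance" NetWare provided, audit the share with Get-Acl after each run rather than trusting the script blindly.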

Guess that won't be until NTFS version 6 or whatever Microsoft's cooking up.

It took them... uh... 8 years since NTFS4 to build something like ABE. Novell's had this feature since the dawn of mankind.

Novell's had this feature because of a distributed directory across the servers.  It was too "hardware intensive" to get it to work in Windows land before because of the fact that Windows uses centralized domain controllers.

Thanks for the points!