Access Based Enumeration (ABE) and down folder permissions


You have Windows Server 2003 with SP1 on server01.  It has share1 with Access
Based Enumeration enabled.  You have set up four departments with a
folder per department on the share, and members of each department can
see their department's folder and work within that folder.


        \Human Resources
                Access granted to: Theresa and Deb
        \Information Technology
                Access granted to: Jeff and Andy
        \Marketing
                Access granted to: Mark
        \Sales
                Access granted to: Kim and Carolyn


The Sales department is working on a new project that will require
Marketing's assistance.  The Sales department has a folder in their
folder named "Projects".


They would like to create a folder named "2006 Campaign" and grant
Mark in Marketing access to use that folder.

\\Server01\Share1\Sales\Projects\2006 Campaign

Ideally you would like it so once they add the permissions the Sales
folder appears to Mark.  Then Mark would be able to open the Sales
folder and only see the Projects folder.  Inside that he would only see
the "2006 Campaign" folder.  Can and how would this be achieved?

I have discovered a partial solution.  If at the top level (either
share or each folder under the share) you add the "Everybody" or
"Domain Users" group and grant the "List Folder Contents"
option and then force that down it almost works.  The users are then
able to see the files that they were granted access to.  The problem is
they see all folders and the tree structure.  In the scenario above
they would see every folder in every directory, whether they have
access to a file in that folder or not.  I would like to "hide"
anything they have not been granted access to.  So until Kim granted
Mark access to the "2006 Campaign" folder he would not have even
seen the Sales folder.  Additionally, once she removed his access, the
Sales folder would disappear.

With Access Based Enumeration I would imagine this would be possible.
What you said in that last paragraph is just how it works (at least in my explorations).

ABE is basically like Novell's "List Folders/Files" rights.  If you don't have that right, you don't see the folder.

I understand what you are trying to accomplish, but it simply doesn't work that way, that I can figure out.

You'd probably have to just create a share at the root level for them, or you might be able to try something like a shortcut in the Marketing folder that points to the full UNC path of \\Server01\Share1\Sales\Projects\2006 Campaign.  That might get them there.
You can assign the Marketing group READ-ONLY rights on the Sales root folder, but before applying go to the Advanced button and select "This folder only" from the drop down list.

Repeat that for the Projects folder.

The marketing group will now only see the folders they need access to, ABE restricts them from viewing the other folders in the Sales folder.

Albeit not automatically, this will do what you want. Not as nice as Novell's implementation of it, ABE still needs some work.
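The procedure in the answer above (Read-only with "This folder only" on each parent, real rights on the target), as an added PowerShell example rather than anything posted in the thread. It assumes the share \\Server01\Share1 is backed by the local path D:\Share1, that the account CONTOSO\Mark exists, and that the script is run on the file server with rights to change ACLs; all three are assumptions, adjust them to your environment. It generalizes the two manual steps by walking every folder between the target and the share root, and it can undo its own grants with -Revoke.

```powershell
# Added example, not from the original thread. Grants a principal access to a
# folder deep under an ABE-enabled share and adds "This folder only" read ACEs
# on each parent so ABE shows only the path to that folder. All paths and
# account names below are assumptions for illustration.
param(
    [string]$ShareRoot = 'D:\Share1',                            # local path behind \\Server01\Share1 (assumed)
    [string]$Target    = 'D:\Share1\Sales\Projects\2006 Campaign',
    [string]$Principal = 'CONTOSO\Mark',                         # domain\user or group (assumed)
    [switch]$Revoke                                              # remove the same ACEs instead of adding them
)

$ErrorActionPreference = 'Stop'

# Target folder: Modify, inherited by everything created below it.
$targetRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

# Each parent between the target and the share root: ReadAndExecute with
# InheritanceFlags None, which is what the GUI calls "This folder only".
# Because the ACE does not propagate, sibling folders stay unreadable and
# ABE keeps hiding them.
$parentRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

function Set-Ace {
    param([string]$Path, $Rule, [bool]$Remove)
    $acl = Get-Acl -LiteralPath $Path
    if ($Remove) { $null = $acl.RemoveAccessRule($Rule) } else { $acl.AddAccessRule($Rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
    $verb = if ($Remove) { 'revoke' } else { 'grant' }
    '{0,-7} {1,-15} {2}' -f $verb, $Rule.FileSystemRights, $Path
}

# Collect the parents of the target, stopping at (and excluding) the share root.
$root    = (Resolve-Path -LiteralPath $ShareRoot).Path.TrimEnd('\')
$parents = @()
$current = Split-Path -Parent (Resolve-Path -LiteralPath $Target).Path
while ($current.TrimEnd('\') -ne $root) {
    if ($current.Length -le $root.Length) { throw "$Target is not under $ShareRoot" }
    $parents += $current
    $current  = Split-Path -Parent $current
}

# Apply (or remove) the ACEs: the target first, then each parent up to the root.
Set-Ace -Path $Target -Rule $targetRule -Remove $Revoke.IsPresent
foreach ($dir in $parents) { Set-Ace -Path $dir -Rule $parentRule -Remove $Revoke.IsPresent }
```

Save it as a .ps1 and run it once per grant, e.g. `.\Grant-AbePath.ps1 -Target 'D:\Share1\Sales\Projects\2006 Campaign' -Principal 'CONTOSO\Mark'`; afterwards Mark sees Sales, then only Projects, then only 2006 Campaign. Two caveats a practitioner should check first: do not combine this with the "Everyone: List Folder Contents" ACE from the question, because that inheritable ACE makes every folder readable again and ABE will show the whole tree; and -Revoke removes the "This folder only" ACEs on the parents unconditionally, so if the same principal was granted a second folder under the same parents, revoke only the target ACE by hand or re-run the grant for the remaining folder.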

chealey (Author) commented:
Let me try to clear things up a bit . . . The problem is that we are just trying to do one share - one entry point for all possible folders that are below that point that a user would be assigned access to. We do not want to manage many shares or root mappings, as there would be a nearly infinite number of combinations.

In NetWare, let's say that there was a Departmental Share folder on Vol1 - this is where we would map root the S: drive to. In that folder we would have our departments listed as folders and have like-named groups assigned to have access to those folders. Now a member of the Sales group opens their S: drive and only sees the Sales folder. Should that person later be given access to a file in Marketing - let's say it is a few levels down - vol1\Departmental Share\marketing\2006\april\new widget\bigshow.ppt. Now when he opens the S: drive he will see the Marketing folder but not HR or any other folders, inside of that he will see the 2006 folder but not 2005 or other files and folders, and inside of that he will see only April, and so on.

That same scenario above now with Microsoft and Access Based Enumeration the user would see all the departmental folders and when he opens the Marketing folder he will see the entire folder structure of Marketing but no files nor will he have access to the folders i.e. 2005, 2004, clients, etc. When he opens S:\marketing\2006\ he will see January, February, and March and if he was to try to open those he would be denied access. Any files that would be there are still hidden but then when he opens April's folder he will see all folders there such as small widget, big widget, old widget, etc. NetWare would only show you what you need to see to get to the objects that you have access to with nothing needed done access-wise to parent folders - a reverse inheritance if you will.

To get here we had to add List Folder Contents to the Everyone object (actually we left that and removed the Read & Read and Execute permissions) - otherwise the default would also show files but would deny access. If we remove the Everyone object then the user would not see anything unless they were explicitly given access to the department folder, even though they were assigned full access to a folder below (say the new widget folder in the NetWare example) - there does not seem to be that 'reverse inheritance' logic with Access Based Enumeration - or am I thinking too NetWare-like still?

We are quite large and expect that there are going to be MANY files and folders, but would like to limit the scope of what is seen to the people outside the department. It is good that it is secure, but to some it would be overwhelmingly confusing to see that many objects.

Agreed, complex folder structures can be a PITA.

Access-based enumeration is (unfortunately) strictly about showing what you have access to - it still doesn't solve the reverse inheritance issue.

Guess that won't be until NTFS version 6 or whatever Microsoft's cooking up.
It took them... uh... 8 years since NTFS4 to build something like ABE. Novell's had this feature since the dawn of mankind.
Novell's had this feature because of a distributed directory across the servers.  It was too "hardware intensive" to get it to work in Windows land before because of the fact that Windows uses centralized domain controllers.
Thanks for the points!