Access Based Enumeration (ABE) and down folder permissions

Posted on 2006-04-03
Medium Priority
Last Modified: 2008-04-15

You have Windows 2003 with SP1 for server01.  It has share1 with Access
Based Enumeration enabled.  You have setup four departments with a
folder per department on the share and members of each department can
see their department's folder and work within that folder.


        \Human Resources
                Access granted to: Theresa and Deb
        \Information Technology
                Access granted to: Jeff and Andy
                Access granted to: Mark
                Access granted to: Kim and Carolyn


The Sales department is working on a new project that will require
Marketing's assistance.  The Sales department has a folder in their
folder named "Projects".


They would like to create a folder named "2006 Campaign" and grant
Mark in Marketing access to use that folder.

\\Server01\Share1\Sales\Projects\2006 Campaign

Ideally you would like it so once they add the permissions the Sales
folder appears to Mark.  Then Mark would be able to open the Sales
folder and only see the Projects folder.  Inside that he would only see
the "2006 Campaign" folder.  Can and how would this be achieved?

I have discovered a partial solution.  If at the top level (either
share or each folder under the share) you add the "Everybody" or
"Domain Users" group and grant the "List Folder Contents"
option and then force that down it almost works.  The users are then
able to see the files that they were granted access to.  The problem is
they see all folders and the tree structure.  In the scenario above
they would see every folder in every directory, whether they have
access to a file in that folder or not.  I would like to "hide"
anything they have not been granted access to.  So until Kim granted
Mark access to the "2006 Campaign" folder he would not have even
seen the Sales folder.  Additionally, once she removed his access, the
Sales folder would disappear.

With Access Based Enumeration I would imagine this would be possible
Question by:chealey
  • 3
  • 2
LVL 23

Assisted Solution

TheCleaner earned 248 total points
ID: 16360842
What you said in that last paragraph is just how it works (at least in my explorations).

ABE is basically like Novell's "List Folders/Files" rights.  If you don't have that right, you don't see the folder.

I understand what you are trying to accomplish, but it simply doesn't work that way, that I can figure out.

You'd probably have to just create a share at the root level for them, or you might be able to try something like a shortcut in the Marketing folder that points to the full UNC path of \\Server01\Share1\Sales\Projects\2006 Campaign.  That might get them there.
LVL 12

Accepted Solution

Rant32 earned 252 total points
ID: 16361150
You can assign the Marketing group READ-ONLY rights on the Sales root folder, but before applying go to the Advanced button and select "This folder only" from the drop down list.

Repeat that for the Projects folder.

The marketing group will now only see the folders they need access to, ABE restricts them from viewing the other folders in the Sales folder.

Albeit not automatically, this will do what you want. Not as nice as Novell's implementation of it, ABE still needs some work.

Author Comment

ID: 16361188
Let me try to clear things up a bit . . . The problem is that we are just trying to do one share - one entry point for all possible folders that are below that point that a user would be assigned access. We do not what to manage many shares or root mappings as there would be nearly and infinte amount of combinations.

In NetWare let's say that there was a Departmental Share folder on Vol1 - this is where we would map root the S: drive to. In that folder we would have our departments listed as folders and have like named groups assigned to have access to those folders. Now a memebr of the Sales group opens thier S: Drive and only sees the Sales folder. Should that person later be given access to a file in Marketing - let say it is a few levels down - vol1\Departmental Share\marketing\2006\april\new widget\bigshow.ppt. Now when he opens the S: Drive he will now see the Marketing folder but not HR or any other folders, inside of that he will see the 2006 Folder but not 2005 or other files and folders, and inside of that he will see only April and so on.

That same scenario above now with Microsoft and Access Based Enumeration the user would see all the departmental folders and when he opens the Marketing folder he will see the entire folder structure of Marketing but no files nor will he have access to the folders i.e. 2005, 2004, clients, etc. When he opens S:\marketing\2006\ he will see January, February, and March and if he was to try to open those he would be denied access. Any files that would be there are still hidden but then when he opens April's folder he will see all folders there such as small widget, big widget, old widget, etc. NetWare would only show you what you need to see to get to the objects that you have access to with nothing needed done access-wise to parent folders - a reverse inheritance if you will.

To get here we had to add List Folder Contents to the Everyone object (actually we left that and removed the Read & Read and Execute Permissions) - otherwise the default would also show files but would deny access. If we remove the everyone object then the user would not see anything unless they were explicitly given access to the department folder even though they were assigend full acces to a folder below (say the new widget folder in the NetWare example) - there does not seem to be that 'reverse inhertance' logic with Access Based Enumeration - or I am thinking too NetWare-like still?

We are quite large and expect that there are going to be MANY files and folders but would like to limit the scope of what is seen to the people outside the department. It is good that it is secure but to some it would be overwelmingly confusing to see that many objects.
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

LVL 12

Expert Comment

ID: 16361408
Agreed, complex folder structures can be a PITA.

Access-based enumeration is (unfortunately) strictly about showing what you have access to - it still doesn't solve the reverse inheritance issue.

Guess that won't be until NTFS version 6 or whatever Microsoft's cooking up.
It took them... uh... 8 years since NTFS4 to build something like ABE. Novell's had this feature since the dawn of mankind.
LVL 23

Expert Comment

ID: 16361450
Novell's had this feature because of a distributed directory across the servers.  It was too "hardware intensive" to get it to work in Windows land before because of the fact that Windows uses centralized domain controllers.
LVL 23

Expert Comment

ID: 16445672
Thanks for the points!

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question