Access Based Enumeration (ABE) and down folder permissions

Posted on 2006-04-03
Last Modified: 2008-04-15

You have Windows Server 2003 with SP1 on server01.  It has share1 with Access
Based Enumeration enabled.  You have set up four departments with a
folder per department on the share, and members of each department can
see their department's folder and work within that folder.


        \Human Resources
                Access granted to: Theresa and Deb
        \Information Technology
                Access granted to: Jeff and Andy
        \Marketing
                Access granted to: Mark
        \Sales
                Access granted to: Kim and Carolyn


The Sales department is working on a new project that will require
Marketing's assistance.  The Sales department has a folder in their
folder named "Projects".


They would like to create a folder named "2006 Campaign" and grant
Mark in Marketing access to use that folder.

\\Server01\Share1\Sales\Projects\2006 Campaign

Ideally you would like it so once they add the permissions the Sales
folder appears to Mark.  Then Mark would be able to open the Sales
folder and only see the Projects folder.  Inside that he would only see
the "2006 Campaign" folder.  Can and how would this be achieved?

I have discovered a partial solution.  If at the top level (either
share or each folder under the share) you add the "Everybody" or
"Domain Users" group and grant the "List Folder Contents"
option and then force that down it almost works.  The users are then
able to see the files that they were granted access to.  The problem is
they see all folders and the tree structure.  In the scenario above
they would see every folder in every directory, whether they have
access to a file in that folder or not.  I would like to "hide"
anything they have not been granted access to.  So until Kim granted
Mark access to the "2006 Campaign" folder he would not have even
seen the Sales folder.  Additionally, once she removed his access, the
Sales folder would disappear.

With Access Based Enumeration I would imagine this would be possible.
Question by:chealey
    LVL 23

    Assisted Solution

    What you said in that last paragraph is just how it works (at least in my explorations).

    ABE is basically like Novell's "List Folders/Files" rights.  If you don't have that right, you don't see the folder.

    I understand what you are trying to accomplish, but it simply doesn't work that way, that I can figure out.

    You'd probably have to just create a share at the root level for them, or you might be able to try something like a shortcut in the Marketing folder that points to the full UNC path of \\Server01\Share1\Sales\Projects\2006 Campaign.  That might get them there.
    LVL 12

    Accepted Solution

    You can assign the Marketing group READ-ONLY rights on the Sales root folder, but before applying go to the Advanced button and select "This folder only" from the drop down list.

    Repeat that for the Projects folder.

    The marketing group will now only see the folders they need access to, ABE restricts them from viewing the other folders in the Sales folder.

    Albeit not automatically, this will do what you want. Not as nice as Novell's implementation of it, ABE still needs some work.
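The accepted answer's chain of "this folder only" read entries, as an added example that is not from the thread (the original environment is Windows Server 2003 SP1 with the ABE add-on; the PowerShell, Get-Acl/Set-Acl approach, the local path D:\Share1, the domain CONTOSO and the group CONTOSO\Marketing are all assumptions made here). Each parent on the way to the target folder gets a non-inherited read ACE, and only the target itself gets an inherited Modify ACE, so under ABE the group sees Sales, then only Projects inside it, then only "2006 Campaign" inside that:

```powershell
# Added example, not code from the thread. Implements the accepted answer's
# "read on This folder only" chain with Set-Acl so that, under ABE, the
# Marketing group sees only Sales -> Projects -> "2006 Campaign".
# Assumptions (not stated in the thread): Share1 is D:\Share1 on the server,
# the domain is CONTOSO and the group is CONTOSO\Marketing.

$ShareRoot = 'D:\Share1'
$Group     = 'CONTOSO\Marketing'
$Target    = Join-Path $ShareRoot 'Sales\Projects\2006 Campaign'

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $ctorArgs = @($Identity, $Rights, $Inherit,
                  [System.Security.AccessControl.PropagationFlags]::None,
                  [System.Security.AccessControl.AccessControlType]::Allow)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $ctorArgs
}

# Every folder from the first level under the share root down to the leaf,
# e.g. D:\Share1\Sales, D:\Share1\Sales\Projects, D:\Share1\...\2006 Campaign
function Get-PathChain {
    param([string]$Root, [string]$Leaf)
    $relative = $Leaf.Substring($Root.Length).TrimStart('\')
    $current  = $Root
    foreach ($part in ($relative -split '\\')) {
        $current = Join-Path $current $part
        $current
    }
}

function Grant-PathVisibility {
    param([string]$Root, [string]$Leaf, [string]$Identity)
    foreach ($folder in (Get-PathChain -Root $Root -Leaf $Leaf)) {
        $acl = Get-Acl -Path $folder
        if ($folder -eq $Leaf) {
            # The folder the group actually works in: Modify, inherited by
            # the files and subfolders beneath it.
            $ace = New-Ace $Identity 'Modify' 'ContainerInherit, ObjectInherit'
        } else {
            # Each parent (Sales, Sales\Projects): read on "This folder only",
            # i.e. InheritanceFlags None, so the group can list the folder
            # but sibling folders and files stay unreadable and ABE hides them.
            $ace = New-Ace $Identity 'ReadAndExecute' 'None'
        }
        $acl.AddAccessRule($ace)
        Set-Acl -Path $folder -AclObject $acl
    }
}

function Revoke-PathVisibility {
    param([string]$Root, [string]$Leaf, [string]$Identity)
    # Caveat: this strips every Allow ACE for $Identity on each folder in the
    # chain, which makes Sales disappear again for the group. Do not use it
    # when the group has another target under Sales that relies on the same
    # parent entries; remove only the leaf ACE in that case.
    foreach ($folder in (Get-PathChain -Root $Root -Leaf $Leaf)) {
        $acl   = Get-Acl -Path $folder
        $probe = New-Ace $Identity 'ReadAndExecute' 'None'
        $acl.RemoveAccessRuleAll($probe)
        Set-Acl -Path $folder -AclObject $acl
    }
}

# Check: the explicit (non-inherited) entries for the group along the chain.
# Expected: ReadAndExecute/None on Sales and Projects, Modify with
# ContainerInherit, ObjectInherit on "2006 Campaign".
function Show-PathAces {
    param([string]$Root, [string]$Leaf, [string]$Identity)
    foreach ($folder in (Get-PathChain -Root $Root -Leaf $Leaf)) {
        (Get-Acl -Path $folder).Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited } |
            Select-Object @{n = 'Folder'; e = { $folder }}, FileSystemRights, InheritanceFlags
    }
}

Grant-PathVisibility -Root $ShareRoot -Leaf $Target -Identity $Group
Show-PathAces -Root $ShareRoot -Leaf $Target -Identity $Group | Format-Table -AutoSize
```

Two things to keep in mind when running it: share-level permissions are separate from these NTFS entries, so the group still needs at least Read on Share1 itself, and the script does nothing automatic about the "reverse inheritance" the question asks for; every new target under Sales still needs its parent chain granted (and later revoked) by hand, which is exactly the limitation the answer above describes.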
    LVL 1

    Author Comment

    Let me try to clear things up a bit . . . The problem is that we are just trying to do one share - one entry point for all possible folders below that point that a user would be assigned access to. We do not want to manage many shares or root mappings as there would be a nearly infinite number of combinations.

    In NetWare let's say that there was a Departmental Share folder on Vol1 - this is where we would map root the S: drive to. In that folder we would have our departments listed as folders and have like-named groups assigned to have access to those folders. Now a member of the Sales group opens their S: drive and only sees the Sales folder. Should that person later be given access to a file in Marketing - let's say it is a few levels down - vol1\Departmental Share\marketing\2006\april\new widget\bigshow.ppt. Now when he opens the S: drive he will see the Marketing folder but not HR or any other folders, inside of that he will see the 2006 folder but not 2005 or other files and folders, and inside of that he will see only April and so on.

    That same scenario above now with Microsoft and Access Based Enumeration the user would see all the departmental folders and when he opens the Marketing folder he will see the entire folder structure of Marketing but no files nor will he have access to the folders i.e. 2005, 2004, clients, etc. When he opens S:\marketing\2006\ he will see January, February, and March and if he was to try to open those he would be denied access. Any files that would be there are still hidden but then when he opens April's folder he will see all folders there such as small widget, big widget, old widget, etc. NetWare would only show you what you need to see to get to the objects that you have access to with nothing needed done access-wise to parent folders - a reverse inheritance if you will.

    To get here we had to add List Folder Contents to the Everyone object (actually we left that and removed the Read & Read and Execute permissions) - otherwise the default would also show files but would deny access. If we remove the Everyone object then the user would not see anything unless they were explicitly given access to the department folder even though they were assigned full access to a folder below (say the new widget folder in the NetWare example) - there does not seem to be that 'reverse inheritance' logic with Access Based Enumeration - or am I thinking too NetWare-like still?

    We are quite large and expect that there are going to be MANY files and folders but would like to limit the scope of what is seen by the people outside the department. It is good that it is secure but to some it would be overwhelmingly confusing to see that many objects.
    LVL 12

    Expert Comment

    Agreed, complex folder structures can be a PITA.

    Access-based enumeration is (unfortunately) strictly about showing what you have access to - it still doesn't solve the reverse inheritance issue.

    Guess that won't be until NTFS version 6 or whatever Microsoft's cooking up.
    It took them... uh... 8 years since NTFS4 to build something like ABE. Novell's had this feature since the dawn of mankind.
    LVL 23

    Expert Comment

    Novell's had this feature because of a distributed directory across the servers.  It was too "hardware intensive" to get it to work in Windows land before because of the fact that Windows uses centralized domain controllers.
    LVL 23

    Expert Comment

    Thanks for the points!
