Windows 2008 Access-Based Enumeration

Posted on 2012-09-08
Last Modified: 2012-09-08
I am trying to get the windows 2008 Access-Based Enumeration working with NO luck.

I have created a share using the MMC  Share and Storage Management.
Test user =  Jtesting
Domain membership  = Domain users
Provision Share
Physical location e:\Jayson
Share name =  hidden

Permissions are full control Domain Admins

When accessing the shares from a windows xp machine as user jtesting I  expect Not to see the folder  “Hidden” .  however I am seeing the folder as screen shot Folder indicates.  The test user has no access to the folder.  

So how do I prevent the users from seeing the folders.  Have I missed a step in the setup?
MMC starting pointhiddenhidden advhiddent ntfshidden sharejtesting domain membershipshared folders from workstaiton
Question by:JaysonJackson
    LVL 82

    Accepted Solution

    Access Based Enumeration does not hide the share that has ABE enabled; it hides folders inside that share for which the users has no access.
    So currently, the test user may be able to see the share, but he should not be able to access it.
    To test ABE, create a share for which the user has permissions, then create one subfolder inside that share for which he does have permissions, and one for which he does not have permissions. When the test user changes into the shared folder, he should only see the one folder he has permissions for.
    Note that "hiding" the share by adding a "$" to the share name does not hide the share, either. The "$" is the server's wish to the client(!) to not show that share when listing shared resources, but it's up to the client whether it respects this or not. There have always been tools to show those "hidden" shares, and since Windows Vista, "net view" supports the argument "/all", which will show hidden shares of a server as well.
    Note, too, that ABE will never apply to users with local administrator permissions on the machine hosting the share, even of this administrator account may not have permissions on a folder. Administrators are always exempt from ABE.

    Author Closing Comment

    Thanks for the great feedback.  this helps quite a bit. thanks again.

    Featured Post

    Do email signature updates give you a headache?

    Do you feel like all of your time is spent managing email signatures? Too busy to visit every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

    Join & Write a Comment

    Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
    Microsoft has released remote PowerShell capabilities to all commercial Office 365 customers. So you can be controlled via PowerShell and not from the Office 365 admin center Download Windows PowerShell Module for Lync Online http://www.micros…
    This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now