ABE (Access Based Enumeration) WSE2012


I have turned on the ABE on a shared folder.
Unfortunately, despite removing the selected user for the security & sharing permissions, the share is still visible to those who shouldn t see it?

Any ideas why?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

As far as my understanding goes ABE only works on NTFS permissions not on share permissions. If you don't want users to see a specific share share it hidden (using the $ sign at the end of the share name).

Also, normally, in basic NTFS security setting, the everyone group has full control on share level (or read/write) and permissions are set on NTFS level, meaning they are able to see the share.
Hi defrey,
ABE is not belonging to the sharing permissions. Only to the NTFS Security.

Here an example:

We have a share on a server : \\srv-file01\SHARE
This share contains some folders

I apply ABE on \\srv-file01\SHARE and set NTFS permission on each subfolder (USER1 for FOLDER1, USER2 for FOLDER2, ...)

I log in a client with USER1 and browse \\srv-file01\
I see  \\srv-file01\SHARE. I enter it and I see only FOLDER1

Now I share FOLDER3 with everyone full control on share permission.
I log with USER1 and browse \\srv-file01\
Now I see 2 shares : \\srv-file01\SHARE and \\srv-file01\FOLDER3
If I enter in SHARE, I always see only FOLDER1
If I try to enter in FOLDER3, I have an access denied.

Now I share FOLDER3 with only administrator full control on share permission.
I log with USER1 and its the same as previous.

So we can conclude that Share Permission doesn't have any effects on ABE.
You can hide a share with ABE if you apply ABE on a top share but the share can still been viewed when browsing the server.
If you want to hide this sub-share from browsing the server, use SUBSHARE$

Hope this makes it clear what to do to solve

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
defreyAuthor Commented:
Wow, thank you so much!

What do you mean by subshare$?
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

That means you should share the subfolders with the $. With that you can remove them from browsing the server view.
defreyAuthor Commented:
Hmmmm not sure if I understand that correctly. Could you please show me an example? Thanks
defreyAuthor Commented:
got it! : - )
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.