Viewing Accessible Shares Over Network

Is there a way to causes users to only see the Shares to which they have access when they browse to a file share server?  I realize the Access-based Enumeration  doesn't show files and folders to which they don't have access -- but I need users to not see Shares to which they have no access?  I'm migrating a file share server, and trying to find the easiest way for users to remap their shares.  They will often not recognize the names of shares they normally use.  The new file share server will be running Win 2012 R2.  I'm robocopying the files, exporting the registry for permissions -- I just need a user re-map strategy. Ideas appreciated - they could figure out right-click map if they only saw the appropriate shares.
Thanks.
apsutechteamAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Larry Struckmeyer MVPCommented:
Hi:

I puzzled over this when I first saw it but concluded it was my lack of understanding and someone else would jump in with the answer.  Since it has turned up as unanswered I have to ask what exactly is your question?   This part of your question:  I realize the Access-based Enumeration  doesn't show files and folders to which they don't have access -- but I need users to not see Shares to which they have no access?  seems to be the correct answer, even if you haven't realized it.  If the users who connect to a server and browse the share list they will not see those that they have been excluded from with ABE.  Here is one example of how to implement in Server 2012 R2

http://heineborn.com/tech/enable-access-based-enumeration-in-windows-server-2012/

So either I don't understand the question or you have not implemented ABE as described.
0
kevinhsiehCommented:
I don't let users browse shares. All of my real shares are hidden such as \\server\sharename$. I have one visible user share, and that is my domain based DFS namespace root at \\domain.local\dfs . Everything is hung off of that DFS namespace root. Here are some examples:

\\domain.local\dfs\Branch1\Users  --> \\branch1\users$
\\domain.local\dfs\Branch1\Departments   --> \\branch1\Depts$
\\domain.local\dfs\Corporate\Users  --> \\server1\users$
\\domain.local\dfs\Corporate\Departments  --> \\server2\users$
\\domain.local\dfs\Software  --> \\branch1\software$ and \\servers\software$

If you browse \\Server1, \\server2, or \\branch1 you won't see any of the shares. You would only see the SYSVOL and NETLOGON shares on the domain controllers, and you would see DFS on your namespace server(s). You can even hide the DFS namespace, so you can map to \\domain.local\dfs$\Corporate\Users, or just \\domain.local\dfs$ and users can browse to all of the shares from there.
0
McKnifeCommented:
"and users can browse to all of the shares from there" - and that is what he doesn't want. Not all shares but only accessible shares should show. But that is not possible with ABE.
0
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

Larry Struckmeyer MVPCommented:
My bad... ABE indeed will not hide shares.  The only way I know to hide shares is as kevinhsieh says, add a $ to the end of the share name.  But then you have to map a drive letter for every user to every share they actually have access to.

This has been a subject of much head scratching for as long as Windows file servers have existed.  But it is not that big a deal really as users soon forget about the ones they can't access.  Consider netlogon and sysvol... they cannot be hidden but users don't spend any time trying to access them.

If you really have a share, say "Secret Corporate Data" that is available only to the Big Wigs, add the $ to the end of the share name such as "Secret_Data$" and map a drive letter for them.  A GPO applied to the Big Wig OU would be the way to do it.  And teach them to log off when not at their desks.  This assumes, of course, that such share names that would cause users to wonder are available only to a select few users.
0
kevinhsiehCommented:
You can possibly hide DFS namespace links in my method using ABE. That would keep shares and directories hidden from Windows users. I don't think it does anything for Mac and Samba clients from 15 years ago would show the hidden$ shares.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
apsutechteamAuthor Commented:
It seems you can limit the view using DFS and Access Based Enumeration - through additionally setting the 'view' permissions in DFS.

Thanks.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.