Tech Tips

Access-based Enumeration (ABE) hide the objects (files and folders) from users who don’t have NTFS permissions on a network shared folder.

Access-based Enumeration (ABE) checks access permissions on file system objects before the user receives a list of the folder contents. All inaccessible resources are simply not displayed.

And for a user from another department, e. g., IT department (which is included in another Windows security group), a different list of subfolders is shown. In addition to the Public and Warehouse directories, this user sees 5 more directories in the same network folder.

Access-Based Enumeration Restrictions. Access-based Enumeration on Windows doesn’t work in the following cases:

1. Windows XP or Windows Server 2003 without Service Pack 1 as a file server;
2. Viewing from local server
3. Administrators group with full access

Enabling ABE on Windows Server 2008/ 2008 R2

Windows Server 2008/R2 to enable the Access Based Enumeration option no additional components need to be installed, The ABE management feature is already built into the Windows GUI. To activate Access-based Enumeration for a specific folder in Windows Server 2008/2008 R2, go to the MMC management console Share and Storage Management (Start –> Programs –> Administrative Tools -> Share and Storage Management). Check to the properties of the necessary share. Please go to the Advanced settings and verify Enable access-based enumeration.

Enable the option Activate Access-based Enumeration on Windows Server 2012 R2/ 2016

ABE configuration in the Windows Server 2012 R2 / 2016 is also very easy. To activate ABE in Windows Server 2012, we have to install File and Storage Services role, after installation go to the share properties in the Server Manager.

In Settings section check the option enable access-based enumeration.

HandlingAccess Based Enumeration Using PowerShell

We can use the SMBShare PowerShell module in Windows 10/ 8.1 and Windows Server 2016/2012 R2 to handle the settings of Access Based Enumeration for required folders. Let us list the details of a specific shared folder:

Get-SmbShareInstall|fl *

The value of the FolderEnumerationMode attribute. In this case, its showing the value is Unrestricted. Which means that ABE is disabled for this folder. Also we can check the status of ABE for all shared folders of the server:

Get-SmbShare | Select-Object Name,FolderEnumerationMode

To activate ABE for a specific folder:

Get-SmbShare Install | Set-SmbShare -FolderEnumerationModeAccessBased

You can activate Access Based Enumeration for all published network folders.

To disable ABE use the command:

Get-SmbShare Install | Set-SmbShare -FolderEnumerationMode Unrestricted

At Velan, our server support engineers can help you with core features on your server. If you are interested in our service, please fill the Quick connect form to get in touch with us.