Windows Server 2008: Access Based Enumeration
Last week during a community meeting I was talking to Kurt Roggen about all the cool new features in Windows Server 2008. While talking we came to the discussion if Access Based Enumeration (ABE) was still implemented and if we had a GUI to enable it.
Before we start talking about ABE in Windows Server 2008 I would like to set the stage and explain very briefly what ABE does.
ABE filters shared folders visible to a user based on that individual user’s access rights, preventing the display of folders or other shared resources that the user does not have rights to access.
End users see only what files and folders they need for their responsibilities rather than spending time looking through lists of inaccessible folders and files. Administrators can be more productive because they do not have to help less-skilled users navigate through dense shared folders. Administrative inefficiencies can consume resources as surely as technical problems, and minimizing time-consuming problems help make any IT organization more productive.
ABE was introduced in Windows Server 2003 SP1 as an additional install, once installed you could manage ABE through a GUI, cmd-line tool or using the API's.
Check out the details for Windows Server 2003 ABE: http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx
Now the good news is yes we still have ABE in Windows Server 2008 and we have a GUI where you can enable this. Let me explain to you how you do it:
1. Open the "Share and Storage Management" MMC and Provision a new share.
2. Follow all steps to create a share and when are at the SMB Settings window, which is shown below, click on the Advanced button.
3. In the Advanced window you are able to Enable or Disable ABE, by default it's enabled.
So basically you don't have to do anything to enable ABE on you shares. The screenshots above show you how you can create/provision a new share using the GUI. The ABE is also enabled if you create the share through the folder directly by right clicking onto the folder and select share. However if you create a share through the command prompt using the "net share" command it won't be enabled by default.
You can always enable / disable the ABE after you created the share by using the "Share and Storage Management" MMC just right click onto a share and hit the advanced button. So far I didn't found any cmd-line tool to enable or disable ABE.
