Windows Server 2008: Access Based Enumeration

Windows Server 2008: Access Based Enumeration

  • Comments 7
  • Likes

Last week during a community meeting I was talking to Kurt Roggen about all the cool new features  in Windows Server 2008. While talking we came to the discussion if Access Based Enumeration (ABE) was still implemented and if we had a GUI to enable it.

Before we start talking about ABE in Windows Server 2008 I would like to set the stage and explain very briefly what ABE does.

ABE filters shared folders visible to a user based on that individual user’s access rights, preventing the display of folders or other shared resources that the user does not have rights to access.

End users see only what files and folders they need for their responsibilities rather than spending time looking through lists of inaccessible folders and files. Administrators can be more productive because they do not have to help less-skilled users navigate through dense shared folders. Administrative inefficiencies can consume resources as surely as technical problems, and minimizing time-consuming problems help make any IT organization more productive.

ABE was introduced in Windows Server 2003 SP1 as an additional install, once installed you could manage ABE through a GUI, cmd-line tool or using the API's.

Check out the details for Windows Server 2003 ABE: http://www.microsoft.com/windowsserver2003/techinfo/overview/abe.mspx

Now the good news is yes we still have ABE in Windows Server 2008 and we have a GUI where you can enable this. Let me explain to you how you do it:

 

1. Open the "Share and Storage Management" MMC and Provision a new share.

image

2. Follow all steps to create a share and when are at the SMB Settings window, which is shown below, click on the Advanced button.

image


3. In the Advanced window you are able to Enable or Disable ABE, by default it's enabled.

image


So basically you don't have to do anything to enable ABE on you shares.  The screenshots above show you how you can create/provision a new share using the GUI. The ABE is also enabled if you create the share through the folder directly by right clicking onto the folder and select share. However if you create a share through the command prompt using the "net share" command it won't be enabled by default.

You can always enable / disable the ABE after you created the share by using the "Share and Storage Management" MMC just right click onto a share and hit the advanced button. So far I didn't found any cmd-line tool to enable or disable ABE.

image

 

Comments
  • PingBack from http://www.jedi.be/blog/2007/09/23/links-for-2007-09-23/

  • I'm having problems getting ABE on a 2003 SP2 Server to Run. Its running Standard edition.

    I installed it but can still see everything I'm not supposed to see.

  • Thanks for the article. In my experience when provisioning a share through the Share and Storage Management (or when creating a share through the Windows Explorer GUI), ABE is not enabled by default, despite what the article says (as of 8/21/2008). Perhaps this is a change in behavior in RTM.

    Strange that there's no way to set or check the ABE parameter through Windows Explorer in WS2008. In WS2003 SP1 when you installed the ABE tools, you got a new tab in the Properties screen that let you turn ABE on or off for the share. Too bad this is missing in WS2008.

  • We are use the ABE in windows 2003 SP1 but in 2008 it advance but its not work properly, means i am enable the selected share folder but till its seen to all user. So its importance that how its applicable can all client system need restart ? for applied this ABE in windows 2008 server

  • for cmd-line tool you can use abecmd.exe from ABEUI.msi for W2K3 or ShrFlgs.exe from http://www.joeware.net/win/free/tools/shrflgs.htm or http://msdn.microsoft.com/en-us/library/bb525404(VS.85).aspx  

    for your own code  

    Many greetings

    Michael

  • Arlindo - Any chance you can provide a copy of ABEUI.msi? MS links are all broken to get that file.

  • www.microsoft.com/.../details.aspx

    Michael, the link above should work.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment