John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.


Blogcast: Access Based Directory Enumeration (A Windows Server 2003 SP1 New Feature)

Find out about one of those really cool new features of Windows Server 2003 SP1, Access Based Directory Enumeration, in this latest blogcast recording. In a nutshell, ABDE causes the server to examine access rights to sub-directories on a share and show the user only those directories to which they have access. If you want to find out how this works in under 4 minutes, click here to view.

Currently there is no capability from the GUI to turn this feature on - unfortunately you'll need to use Win32 APIs. Maybe this will change at a future date, but for now you'll probably need a developer buddy to help you... :-)  They will need to know the following: the API is NetShareSetInfo, called with a buffer that points to a SHARE_INFO_1005 structure in which the flag that enables ABDE is set. The flag value for Access Based Directory Enumeration is #define SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS 0x0800.
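One way a developer could make the call described above, as an added example that is not code from the original post or from the tool used in the blogcast: it reads the share's current level-1005 flags with NetShareGetInfo, changes only the ABDE bit, and writes the result back with NetShareSetInfo so that other share flags are not cleared. The names ABDE_FLAG, abde_apply and set_share_abde are hypothetical, and the example assumes the share lives on the local server.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value the post quotes for SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS. */
#define ABDE_FLAG 0x0800u

/* Change only the ABDE bit; every other share flag comes back unchanged. */
uint32_t abde_apply(uint32_t current, int enable)
{
    return enable ? (current | ABDE_FLAG) : (current & ~ABDE_FLAG);
}

#ifdef _WIN32
#include <windows.h>
#include <lm.h>   /* link with netapi32.lib */

/* Read-modify-write of the level-1005 flags on a share of the local server.
 * Returns NERR_Success (0) or the error code from the Net API. */
static DWORD set_share_abde(wchar_t *share, int enable)
{
    PSHARE_INFO_1005 cur = NULL;
    SHARE_INFO_1005 upd;
    DWORD parm_err = 0;
    NET_API_STATUS rc = NetShareGetInfo(NULL, share, 1005, (LPBYTE *)&cur);
    if (rc != NERR_Success)
        return rc;
    upd.shi1005_flags = abde_apply(cur->shi1005_flags, enable);
    NetApiBufferFree(cur);
    return NetShareSetInfo(NULL, share, 1005, (LPBYTE)&upd, &parm_err);
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    wchar_t share[81] = {0};              /* NNLEN (80) + terminator */
    if (argc != 3 || mbstowcs(share, argv[1], 80) == (size_t)-1) {
        fprintf(stderr, "usage: %s <share> <on|off>\n", argv[0]);
        return 2;
    }
    DWORD rc = set_share_abde(share, strcmp(argv[2], "on") == 0);
    printf("share flags update status: %lu\n", (unsigned long)rc);
    return rc == NERR_Success ? 0 : 1;
#else
    (void)argc; (void)argv;
    puts("Windows-only: NetShareSetInfo is a Win32 API.");
    return 0;
#endif
}
```

Writing a SHARE_INFO_1005 that contains only 0x0800, without reading the existing flags first, would reset any other flags already set on the share.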

Update 30th March 2005 - Here's the link to be able to download the tool. I'm reliably informed that a whitepaper and the tool will be on microsoft.com soon. http://blogs.technet.com/jhoward/archive/2005/02/22/378033.aspx

So far, I haven't had any success trying to set this property through the ADSI IADsFileShare object, nor am I even sure that it is possible. If you get there before me, please let me know! Unfortunately, you can't hide shares using this mechanism - there's still just the old "$ suffix" trick. Remember, if this is important to you, you can use the Windows Server feedback site.

Edited by John: 3rd Nov 2005 - Rehosted WMV file

Comments
  • Hi, I have no knowledge as a developer so it will be great if you post or send on email the .exe file to enable this feature.

  • I've asked the author whether this is possible and will let you know when I get an answer. For now though, and to the many who sent me direct emails, unfortunately I'm not able to post this without that permission.

  • Hey John, thanks for the blog entry.

    If you don't know me, I am the joeware guy and write all sorts of tools for MS OSes.

    Anyway a conversation on activedir.org listserv prompted me to check out this blog entry which prompted me to write a command line tool to enable ABE functionality. Well actually the tool allows you to view share info and set any of the flags. You can find the tool at

    http://www.joeware.net/win/free/tools/shrflgs.htm

  • Hi Joe - yes, have seen your site in the past - there's some pretty cool stuff up there. Quick work writing that utility - thanks and a definite one to add to the toolbox especially with some of those other settings you've added. FWIW I've now got permission to upload the utility I used in the blogcast as well, but can't until Monday unfortunately :-(

  • Thanks a lot for this tool, works perfect. Again Thanks !!!!!

  • Following my blogcast in February and subsequently posting the markShareforABDE tool for download...

  • Following today's webcast on Windows Server 2003 SP1, here's the blogcast on Access Based Enumeration I...