Wednesday, 31 December 2014

ACCESS BASED ENUMERATION IN WINDOWS SERVER 2012 (ABE)

Q: What is access-based enumeration?
A: Access-based enumeration (ABE) displays only the files and folders that a user has permissions to access. It's an inbuilt feature in Windows Server 2012 that you can enable by using Share and Storage Management for the share where you want to enable it.
For example, if you enable access-based enumeration on a shared folder that contains many users' home directories (I'll guide you on how to create users' home directories in Active Directory), users who access the shared folder can see only their personal home directories; other users' folders are hidden from view. This can also be used on shares such as common areas, application areas and so on.
When planning your file server structure you should always keep in mind how you want to present the shares to the end user. If you are deploying your file server(s) in a domain with users accessing shared data in a common location, I would suggest you take advantage of ABE or DFS with a domain-based namespace.

Preliminary Steps:

- In Windows Server 2012 Server Manager, go to Add Roles and Features and install the File Server role.
- Create a folder within a drive that is going to be used as the parent folder.

Implementing ABE:

- Open Server Manager and click File and Storage Services.
- Click on Shares, point to Tasks and click New Share.
- Select SMB Share - Quick, select "Type a custom path" and browse.
- Locate where the shared folder is, click Select Folder, then Next.
- Under Share Name, give it a friendly name according to your needs and click Next.
- Under Other Settings is where you enable access-based enumeration: check it, then click Next.
- Under Permissions, click Customize permissions, then click Disable inheritance.
- Then click "Remove all inherited permissions from this object".
- Then click Add, select a principal, type administrator and click OK. Under Type select Allow, under Applies to select "This folder, subfolders and files", then under Basic permissions click Full control.
- Repeat the same procedure, but this time add Domain Admins.
- The last step is to add Domain Users, but under Applies to select "This folder only" and under Basic permissions leave the defaults. Click Apply, then OK.
- Click Next to view the summary, then click Create and Close.

ABE is now fully functional, but we need to add individual folders for domain users to that folder with appropriate permissions so that a user can only see the folder they are permitted to access.
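
The wizard steps above, scripted in PowerShell as an added example (not part of the original post). The path `D:\UserData`, the `CONTOSO` domain name, the share-level permissions and reading "administrator" as the domain Administrator account are assumptions; `UserData` is the share name from the UNC path used later in the post.

```powershell
# Added example. Assumed values: D:\UserData and the CONTOSO domain name.
# 'UserData' is the share name used in the page's UNC path.
$Path      = 'D:\UserData'
$ShareName = 'UserData'
$Domain    = 'CONTOSO'

# Preliminary steps: File Server role and the parent folder.
Install-WindowsFeature -Name FS-FileServer | Out-Null
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Create the SMB share with access-based enumeration switched on.
# Share-level permissions are an assumption; the page only customizes NTFS permissions.
New-SmbShare -Name $ShareName -Path $Path -FolderEnumerationMode AccessBased `
    -FullAccess "$Domain\Domain Admins" -ChangeAccess "$Domain\Domain Users" | Out-Null

# Disable inheritance and drop the inherited entries.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)

# Helper (hypothetical name): build an Allow rule for one identity.
function New-AllowRule($Identity, $Rights, $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

$allLevels = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files
$acl.AddAccessRule((New-AllowRule "$Domain\Administrator" 'FullControl' $allLevels))
$acl.AddAccessRule((New-AllowRule "$Domain\Domain Admins" 'FullControl' $allLevels))
# Domain Users: this folder only, default basic permissions (read and execute).
$acl.AddAccessRule((New-AllowRule "$Domain\Domain Users" 'ReadAndExecute' 'None'))
Set-Acl -Path $Path -AclObject $acl

# Check: enumeration mode should read AccessBased and no entry should be inherited.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```

ABE only filters what a directory listing shows; the NTFS ACL is what enforces access, so review the ACL output as well as the enumeration mode. Run the script from an elevated session on the file server.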

Creating home Folders for Domain users in the share folder with their usernames:

- Open Active Directory Users and Computers.
- Expand the OU (the organizational unit that contains the users).
- Select all the users, right-click, go to Properties and click on the Profile tab.
- In the Profile tab, select the checkbox for the home folder and click Connect. Leave the drive letter the way it is, then in the To: text box paste the network share path in the following format: \\192.168.2.8\UserData\%username%
- Click Apply, then OK. Users' folders will be created in the SMB share folder with their domain usernames and with individual rights assigned to the individual folders.

Example: with all the users' folders created and ABE implemented, assuming the domain has 3 users, John, Jane and Tom.

The share folder looks like:

- But when John logs on to his computer he sees:

In my next blog I'll be talking about mapping the shared drive to individual users' computers so that they can open it as a mapped drive and only see their individual folders.
Feel free to contact me or suggest any improvement or correction to the above blog. I hope this helps some server administrators out there.