Wednesday, July 6, 2016

Bug with Windows 7 and Access Based Enumeration

I encountered an interesting bug with Windows 7 workstations with Access Based Enumeration enabled on a SMB Share and DFS Namespace running on Windows Server 2012 R2.

When a user tries to create a file or folder under a location which they have "Full Modify Rights" in Windows Explorer they receive the following error:

Drive Mapping refers to a location that is unavailable. It could be a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the Internet on your network, and then try again. If it still cannot be located, the information might have been moved to a different location.


This issue occurs under the following circumstances:
  • Access Based Enumeration is enabled on a Network Share or DFS Namespace
  • If a Mapped Network Drive is created to the Share
  • The user is connecting from a Windows 7 workstation.

The Windows 7 client works under the following circumstances:
  • If the user creates a file from an application such as Microsoft Word (not Windows Explorer) using a mapped network drive to the folder share, it works corrctly.
  • If the user opens the UNC Path of the share \\server\share\folder, not via the mapped network drive it works correctly.
Note: If the user connects from 2008 R2, Windows 8.1 or Windows 10 it connects without issues.

When setting up Access Based Enumeration, the root folder should have:
  • List Folder / Read Data
  • Applies to "This Folder Only"
This ensures that users have the rights to list all folders at the base level folder for Access Based Enumeration, but requires additional rights to all sub folders hence the folders "hidden" as expected.

The root level permissions are shown below.  All sub folders are provided with full modify permissions for the respective security groups.

This works with 2008 R2, Windows 8.1 and Windows 10.

 
With Windows 7 clients they need additional permissions granted at the root level folder including:
  • Transverse folder / execute file
  • List folder / read data
  • Read Attributes
  • Read extended attributes
  • Read permissions
 
These extra permissions at the root level folder are only required if:
  • You run Access Based Enumeration
  • You have Windows 7 Clients on the network

1 comment:

  1. Is it really workable on Window 7 with "Read Extended Attributes"?
    Moreover, I tried this "If the user creates a file from an application such as Microsoft Word (not Windows Explorer) using a mapped network drive to the folder share, it works correctly." But it didn't work.
    To Do List Template

    ReplyDelete