Saturday, November 7, 2009

Access-based Enumeration

Access-based Enumeration was first introduced in Windows Server 2003 Service Pack 1. This feature lets users see only the files and folders to which they have access when browsing content on a Windows file server. This avoids confusing end users with a large number of folders they cannot access.

There is a brilliant white paper written by Microsoft for Server 2003 on ABE (Access-Based Enumeration) which can be downloaded here.

As explained in the Microsoft white paper, to enable access-based enumeration you use the abecmd command-line tool:

abecmd /enable 10.0.0.2 "Customer Accounts"

10.0.0.2 being the file server
"Customer Accounts" being the share for which ABE is being enabled.

There is also a handy TechNet article on Access-Based Enumeration for Server 2003, which can be found here:

http://technet.microsoft.com/en-us/library/cc784710(WS.10).aspx

In Server 2003, however, you could not enable access-based enumeration against a DFS namespace share.

Now in Windows Server 2008 DFS you can enable access-based enumeration on a DFS namespace by using the dfsutil command line tool as follows:

dfsutil property abde enable \\<namespace root>

For more information about access-based enumeration on 2008 DFS Namespaces see:

http://technet.microsoft.com/en-us/library/dd919212(WS.10).aspx
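
Once ABE has been enabled, it is worth checking which shares actually have it on. The script below is an added example, not part of the original post or the Microsoft documentation; it assumes Windows Server 2012 or later (where the SmbShare cmdlets exist, unlike the 2003/2008 tools above) and the server list in `$ComputerName` is a placeholder.

```powershell
# Added example: report the ABE state of every file share on a set of servers.
# Assumption: Windows Server 2012+ targets reachable over WinRM (CIM sessions).
param(
    [string[]]$ComputerName = @('localhost')   # placeholder; pass your file servers
)

$report = foreach ($server in $ComputerName) {
    $session = New-CimSession -ComputerName $server
    try {
        Get-SmbShare -CimSession $session |
            # Skip administrative shares (C$, ADMIN$, IPC$) and print queues.
            Where-Object { -not $_.Special -and $_.ShareType -eq 'FileSystemDirectory' } |
            Select-Object @{ Name = 'Server'; Expression = { $server } },
                          Name, Path, FolderEnumerationMode
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}

# AccessBased  = ABE is on for the share.
# Unrestricted = every user sees every folder name, whether or not they can open it.
$report | Sort-Object FolderEnumerationMode, Server, Name | Format-Table -AutoSize

# Shares that still expose the full listing, for follow-up.
$unrestricted = $report | Where-Object { $_.FolderEnumerationMode -eq 'Unrestricted' }
"{0} share(s) without ABE" -f @($unrestricted).Count

# To turn ABE on for one share on these newer servers:
#   Set-SmbShare -Name 'Customer Accounts' -FolderEnumerationMode AccessBased
```

ABE only changes what is listed; the NTFS permissions on each folder still decide who can open it, so the report complements a permissions review rather than replacing one.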

2 comments:

  1. "In server 2003 however you could not enable Access-based enumeration against a DFS Namespace share."

    I believe you could. We've been doing it since 2003 SP1.

  2. I looked into this more closely - it was in the original 2008 release notes; however, what is new is the ability to enable access-based enumeration from the DFS management console, not the DFSutil command. Good find mate!

    http://blogs.technet.com/b/aralves/archive/2007/09/20/windows-server-2008-access-based-enumeration.aspx
