Access Based Enumeration enables you to configure advanced display options for shared folders. If a user maps a network drive to a share that has Access Based Enumeration enabled, that user sees only the folders he has access to. So far so good. Now I'm going to show how to configure this great feature in the graphical interface and, of course, in Windows PowerShell.
But let me first say some things about this feature. The question is why would you want to do this?
A defense of Access Based Enumeration 😉
Security
The first reason is security. Why would you show files and folders to users who have no access to them? There is no need to.
User Experience
The second reason is user experience. Why would you distract users with tons of files and folders that they don't have access to? Remember: If your users are fine, then you are fine.
Configuring Access Based Enumeration with Server Manager
On the server which holds the shared folder, open Server Manager. Click on File and Storage Services.
Next click on Shares.
Select your shared folder and right click it. Select Properties. Activate the checkbox Access Based Enumeration.
Configuring Access Based Enumeration by using Windows PowerShell
Welcome to the Champions League! Who needs Server Manager? 😉
Set-SmbShare -Name Data -FolderEnumerationMode AccessBased
To verify your settings run
Get-SmbShare -Name Data | Select-Object FolderEnumerationMode
To check all your local shares run
Get-SmbShare | Select-Object Name,FolderEnumerationMode
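To go one step beyond the one-liners above, here is an added example (not part of the original post) that reports every non-administrative share on a server and, on request, switches the ones still set to Unrestricted. The function name Invoke-AbeAudit and its parameters are hypothetical; only Get-SmbShare, Set-SmbShare and the CIM session cmdlets are real.

```powershell
# Added example, not from the original post. Invoke-AbeAudit is a hypothetical name.
function Invoke-AbeAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Remote file server to inspect; leave empty for the local machine.
        [string]$ComputerName,
        # When set, shares that are not AccessBased are switched over.
        [switch]$Enable
    )

    # Without -ComputerName, New-CimSession opens a local session.
    $cim = if ($ComputerName) { New-CimSession -ComputerName $ComputerName }
           else { New-CimSession }
    $server = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    try {
        # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$.
        foreach ($share in Get-SmbShare -CimSession $cim -Special $false) {
            $before = [string]$share.FolderEnumerationMode
            $after  = $before

            if ($Enable -and $before -ne 'AccessBased' -and
                $PSCmdlet.ShouldProcess("\\$server\$($share.Name)",
                                        'Enable Access Based Enumeration')) {
                # -Force suppresses the cmdlet's own confirmation prompt.
                Set-SmbShare -InputObject $share -FolderEnumerationMode AccessBased -Force
                # Read the share back so the report shows the real state.
                $after = [string](Get-SmbShare -CimSession $cim -Name $share.Name).FolderEnumerationMode
            }

            [pscustomobject]@{
                Server = $server
                Share  = $share.Name
                Path   = $share.Path
                Before = $before
                After  = $after
            }
        }
    }
    finally {
        Remove-CimSession -CimSession $cim
    }
}

# Report only:        Invoke-AbeAudit | Format-Table
# Preview changes:    Invoke-AbeAudit -Enable -WhatIf
# Apply the changes:  Invoke-AbeAudit -Enable
```

Access Based Enumeration only filters what a user sees in the listing; NTFS and share permissions still decide who can open a folder, so review those separately.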
The Impact
Ok, if this is the first time you've heard of this great feature, then you might think "Hmm… does this really work in my environment?" Ok, ok, I will give you a preview. So, let's have a look at the permissions of user Petra. Petra has access to the shared folder Data and to its subfolders HR and PR, but not IT.
On the left side you see the server’s view and on the right side Petra’s view. Quite different … Petra does not have access to the IT folder. Therefore she can see only the folders HR and PR.
Have fun with Access Based Enumeration and don’t forget: If your users are fine, then you are fine. 😉
See also
More about File Shares in my blog posts
PowerShell: Find and close open files (SMB Share)
PowerShell: How to create File Shares
hi
I have 1 shared folder on the server 2012 R2. If 3 PCs are connected, no more are accepted: could not reconnect drive, folder already in use (mapped drive). Is it possible to allow more? And how?
I am looking for a list of shares that are currently being accessed by a given user.
In other words, is there any command or script available where I can specify a username and it lists the shares that are being accessed or mapped by that user on all servers in my domain (company)?
Hi Patrick,
I think Access Based Enumeration is a very important function of a file server. In shared folders with a very large number of folders, it helps the users to keep the overview. And sometimes it's not wanted that users know there are any other folders. So this is a really useful feature, which should always be enabled.