Cyber Security

Display only Folders that a User has Access: Configuring Access Based Enumeration on Windows Server 2012/2016

Access Based Enumeration lets you configure advanced display options for shared folders. If a user maps a network drive to a share that has Access Based Enumeration enabled, that user sees only the folders he has access to. So far so good. Now I'm going to show how to configure this great feature in the graphical interface and, of course, in Windows PowerShell.

But first, a few words about the feature itself. Why would you want to enable it?

A defense of Access Based Enumeration 😉

Security

The first reason is security. Why would you show files and folders to users who have no access to them? There is no need to.

User Experience

The second reason is user experience. Why would you distract users with tons of files and folders that they don't have access to? Remember: If your users are fine, then you are fine.

Configuring Access Based Enumeration with Server Manager

On the server that hosts the shared folder, open Server Manager. Click on File and Storage Services.

Next click on Shares.

Select your shared folder, right-click it and select Properties. Activate the checkbox Access Based Enumeration.

Configuring Access Based Enumeration by using Windows PowerShell

Welcome to the Champions League! Who needs Server Manager? 😉

Set-SmbShare -Name Data -FolderEnumerationMode AccessBased

To verify your settings run

Get-SmbShare -Name Data | Select-Object FolderEnumerationMode

To check all your local shares run

Get-SmbShare | Select-Object Name,FolderEnumerationMode
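
The two checks above can be combined into a local audit that lists every regular file share with its enumeration mode and, on request, switches the Unrestricted ones to AccessBased. This is an added example, not code from the original post; the function name Get-AbeShareStatus and its -Enable switch are hypothetical, while the Smb cmdlets are the built-in ones used above.

```powershell
# Added example (not from the original post).
# Get-AbeShareStatus and -Enable are hypothetical names chosen for this sketch.
# Note: ABE only hides entries from listings; NTFS and share permissions
# remain the actual access control.
function Get-AbeShareStatus {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Also switch shares that are still Unrestricted to AccessBased.
        [switch]$Enable
    )

    # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$.
    $shares = Get-SmbShare -Special $false |
        Where-Object { $_.ShareType -eq 'FileSystemDirectory' }

    foreach ($share in $shares) {
        $mode = [string]$share.FolderEnumerationMode

        if ($Enable -and $mode -ne 'AccessBased') {
            # ShouldProcess makes -WhatIf and -Confirm work on this function.
            if ($PSCmdlet.ShouldProcess($share.Name, 'Enable Access Based Enumeration')) {
                Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
                $mode = 'AccessBased'
            }
        }

        # One row per share, reflecting the mode after any change.
        [pscustomobject]@{
            Share                 = $share.Name
            Path                  = $share.Path
            FolderEnumerationMode = $mode
        }
    }
}

# Report only: which shares still expose every folder name?
Get-AbeShareStatus | Where-Object FolderEnumerationMode -ne 'AccessBased'

# Preview the change without touching anything.
Get-AbeShareStatus -Enable -WhatIf
```

Run it in an elevated PowerShell session on the file server; drop -WhatIf once the preview lists the shares you expect.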

The Impact

OK, if this is the first time you've heard of this great feature, then you might think "Hmm… does this really work in my environment?" OK, OK, I will give you a preview. So, let's have a look at the permissions of user Petra. Petra has access to the shared folder Data and to its subfolders HR and PR, but not IT.

On the left side you see the server’s view and on the right side Petra’s view. Quite different … Petra does not have access to the IT folder. Therefore she can see only the folders HR and PR.

Have fun with Access Based Enumeration and don’t forget: If your users are fine, then you are fine. 😉

See also

More about File Shares in my blog posts

PowerShell: Find and close open files (SMB Share)

PowerShell: How to create File Shares

3 replies »

  1. hi

    I have 1 shared folder on the server 2012 R2, if 3 PCs are connected no more are accepted, could not reconnect drive folder already in use (mapped drive) is it possible to allow more? and how?

  2. I am looking for list of shares that are being currently accessed by a given user.

    In other words, is there any command or script available where I can specify username and it lists shares that are being accessed or mapped by that user on all servers in my domain(company)

  3. Hi Patrick,

    I think Access Based Enumeration is a very important function of a fileserver. In shared folders with a very large number of folders, it helps the users to keep the overview. And sometimes it's not wanted that users know there are any other folders. So this is a really useful feature, which should always be enabled.
