SID-500

Display only Folders that a User has Access: Configuring Access Based Enumeration on Windows Server 2012/2016

Access Based Enumeration (ABE) controls which items are displayed in a shared folder. If a user maps a network drive to a share that has Access Based Enumeration enabled, that user sees only the folders they have access to. So far so good. Now I'm going to show how to configure this great feature in the graphical interface and, of course, in Windows PowerShell.

But let me first say a few things about this feature. The question is: why would you want to do this?

A defense of Access Based Enumeration 😉

Security

The first reason is security. Why would you show files and folders to users who have no access to them? There is no need to.

User Experience

The second reason is user experience. Why distract users with tons of files and folders that they don't have access to? Remember: If your users are fine, then you are fine.

Configuring Access Based Enumeration with Server Manager

On the server that hosts the shared folder, open Server Manager. Click on File and Storage Services.

Next click on Shares.

Select your shared folder and right-click it. Select Properties. Activate the checkbox Access Based Enumeration.

Configuring Access Based Enumeration by using Windows PowerShell

Welcome to the Champions League! Who needs Server Manager? 😉

Set-SmbShare -Name Data -FolderEnumerationMode AccessBased

To verify your settings run

Get-SmbShare -Name Data | Select-Object FolderEnumerationMode

To check all your local shares run

Get-SmbShare | Select-Object Name,FolderEnumerationMode
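
Building on the two commands above, this added example (not part of the original post) audits every non-administrative share on one or more servers and previews enabling ABE where it is still off. The function names Get-AbeShareReport and Enable-AbeOnShare are hypothetical, and remote servers are assumed to be reachable over CIM/WinRM.

```powershell
# Added example; function names are hypothetical. Needs the SmbShare module (Server 2012+).
function Get-AbeShareReport {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))  # servers to audit
    foreach ($computer in $ComputerName) {
        # Query locally without a CIM session; use one only for remote servers.
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target.CimSession = $computer }
        try {
            # -Special $false skips administrative shares such as C$, ADMIN$ and IPC$.
            $shares = Get-SmbShare @target -Special $false -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not query shares on ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($share in $shares) {
            [pscustomobject]@{
                ComputerName          = $computer
                Name                  = $share.Name
                Path                  = $share.Path
                FolderEnumerationMode = [string]$share.FolderEnumerationMode
                AbeEnabled            = ([string]$share.FolderEnumerationMode -eq 'AccessBased')
            }
        }
    }
}

function Enable-AbeOnShare {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$ComputerName,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Name
    )
    process {
        $target = @{}
        if ($ComputerName -ne $env:COMPUTERNAME) { $target.CimSession = $ComputerName }
        if ($PSCmdlet.ShouldProcess("\\$ComputerName\$Name", 'Enable Access Based Enumeration')) {
            Set-SmbShare @target -Name $Name -FolderEnumerationMode AccessBased -Force
        }
    }
}

# Report every share, then preview (-WhatIf) the change for shares still set to Unrestricted.
$report = Get-AbeShareReport
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.AbeEnabled } | Enable-AbeOnShare -WhatIf
```

Remove -WhatIf to apply the change. ABE only changes what a directory listing shows; the NTFS and share permissions still decide who can open a folder, so they have to be correct as well.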

The Impact

OK, if this is the first time you've heard of this great feature, then you might think "Hmm… does this really work in my environment?" OK, OK, I will give you a preview. So, let's have a look at the permissions of user Petra. Petra has access to the shared folder Data and to its subfolders HR and PR, but not IT.

On the left side you see the server’s view and on the right side Petra’s view. Quite different … Petra does not have access to the IT folder. Therefore she can see only the folders HR and PR.

Have fun with Access Based Enumeration and don’t forget: If your users are fine, then you are fine. 😉

See also

More about File Shares in my blog posts

PowerShell: Find and close open files (SMB Share)

PowerShell: How to create File Shares


GET-AUTHOR

My name is Patrick Grünauer. Microsoft MVP. I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!
