Access Based Enumeration in Windows Server 2003 (with SP1)

Windows Server 2003 with SP1 adds a feature called Access Based Enumeration (ABE). From the documentation it looks like a great tool to use if you are migrating from Novell NetWare file servers: it is supposed to let users see only the folders they have access to and hide the folders they have no access to.

This is useful for obvious reasons: you don't want your users calling you every other day to tell you they can't find their folders. Well, ABE works, but... Here's the surprising part: it only works for first-level folders. That is, if a user has access to folder C inside folder B, but no access to B itself, he will not see folder B (and therefore not C either). This is obvious once you take NTFS design into account: a user needs Traverse Folder permission on B to reach C via the direct path (B\C), and List Folder Contents permission on B to reach C by browsing into B. The only solution is to grant the user List Folder Contents access on all folders. But with that we are back at the starting point, where the user sees all available shared folders instead of only those he has permissions to.
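As an added illustration (not part of the original post, and not Windows code), here is a small Python model of the interaction described above: ABE lists a folder only if the user can list it, so nothing below an unlisted folder is ever shown, while a direct path only needs Traverse Folder on the intermediate folders. The share layout, the user "alice" and her rights are constructed for the example.

```python
from dataclasses import dataclass, field

TRAVERSE = "Traverse Folder"
LIST = "List Folder Contents"

@dataclass
class Folder:
    name: str
    acl: dict                 # user -> set of rights (simplified, not real ACEs)
    children: list = field(default_factory=list)

def has(folder, user, right):
    return right in folder.acl.get(user, set())

def browse(folder, user, path=""):
    """Paths a user sees when browsing with ABE: a child is listed only if
    the user can list it, and only listed folders are descended into."""
    seen = []
    for child in folder.children:
        child_path = f"{path}\\{child.name}"
        if has(child, user, LIST):
            seen.append(child_path)
            seen.extend(browse(child, user, child_path))
    return seen

def open_direct(root, user, path):
    """Direct path access (e.g. typed into Explorer): each intermediate folder
    needs Traverse Folder, the target itself needs List Folder Contents."""
    node = root
    parts = path.strip("\\").split("\\")
    for part in parts[:-1]:
        node = next(c for c in node.children if c.name == part)
        if not has(node, user, TRAVERSE):
            return False
    node = next(c for c in node.children if c.name == parts[-1])
    return has(node, user, LIST)

def build_share(b_rights=frozenset(), flat=False):
    """Constructed share: alice has full rights on A and C; her rights on B
    are given by b_rights. flat=True moves C next to B instead of inside it."""
    full = {LIST, TRAVERSE}
    a = Folder("A", {"alice": full})
    c = Folder("C", {"alice": full})
    b = Folder("B", {"alice": set(b_rights)}, [] if flat else [c])
    return Folder("Projects", {"alice": full}, [a, b, c] if flat else [a, b])

if __name__ == "__main__":
    print(browse(build_share(), "alice"))                          # C is hidden
    print(open_direct(build_share({TRAVERSE}), "alice", "\\B\\C"))  # direct path works
    print(browse(build_share(flat=True), "alice"))                 # flattened: C visible
```

With Traverse but no List on B, `open_direct` succeeds while `browse` still hides B and C; granting List on B makes B and C visible, which is exactly the "see everything" trade-off the text describes.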

This means that when migrating from Novell we will often have to redesign the folder access approach, e.g. logon scripts that map drives based on group membership, or flattening the folder structure into a shallower hierarchy and then using ABE.