Windows OS Hub

July 24, 2024

Enable Access-based Enumeration (ABE) on Shared Folders (SMB)

Access-based Enumeration (ABE) is a shared folder option in Windows that hides files and folders that users don’t have permission to access. ABE is used to hide the directory structure and the names of folders and files, and to limit the number of items a particular user sees when viewing a shared network folder.

Contents:
  • Using Access-based Enumeration on Windows Server
  • Managing Access-based Enumeration from the Command Prompt (PowerShell)

Using Access-based Enumeration on Windows Server

Let’s say there is a shared network folder on a Windows file server containing the public directories of several departments. All users can see the list of directories in this share. This is done by assigning the List Folders or Browse Folders permissions for the built-in Users group to the root of the folder only. The user will only be able to open the subdirectory if their account is added to the NTFS access list.


Let’s assume that a user is added to the AD security groups that allow two sub-directories to be opened (Public and Salary).


These AD security groups are added to the NTFS permissions of the corresponding sub-directories in a share. Permissions that grant access to sub-folders for the Domain Users group or the Builtin\Users group have been removed from the ACLs.


To enable ABE on a shared folder, open the Server Manager console -> select the File and Storage Services role -> Shares. Open the share properties and enable the Enable access-based enumeration option on the Settings tab.


Refresh the shared folder contents in the user session (press F5 in File Explorer). Now the user sees only the two directories that they can access. The rest of the sub-folders are not visible to the user.


In addition, you can enable ABE on computers in the AD domain using Group Policies. This can be done using the GPP option under Computer Configuration -> Preferences -> Windows Settings -> Network Shares.

Enabling Access-based Enumeration will enable ABE mode for the shared folder published by this GPO.

Managing Access-based Enumeration from the Command Prompt (PowerShell)

You can also enable ABE for a shared network folder from the PowerShell command prompt.

This allows enabling Access-based Enumeration for shared folders on workstations running desktop OS versions (Windows 10 or 11).

For example, to enable access-based enumeration mode for a shared folder named DOCS, run the command:

Get-SmbShare DOCS | Set-SmbShare -FolderEnumerationMode AccessBased

List all shared folders (including Windows administrative shares) and the status of the ABE option:

Get-SmbShare | Select-Object Name,FolderEnumerationMode

The value FolderEnumerationMode = AccessBased indicates that access-based enumeration is enabled.


Disable ABE for a share:

Get-SmbShare DOCS | Set-SmbShare -FolderEnumerationMode Unrestricted
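ABE only hides a sub-folder when the user has no read access to it, so a leftover Allow entry for a broad group keeps that folder visible to everyone even with ABE switched on. The following read-only audit is an added example, not part of the original article: the function name Get-AbeAudit and the list of broad groups are assumptions (English group names), and DOCS is the share name used above.

```powershell
# Added example: report ABE state per share and flag first-level sub-folders
# that a broad group can still read. Read-only; run elevated on the file server.
# Assumption: English names of the built-in groups.
$broadPattern = '\\(Users|Domain Users|Authenticated Users)$|^Everyone$'
$readData     = [System.Security.AccessControl.FileSystemRights]::ReadData

function Get-AbeAudit {
    [CmdletBinding()]
    param(
        # Shares to check; default is every non-administrative share.
        [string[]]$Name = (Get-SmbShare -Special $false).Name
    )
    foreach ($share in Get-SmbShare -Name $Name) {
        $abeOn = $share.FolderEnumerationMode -eq 'AccessBased'
        $dirs  = Get-ChildItem -LiteralPath $share.Path -Directory -Force -ErrorAction SilentlyContinue
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName
            # Allow ACEs that give a broad group read/list access mean
            # ABE has nothing to hide for this sub-folder.
            $broad = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match $broadPattern -and
                $_.FileSystemRights.HasFlag($readData)
            }
            [pscustomobject]@{
                Share        = $share.Name
                AbeMode      = $share.FolderEnumerationMode
                Subfolder    = $dir.Name
                BroadReaders = ($broad.IdentityReference.Value | Sort-Object -Unique) -join ', '
                # True only when ABE is on and no broad group can read the folder.
                AbeEffective = $abeOn -and -not $broad
            }
        }
    }
}

# Example call for the DOCS share from this article.
Get-AbeAudit -Name DOCS | Format-Table -AutoSize
```

Rows with AbeEffective = False either belong to a share still in Unrestricted mode or to a sub-folder whose ACL needs the broad group removed.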

To enable Access-based enumeration on a Linux Samba server, add the following option to the smb.conf configuration file:

hide unreadable = Yes

Shared folders that the user doesn’t have permission to access can themselves be hidden from the network environment using another Samba option:

access based share enum = Yes

In a corporate environment, ABE works perfectly with DFS folders by hiding unused folders from users and providing a more convenient public folder tree structure. You can enable ABE in DFS using the DFS Management snap-in or the dfsutil.exe command:

dfsutil property abe enable \\namespace_root

Other features and limitations of Access-based enumeration on Windows

  • Enabling ABE on a file server may increase the load on the host. There may be a slight delay when refreshing a list of files in an ABE-enabled folder containing thousands of items. For example, folder access will slow down by 1-3 seconds if there are 15,000 objects in a shared folder.
  • When browsing a directory locally on the file server, ABE is not used.
  • Members of the local Administrators group on the file server will always see a full list of the items in a shared folder.
5 comments

Steve August 22, 2016 - 2:43 pm

Just wanted to wake this post up with a Thank you, Top marks on the tutorials above made my life a little easier with 2012r2… I can build a domain from scratch but could I find access enumeration after looking at it in the face…. not without the above I could not. Thank you

Dario June 5, 2017 - 7:58 am

Is it possible to disable ABE in Windows Server 2012 for new directories?
I would like to set to “false” the default value of ABE, now all new directories are created with ABE set to true.
Thanks
D.

admin June 7, 2017 - 5:43 am

You can enable/disable ABE for all shares at once using abecmd (www.microsoft.com/en-us/download/details.aspx?id=17510):
abecmd /enable /all
Or individually for each shared folder:
Set-SmbShare -Name "ShareName" -FolderEnumerationMode AccessBased

Thomas October 13, 2022 - 10:17 am

I try to use this with a share on a Windows 10 computer. Is this really possible?

admin October 16, 2022 - 6:02 am

You can enable and manage access-based enumeration on a Win 10 shared folder using PowerShell.

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins

