NeuroAgent

How to Configure Access Based Enumeration for Folder Visibility

Complete guide to configuring Access Based Enumeration in Windows Server. Learn how to hide folders without access permissions and resolve visibility issues after permission changes.

Question

How to configure folder visibility with Access Based Enumeration enabled?

Hello colleagues!

I’m having an issue configuring Access Based Enumeration on a server. The function is enabled on a shared folder, and users have access rights to certain subfolders.

The problem: when a user’s access rights to subfolders are removed, they can still see these folders in the list but cannot access them. How can I configure the system so that after access rights are revoked, users no longer see the folders they cannot access?

NeuroAgent

Access Based Enumeration (ABE) in Windows Server hides files and folders that users don’t have access rights to, but for proper operation, permission inheritance must be configured correctly. The problem of folder visibility after revoking access rights usually occurs due to inherited permissions from parent directories that continue to provide basic read rights.

What is Access Based Enumeration and how it works

Access Based Enumeration (ABE) is a Windows Server feature that automatically hides files and folders from the shared folder listing if the current user doesn’t have access rights to these objects [source]. This feature works at the SMB protocol level and provides users with only the resources they actually have access to.

ABE works as follows:

  • User requests a listing of the shared folder contents
  • Server checks NTFS permissions for each object
  • Only objects with read or enumerate rights for the user are returned
  • Users don’t see objects they don’t have access to

Important: ABE applies to the contents of a share, not to the share itself. Even if a user sees a folder in the listing, they won’t be able to access it without proper permissions [source].

Main reasons for folder visibility when access rights are removed

The most common reasons why folders remain visible after access rights are removed:

1. Inherited permissions from the root directory

Permissions inherited from the root directory of the file system give the DOMAIN\Users group read rights. As a result, even after enabling ABE, all folders in the namespace remain visible to all domain users [source].

2. List contents rights

If users or groups retain List folder contents rights, folders will remain visible even if rights to access the contents are removed.

3. Permission inheritance not disabled

When the DATA_AUTH\USER1 folder is created, it inherits read rights from DATA_AUTH. Disabling inheritance doesn’t by itself remove these permissions: unless the inherited entries are removed, they remain “grandfathered,” so USER_2_Group can still read the folder [source].

4. Permissions at the parent level

Users can see folders if they have rights to parent directories, even if rights to specific subfolders are revoked.
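
The causes above can be checked in bulk. The following read-only PowerShell function is an added example, not part of the original answer; the function name `Get-AbeVisibilityLeak`, the default group list and the path `D:\Shares\Data` are assumptions. It reports each subfolder on which a broad group still holds a list/read entry that applies to the folder itself, and whether that entry is inherited.

```powershell
# Added example, not from the original answer. Read-only: it changes nothing.
# Assumption: $Principals names the broad groups to look for; adjust to your domain.
function Get-AbeVisibilityLeak {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Principals = @(
            "$env:USERDOMAIN\Domain Users", 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    # ListDirectory/ReadData is the bit that lets a user enumerate a folder.
    $list        = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory
    $genericRead = [int]0x80000000   # GENERIC_READ, shown as a raw number on some ACEs
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $mask        = $list -bor $genericRead

    Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object {
        $folder = $_
        (Get-Acl -LiteralPath $folder.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Principals -contains $_.IdentityReference.Value -and
                # Inherit-only ACEs affect children, not the folder being listed
                (([int]$_.PropagationFlags) -band $inheritOnly) -eq 0 -and
                (([int]$_.FileSystemRights) -band $mask) -ne 0
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder      = $folder.FullName
                    Identity    = $_.IdentityReference.Value
                    Rights      = $_.FileSystemRights
                    IsInherited = $_.IsInherited
                }
            }
    }
}

# Constructed path. Each row is a folder that ABE keeps listing for that group.
Get-AbeVisibilityLeak -Path 'D:\Shares\Data' | Format-Table -AutoSize
```

Rows with `IsInherited = True` point at the parent as the place to fix. The check covers only the named groups, so a specific user's visibility still has to be confirmed with Effective Access.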

Proper permission inheritance configuration

For ABE to work correctly, permission inheritance must be properly configured:

Disabling inheritance at the folder level

For each folder that needs to be hidden from specific users:

  1. Open folder properties
  2. Go to the Security tab
  3. Click Advanced
  4. Uncheck “Inherit from parent the permission entries…”
  5. Select “Remove all inherited permissions”

Setting explicit permissions

After disabling inheritance, set explicit permissions only for groups that should have access:

  • Remove the DOMAIN\Users group from the permissions list
  • Add only specific groups or users that need access
  • Grant minimal necessary rights (Read, Write, etc.)

Example of correct permission structure

Folder Project_A:
- Group Project_A_Team: Full Control
- Group Domain Users: No permissions

Folder Project_B:
- Group Project_B_Team: Full Control  
- Group Domain Users: No permissions
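
The same steps scripted, as an added example that is not part of the original answer: `Set-ExplicitFolderAcl` is a hypothetical helper name, the path and `DOMAIN\Project_A_Team` are placeholders, and keeping SYSTEM and Administrators on the ACL is an assumption (removing all inherited entries would otherwise remove them as well).

```powershell
# Added example, not from the original answer.
# Assumptions: helper name, path and group are placeholders; SYSTEM and
# Administrators are kept so backups and administrators are not locked out.
function Set-ExplicitFolderAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Group,
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )
    $acl = Get-Acl -LiteralPath $Path

    # $true  = stop inheriting from the parent
    # $false = drop the inherited entries instead of copying them as explicit ones
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit entries left from earlier changes (for example DOMAIN\Users)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleSpecific($ace)
    }

    $wanted = [ordered]@{
        'NT AUTHORITY\SYSTEM'    = 'FullControl'
        'BUILTIN\Administrators' = 'FullControl'
        $Group                   = $Rights
    }
    foreach ($id in $wanted.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $id, $wanted[$id], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace ACL with explicit entries')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
        # Show the result: every entry should now report IsInherited = False
        (Get-Acl -LiteralPath $Path).Access |
            Select-Object IdentityReference, FileSystemRights, IsInherited
    }
}

# Preview first; remove -WhatIf to apply.
Set-ExplicitFolderAcl -Path 'D:\Shares\Data\Project_A' -Group 'DOMAIN\Project_A_Team' -WhatIf
```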

Step-by-step ABE configuration through Server Manager

Enabling ABE on a shared folder

  1. Open Server Manager
  2. Select File and Storage Services → Shares
  3. Select the desired shared folder
  4. Open folder properties
  5. Go to the Settings tab
  6. Check Enable access-based enumeration
  7. Click Apply and OK [source]

Verifying ABE configuration

After enabling ABE, test the function:

  1. Connect to the shared folder as a user without access rights
  2. Verify that only accessible folders are visible
  3. Try to access hidden folders — access should be denied

ABE configuration through PowerShell

Enabling ABE for an existing shared folder

```powershell
Set-SmbShare -Name "Data" -FolderEnumerationMode AccessBased
```

Checking current folder enumeration mode

```powershell
Get-SmbShare | Format-Table Name, FolderEnumerationMode
```

Disabling ABE

```powershell
Set-SmbShare -Name "Data" -FolderEnumerationMode Default
```

Bulk configuring ABE for multiple shares

```powershell
Get-SmbShare | Where-Object { $_.Path -like "*Projects*" } | 
    Set-SmbShare -FolderEnumerationMode AccessBased
```

Solving folder visibility issues in DFS

Configuring ABE for DFS namespaces

  1. Open DFS Management
  2. Select the namespace
  3. Right-click → Properties
  4. On the Advanced tab, check Enable access-based enumeration
  5. Click OK [source]

Automating ABE configuration in DFS

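To automate ABE configuration on DFS links, you can start from the following PowerShell script, which collects the allowed and denied identities from the ACL of each link target:

```powershell
# Dfs-SetLinkACEsToTargetACEs.ps1
# Automating Access-Based Enumeration for DFS links

Param (
    [Parameter(Mandatory=$true)]
    [string]$DfsRootPath
)

Get-ChildItem $DfsRootPath | ForEach-Object {
    $DfsTargetPath = $_.FullName
    $AccessGrant = @()
    $AccessDeny = @()

    (Get-Acl $DfsTargetPath).Access | ForEach-Object {
        # Process permissions for ABE: sort each identity on the target's ACL
        # into the grant or deny list according to the ACE type
        if ($_.AccessControlType -eq 'Allow') {
            $AccessGrant += $_.IdentityReference.Value
        } else {
            $AccessDeny += $_.IdentityReference.Value
        }
    }

    # Emit one record per link for review before the link's own ACL is changed
    [pscustomobject]@{
        Link  = $DfsTargetPath
        Grant = $AccessGrant | Select-Object -Unique
        Deny  = $AccessDeny  | Select-Object -Unique
    }
}
```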

Permission inheritance issues in DFS

In DFS environments, folder visibility issues often occur because:

  • Permissions are inherited from the system root directory
  • Users get read rights from DOMAIN\Users
  • Even after enabling ABE, all folders remain visible [source]

The solution is to disable inheritance and set explicit permissions at each level of the DFS structure.

Testing and troubleshooting ABE functionality

Checking effective access rights

Use the effective access tool to check user rights:

  1. Open folder properties
  2. Go to the Security tab
  3. Click Advanced
  4. Select a user and click Effective Access
  5. Verify that the user has no rights to hidden folders

Testing with different users

Test ABE with different user accounts:

  • User with access rights: should see all allowed folders
  • User without access rights: should only see allowed folders
  • User with partial rights: should only see folders with available permissions

ABE event logging

For debugging, enable verbose event logging:

  1. Open Event Viewer
  2. Go to Applications and Services Logs → Microsoft → Windows → SMBServer
  3. Set logging level to Verbose
  4. Monitor file access-related events

Common issues and their solutions

| Issue | Cause | Solution |
|---|---|---|
| Folders visible after revoking rights | Inherited permissions | Disable inheritance and set explicit permissions |
| ABE not working on DFS namespaces | ABE not enabled for DFS | Enable ABE through DFS Management |
| Users see folders but can’t access | List rights exist but access rights don’t | Check and configure both permission types correctly |

Conclusion

Access Based Enumeration is a powerful tool for enhancing file server security, but its proper configuration requires attention to permission inheritance details. Key points for successful configuration:

  1. Always disable permission inheritance on folders that need to be hidden from specific users
  2. Remove the DOMAIN\Users group from permissions lists at folder levels
  3. Set explicit permissions only for groups that actually need access
  4. Test ABE with different user accounts after each configuration
  5. Use effective access rights to verify settings

To solve the problem of folder visibility after revoking access rights, it’s necessary to thoroughly check and reconfigure permission inheritance, disabling it at the level of problem folders and setting explicit permissions only for authorized groups.

Sources

  1. Access Based Enumeration: How to Enable ABE for Windows Server - Tenfold Security
  2. Enable Access-based Enumeration on a Namespace - Microsoft Learn
  3. Using Inherited Permissions with Access-based Enumeration - Microsoft Learn
  4. Enable Access-based Enumeration (ABE) on Shared Folders (SMB) - Windows OS Hub
  5. Configure Access Based Enumeration on Windows Server 2016 – TheITBros
  6. Display only Folders that a User has Access: Configuring Access Based Enumeration on Windows Server 2012/2016 - SID-500
  7. What am I doing wrong? access-based enumeration not working with share-subfolders - Server Fault
  8. How to hide folders from local Administrators using Access-based Enumeration? - Super User
  9. How to work with Access-Based enumeration in Dfs? - Server Fault
  10. Access based Enumeration NOT working - Microsoft Q&A