How to Configure Folder Visibility with Access Based Enumeration

Access Based Enumeration (ABE) automatically hides folders that users do not have access rights to. To resolve folder visibility issues, you need to properly configure NTFS permissions, clear cached permissions, and verify permission inheritance. For ABE to work correctly, users must have “List Folder Contents” permissions for all directories from the root to the target folder.

Contents

• What is Access Based Enumeration
• Configuring ABE in Server Manager
• Configuring ABE via PowerShell
• Configuring ABE via GPO
• Common Issues and Solutions
• Setting Up Permissions for Proper ABE Operation
• Clearing Cache and Restarting
• DFS-Specific Features
• Verification and Testing

What is Access Based Enumeration

Access Based Enumeration (ABE) is a Windows Server feature that hides files and folders that users do not have access rights to. Instead of displaying the complete contents of a share, users only see the folders and files for which they have corresponding permissions.

Important: By default, ABE is disabled and must be explicitly enabled for each share.

According to official Microsoft documentation, ABE plays a critical role in ensuring data privacy by guaranteeing that users only see files and folders they have access rights to.

Configuring ABE in Server Manager

To enable ABE through the Server Manager graphical interface:

1. Open Server Manager on your Windows Server
2. Select the File and Storage Services role
3. Navigate to the Shares section
4. Find the desired share and right-click on it
5. Select Properties
6. Go to the Settings tab
7. Check the box for Enable access-based enumeration
8. Click OK to apply the changes

As explained in the Windows OS Hub article, this method is the simplest for quickly enabling ABE on individual shares.

Configuring ABE via PowerShell

To manage ABE through PowerShell, use the Set-SmbShare cmdlet:

Set-SmbShare -Name "ShareName" -FolderEnumerationMode AccessBased

To check the current folder enumeration mode:

Get-SmbShare | Format-Table Name, FolderEnumerationMode

To return to standard mode:

Set-SmbShare -Name "ShareName" -FolderEnumerationMode AccessBased

As demonstrated by TheITBros, this method is particularly useful for automating deployment and management of multiple shares.

Configuring ABE via GPO

For mass deployment of ABE in a domain, use Group Policy Objects:

1. Open the Group Policy Management Console (gpmc.msc)
2. Create a new GPO or edit an existing one
3. Navigate to: Computer Configuration → Preferences → Windows Settings → Network Shares
4. Create a new Share item
5. In the share settings, enable the Access-based enumeration option
6. Apply the GPO to the desired OUs with servers

As noted in the Tenfold Security article, this method allows centralized management of ABE across all domain servers.

Common Issues and Solutions

Issue: Folders are visible but inaccessible

When a user can see a folder but cannot access it, this typically means:

1. Permission inheritance: The folder may be inheriting permissions from parent directories
2. Cached permissions: The system is using cached permission data
3. List rights: The user has “List Folder Contents” rights for intermediate folders

Solution:

1. Disable permission inheritance for the problematic folder:

   • Right-click on the folder → Properties → Security → Advanced
   • Click Disable inheritance → Convert inherited permissions to explicit permissions

2. Remove unnecessary permissions explicitly:

   • In the Permissions section, remove groups or users who should not have access to the folder
   • Save the changes

As explained on Server Fault, disabling inheritance and explicitly managing permissions often resolves folder visibility issues.

Setting Up Permissions for Proper ABE Operation

For ABE to work correctly, users must have “List Folder Contents” permissions for all directories from the root to the target folder:

1. Ensure users have “List Folder Contents” for parent folders
2. Disable permission inheritance for final folders if necessary
3. Explicitly assign permissions only to groups that need access

Important: If a user does not have “List Folder Contents” rights for any intermediate folder, ABE will not work.

As pointed out by Tenfold Security, this is a critical aspect of ABE configuration that administrators often overlook.

Clearing Cache and Restarting

After changing permissions, cache clearing may be required:

1. Clear Kerberos cache:

   cmd

   klist purge
   

2. Restart the client:

   • Completely close and reopen File Explorer
   • Or restart the user’s computer

3. Restart services on the server:

   powershell

   Restart-Service LanmanWorkstation
   Restart-Service LanmanServer
   

As noted by users on Reddit, clearing the Kerberos cache (klist purge) often resolves issues with cached permissions.

DFS-Specific Features

When working with DFS Namespaces, ABE configuration has specific features:

1. Enable ABE in DFS Management:

   • Open DFS Management
   • Right-click on the namespace → Properties
   • Check the box for Enable access-based enumeration

2. Configure permissions on each server:

   • ABE requires configuring permissions on automatically created folders on each namespace server
   • Permissions are not automatically replicated between servers

As noted in the Reddit article, for DFS, you must explicitly modify NTFS permissions on the folder structure automatically created on each namespace server.

Verification and Testing

After configuring ABE, perform the following checks:

1. Check effective permissions:

   • Right-click on the folder → Properties → Security → Advanced
   • Click Select a user → enter the username → Check

2. Test with different accounts:

   • Log in as a user who should not have access
   • Check folder visibility in File Explorer
   • Verify that inaccessible folders are indeed hidden

3. Use different access methods:

   • Via NETBIOS server name
   • Via server FQDN
   • Through UNC path

As explained in Microsoft Q&A, it’s important to check effective permissions rather than just explicitly set permissions, as ABE is based on the user’s final permissions.

Sources

1. Microsoft Learn - Enable Access-based Enumeration on a Namespace
2. Windows OS Hub - Enable Access-based Enumeration (ABE) on Shared Folders
3. TheITBros - Configure Access Based Enumeration on Windows Server 2016
4. Tenfold Security - Access Based Enumeration: How to Enable ABE for Windows Server
5. Server Fault - Access-based enumeration not working with share-subfolders
6. Reddit - Access Based Enumeration is ignored when accessing new server unless by FQDN
7. Microsoft Q&A - Access based Enumeration NOT working

Conclusion

To properly configure folder visibility with Access Based Enumeration enabled, you need to:

1. Enable ABE on the share through Server Manager, PowerShell, or GPO
2. Properly configure NTFS permissions, disabling inheritance for sensitive folders
3. Ensure “List Folder Contents” rights for intermediate directories
4. Clear the Kerberos cache after changing permissions
5. Restart client systems to apply changes
6. Check effective permissions for all users

If the issue persists after these steps, test with different access methods (NETBIOS vs FQDN) and ensure that DFS has appropriate permissions configured on each namespace server.