Access-based Enumeration

Updated: June 15, 2011

Applies To: Windows Server 2008

Access-based enumeration displays only the files and folders that a user has permissions to access. It is a feature that was previously available as a downloadable package for the Windows Server® 2003 operating system (it was also included in Windows Server 2003 Service Pack 1). Access-based enumeration is now included in the Windows Server 2008 operating system, and you can enable it by using Share and Storage Management.

What does access-based enumeration do?

Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.

Who will be interested in this feature?

  • IT administrators who want to control which files and folders are visible to network users

  • IT administrators who want to control the user's experience

For example, if you enable access-based enumeration on a shared folder that contains many users’ home directories, users who access the shared folder can see only their personal home directories; other users’ folders are hidden from view.

What existing functionality is changing?

Microsoft made the following changes to the functionality of shared folders to enable the use of access-based enumeration:

Windows Explorer enables access-based enumeration on shared folders by default

On a computer that is running Windows Server 2008, access-based enumeration is enabled by default on every folder that is shared by using the File Sharing feature. (This is the default sharing feature that is available through Windows Explorer.)

However, access-based enumeration is not enabled by default on the following types of shared folders:

  • Shared folders that are created with Share and Storage Management, Advanced Sharing in Windows Explorer, or the net share command

  • Volumes

  • Folders or volumes that are shared for administrative purposes, such as C$ and ADMIN$
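Because the default depends on how a share was created, it is worth checking the actual state of every share on a file server. The following script is an added example, not part of the original documentation: it reads each share's flags through the Win32 NetShareGetInfo API and lists the disk shares on which access-based enumeration is off. It assumes PowerShell 2.0 or later and an elevated prompt; the function name Get-ShareAbeState and the AbeAudit namespace are made up for this example.

```powershell
# Added example (not from the original page): report ABE state for each disk share.
# Assumes PowerShell 2.0+ and an elevated prompt. Get-ShareAbeState is a hypothetical name.
Add-Type -Namespace AbeAudit -Name NetApi -MemberDefinition @'
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetShareGetInfo(string servername, string netname,
                                         int level, out IntPtr bufptr);
[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buffer);
'@

# SHI1005_FLAGS_ACCESS_BASED_DIRECTORY_ENUM from lmshare.h
$AbeFlag = 0x0800

function Get-ShareAbeState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_Share.Type: 0 = disk share, 2147483648 = administrative disk share (C$, ADMIN$)
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        Where-Object { $_.Type -eq 0 -or $_.Type -eq 2147483648 }

    foreach ($share in $shares) {
        $buffer = [IntPtr]::Zero
        # Level 1005 returns SHARE_INFO_1005, a single DWORD of share flags.
        $rc = [AbeAudit.NetApi]::NetShareGetInfo("\\$ComputerName", $share.Name, 1005, [ref]$buffer)
        if ($rc -ne 0) {
            Write-Warning "NetShareGetInfo failed for $($share.Name) (error $rc)"
            continue
        }
        try {
            $flags = [System.Runtime.InteropServices.Marshal]::ReadInt32($buffer)
        } finally {
            # The buffer is allocated by the API and must be released by the caller.
            [void][AbeAudit.NetApi]::NetApiBufferFree($buffer)
        }
        New-Object PSObject -Property @{
            Share          = $share.Name
            Path           = $share.Path
            Administrative = ($share.Type -ne 0)
            AbeEnabled     = [bool]($flags -band $AbeFlag)
        }
    }
}

# Shares on which users can still see folders they have no permission to access.
Get-ShareAbeState | Where-Object { -not $_.AbeEnabled } |
    Select-Object Share, Path, Administrative
```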

Access-based enumeration can be enabled or disabled by using Share and Storage Management

Access-based enumeration can be manually enabled or disabled on individual shared folders and volumes by using Share and Storage Management. This snap-in is available after a folder or volume has been shared. You can access Share and Storage Management in the File Services server role in Server Manager, and in Administrative Tools. You can also install it manually in Server Manager by adding the File Server role service to File Services.

There are two ways to enable and disable access-based enumeration by using Share and Storage Management:

  • Share a folder or volume by using the Provision a Shared Folder Wizard. If you select the SMB protocol on the Share Protocols page of the Provision a Shared Folder Wizard, the advanced settings options on the SMB Settings page include the option to enable access-based enumeration on the shared folder or volume. (To see the advanced settings options, on the SMB Settings page of the wizard, click Advanced.)

  • Change the properties of an existing shared folder or volume. To change the properties of an existing shared folder or volume, on the Shares tab of Share and Storage Management, click the shared folder or volume, and then click Properties in the Action pane. The information under Advanced settings displays whether access-based enumeration is enabled. Click Advanced and then select or clear the Enable access-based enumeration check box.
