
Controlling Access-based Enumeration with Group Policy

The addition of Access-based Enumeration to the latest Windows Server 2003 service pack shows that Microsoft has finally jumped on the security bandwagon. Expert Derek Melber explains how the feature can be controlled using Group Policy.

The last article I wrote was on Access-based Enumeration (ABE). This is a revolutionary new feature that Microsoft has added to the latest Windows Server 2003 service pack. Although not that revolutionary for network operating systems, this feature shows that Microsoft finally has jumped on the security bandwagon. In this article, I will quickly review what ABE is and why it is so important. I also will go into detail about how you can control ABE -- and the shares it controls -- centrally with Group Policy.

Recap of ABE

ABE is the technology built into Windows Server 2003 Service Pack 1 that provides the administrator of a resource control over who can see shared folders and files. In essence, the goal of ABE is to keep users from seeing the files and folders to which they don't have access.

This is ideal for any organization that wants to hide files or folders under share points. If the user is omitted from the access control list (ACL) or is specifically denied the ability to read or list the resource, the file or folder will not be visible when browsing the shared folder resources in Windows Explorer. For HR-related resources, medical organizations, highly secure organizations or any organization that benefits from denying visible access to resources based on the ACL, ABE is an ideal solution.
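The visibility rule described above, as a simplified model in Python. This is an added example, not code from the article or from Microsoft; the `Ace` structure, the share contents and the user and group names are constructed, and real NTFS ACL evaluation is more detailed than this.

```python
from dataclasses import dataclass

READ, LIST = "read", "list"      # simplified rights; real NTFS ACLs are finer-grained
VIEW = frozenset({READ, LIST})


@dataclass(frozen=True)
class Ace:                        # hypothetical structure for this model
    kind: str                     # "allow" or "deny"
    trustee: str                  # user or group name
    rights: frozenset = VIEW


def can_see(acl, user, groups):
    """True if some ACE allows read/list for the user and none denies it."""
    who = {user, *groups}
    allowed = False
    for ace in acl:
        if ace.trustee not in who or not (ace.rights & VIEW):
            continue
        if ace.kind == "deny":
            return False          # specifically denied -> hidden
        allowed = True
    return allowed                # omitted from the ACL -> hidden


def enumerate_share(entries, user, groups, abe_enabled):
    """Names the server returns when the user browses the share."""
    if not abe_enabled:
        return sorted(entries)    # without ABE every name is listed
    return sorted(n for n, acl in entries.items() if can_see(acl, user, groups))


def hidden_by_abe(entries, user, groups):
    """Names the user would see only while ABE is off."""
    seen = set(enumerate_share(entries, user, groups, abe_enabled=True))
    return sorted(set(entries) - seen)


# Constructed sample share: folder name -> ACL
SHARE = {
    "Public":   [Ace("allow", "Domain Users")],
    "HR":       [Ace("allow", "HR Staff")],
    "Payroll":  [Ace("allow", "HR Staff"), Ace("deny", "alice")],
    "Projects": [Ace("allow", "bob")],
}

if __name__ == "__main__":
    alice = ("alice", ["Domain Users", "HR Staff"])
    print("ABE off:", enumerate_share(SHARE, *alice, abe_enabled=False))
    print("ABE on: ", enumerate_share(SHARE, *alice, abe_enabled=True))
    print("hidden: ", hidden_by_abe(SHARE, *alice))
```

In the model, ABE changes only which names are listed; the ACLs on the entries are the same in both runs.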

Centralizing shares and ABE with Group Policy

For years, the Active Directory community has wondered when there would be additional breakthroughs for controlling server environments using Group Policy. The ability to control User Rights, Services and Local Groups with Group Policy has always been there, but it seemed like other features were missing.

Thanks to DesktopStandard Corp.'s new PolicyMaker Share Manager, the wait is over. Share Manager provides a centralized and easy-to-configure policy to control both shared folders and whether or not those shares will be configured with ABE.

PolicyMaker simply adds nodes to the Group Policy Object Editor (GPOE), including the new Server Settings|Network Shares node.

The policy is very simple, offering you all of the required settings to control shares on a server, including:

  • Share name
  • Folder path
  • Hidden shares control
  • Administrative shares control
  • User limits

The creation and control of shares through this policy is very easy to configure. The ABE settings are just as easy.

Remember when using ABE, you must be configuring a Windows Server 2003 Service Pack 1 computer -- this is the only operating system that can provide this access and control. The client or system viewing the share does not matter; it simply depends on the target server.


ABE seems like a revolutionary technology for Microsoft IT professionals. It has been a long-awaited and needed feature. It is simple to configure on the share itself, and it is now just as simple to configure using Group Policy. With PolicyMaker's Share Manager, you are given control over shares and share properties such as ABE. With a good Active Directory design, deployment and management of shares has become more than just routine; it has become nearly obsolete. Group Policy is a perfect mechanism to control shares and the shared folder options.

Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at [email protected].
