I did some more digging, and discovered the issue lies in the fact that the server's local users group had access to everything as well, and this breaks ABE. I had to remove that group from all the shared folders and files in order for ABE to work properly. Thanks.
File Server Permissions Issue
I am inheriting a file server where permissions are all over the place and not consistent across the board, where people have access to things they should have, or vice versa. I've done a little clean-up here and there as issues have arisen. But now I am going full-on steam ahead to really clean it up.
Unfortunately, I am running into an issue that I am not sure how to resolve, and I need to figure it out.
We have our file server. On it, we have obviously the system drive, and then a separate drive that we store all the shared folders and files on.
My problem is basically this. At minimum, a basic user can at least read and execute any file anywhere on the shared drive. I can just navigate to \\fileserver and see all of our department shares, and all of the user shares.
I have tried mitigating that, but it just causes EVERYONE'S access to break. Our current structure is thus:
\\fileserver\departments
\\fileserver\userfiles
\\fileserver\uniquedrives
The trick is that I want someone who has access to \\fileserver\departments\HR to not see anything that is in \\fileserver\departments\IT and vice versa.
If someone navigates to \\fileserver\departments, they may see the individual department shares, but they can only enter their respective department share.
If someone navigates to \\fileserver\uniquedrives, they may see the individual shares in there, but they can only access the folders/shares they have access to.
If someone navigates to \\fileserver\userfiles, I don't want them to see anything except their OWN folder. You can't see anyone else's folder.
Problem is, I don't know where the hiccup lies. I've tried creating individual shares using the share wizard, but I don't like its structure. It wants to put every share on the root of our fileserver, so that \\fileserver\departments\hr actually reads as \\fileserver\HR rather than its actual location.
What am I missing?
2 additional answers
- MotoX80 (34,516 Reputation points), 2020-08-05T02:12:33.503+00:00
  Sounds like you need to implement access based enumeration.
- Dale Kudusi (3,236 Reputation points), 2020-08-05T07:06:11.873+00:00
  Hi
  Check out MotoX80's answer and try configuring Access-Based Enumeration.
  Also learn more about Access-Based Enumeration: https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/access-based-enumeration-abe-concepts-part-1-of-2/ba-p/400435
  Please feel free to let us know if you need further assistance.
  Best regards.
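The two fixes the thread converges on are (1) turning on Access-Based Enumeration per share and (2) removing broad groups such as the server's local Users group from the folder ACLs, since ABE can only hide a folder from a user who has no read/list access to it. The following PowerShell audit script is an added example written for this page; it is not code from any participant in the thread or from Microsoft. It assumes a Windows Server with the built-in SmbShare module, run locally as an administrator, and assumes the broad-principal names listed in the parameter (adjust them for your domain). It reports non-ABE shares and broad ACEs on each share root and its first-level subfolders, and only changes the share enumeration mode when you pass -EnableAbe; ACL clean-up is left to you because removing the wrong ACE is what broke "EVERYONE'S access" in the question.

```powershell
<#
  Added example, not from the original thread.
  Audits SMB shares for two conditions that defeat Access-Based Enumeration:
    1. FolderEnumerationMode is not AccessBased on the share.
    2. A broad principal (e.g. BUILTIN\Users) has an Allow ACE on the share
       root or a first-level subfolder, so ABE shows that folder to everyone.
  Assumes: Windows Server, SmbShare module, elevated session.
#>
[CmdletBinding()]
param(
    # Switch shares to AccessBased enumeration instead of only reporting.
    [switch]$EnableAbe,

    # Principals whose presence in an ACL makes every user "have access".
    # Assumed list; add your own (e.g. 'CONTOSO\Domain Users') as needed.
    [string[]]$BroadPrincipals = @(
        'BUILTIN\Users',
        'Everyone',
        'NT AUTHORITY\Authenticated Users'
    )
)

function Get-BroadAccessEntries {
    param([string]$Path)
    # Returns the Allow ACEs (explicit or inherited) on $Path whose trustee is
    # one of the broad principals. An empty result means ABE can hide $Path
    # from users who are not otherwise granted access.
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value
    }
}

# Administrative shares (C$, ADMIN$, IPC$) are marked Special; skip them.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

foreach ($share in $shares) {
    Write-Host "`n== \\$env:COMPUTERNAME\$($share.Name) -> $($share.Path)"

    # Step 1: the share-level ABE switch.
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        if ($EnableAbe) {
            Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
            Write-Host "   ABE enabled on share $($share.Name)"
        } else {
            Write-Warning "   ABE is OFF (FolderEnumerationMode=$($share.FolderEnumerationMode))"
        }
    }

    # Step 2: ACLs on the share root and its first-level folders (the
    # department or per-user folders the question wants hidden from each other).
    $children = Get-ChildItem -LiteralPath $share.Path -Directory -ErrorAction SilentlyContinue
    $folders  = @($share.Path) + @($children.FullName)

    foreach ($folder in $folders) {
        foreach ($ace in (Get-BroadAccessEntries -Path $folder)) {
            $how = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            Write-Warning ("   {0}: {1} has {2} ({3}); ABE cannot hide this folder" -f
                $folder, $ace.IdentityReference, $ace.FileSystemRights, $how)
        }
    }
}
```

Run it once without switches to get the report, then fix the flagged ACLs (typically by breaking inheritance at the share root and replacing the broad group with per-department or per-user groups) before running again with -EnableAbe. Inherited hits are the ones to look at first: an ACE for the local Users group inherited from the drive root is exactly the situation the question's author describes in the follow-up.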