Access-based Enumeration – Part 3

The GUI and the Commandline-Tool including the Whitepaper for Access-based Enumeration are finally available for some time. I wanted to blog this earlier, but have been busy and ill.


Back to ABE: There are three different Versions for i386, x64 and ia64. Downloads for all versions are available on the Microsoft Download Center: Windows Server 2003 Access-based Enumeration.


After you downloaded it, you need to install the package on a Windows Server 2003 with SP1. Afterwards you’ll recognize an additional Tab named “Access-based Enumeration” on the properties of a shared folder in Windows Explorer. Note that you won’t see this additional tab if you just enabled sharing on the folder. Close the properties of the folder and reopen it to see the tab. Now looking on the Access-based Enumeration-tab you can select whether to enable/disable ABE, and if you want to apply that setting to all shared folders on the current computer.



Additional to the tab the ABEUI.msi there’s a Whitepaper installed in your Program Files\Microsoft Corporation\Windows Server 2003 Access-based Enumeration-Folder. And the third component of the installation is the Commandline-Tool ABECMD.exe. It takes the parameters /enable and /disable to configure a shared folder using ABE or not, the parameter /server for remote administration and /all to specify all shared folders on a server.



Now the most important part: If you don’t want to do a full install of all components on every Server where you like ABE (why would you want the whitepaper sitting on every server) you are able to install the GUI-Tab or Commandline-Tool separately as well: you can just copy ABECMD.exe from the %windir%\system32-Folder to the servers where you want it. If you want the Tab you need to copy ABEUI.dll and run the following command to register it:


regsvr32 %windir%\system32\abeui.dll



Remember that you need the Service Pack 1 for Windows Server 2003 to finally get Access-based Enumeration.

8 Responses

  • Ulf – are You sure thath it should be this command ?

    regedit32 %windir%\system32\abeui.dll

    To register the dll You should use regsvr32.exe command.

  • Hi Tomasz,

    thanks you very much – made an typo. I’ve corrected it.

    Ulf

  • I have windows server 2003 with Sp1 and ABE instastalled. I’ve activated on the server but i can still see the share from a client even though i don’t have access to it.

  • Anyone tried this in a cluster? When my share(s) failover to the other node, I keep losing the ABE setting. The properties of the share resource in the resource group dont allow me to set anything about ABE.

    Is here someone who can verify this?

  • I can confirm the behaviour noted on fail-over clusters. The cluster service is not aware of the property and it does not re-initialize after a resource (shared folder) is moved to a different node. The only option that I can envision at this time a some sort of minitoring job that would reset ABE on the share when it moves to a new node in the cluster.

  • Hi Kees-Jan and netmarcos,

    Ward Ralston from the Windows Server Devision just published a solution for your issues on http://blogs.technet.com/windowsserver/archive/2005/07/06/407385.aspx.

    HTH, Ulf

  • Even I have windows server 2003 with Sp1 and ABE instastalled. I’ve activated on the few shares but i can still see the share from a client even though i don’t have access to it

  • Hello Swami,

    sorry for getting back so late – comment notification does not work “currenty”.

    ABE won’t hide shares, it just hides it’s content for non-admins who do not have read access to the specific folders or files. Check out my other blog posts about ABE which demonstrate what to expect.

Leave a Reply