Microsoft

Using Access-Based Enumeration with Cluster Server

Background

Relatively new to Windows Server (introduced in Windows Server 2003 SP1) is a feature called Access-based Enumeration (ABE), which hides files and folders throughout a share from user accounts that have been granted no permissions on those objects. Simply put, if a user does not have at least Read access to an object, that user cannot even see it in a directory listing. Keep in mind that ABE is a presentation control rather than an access control: the NTFS permissions on the objects still decide what a user can open, and ABE only stops the names of inaccessible objects from being returned. If you have ever worked in a Novell NetWare environment you have probably seen this in action, as users see only the data they have permission to access on NetWare shared volumes.

This feature is not used all that often in Windows file server environments, but it is quite helpful when migrating data from NetWare to Windows, as the end result looks the same as what users have been accustomed to seeing for years.

For an excellent write-up on ABE and how it works, see the tech section of Mark Minasi’s Networking Tech Page, Issue #54.

Windows Cluster Server Solution

When you use ABE in a Cluster Server configuration, it quickly becomes apparent that when a File Share resource fails over to another cluster node, the ABE functionality that was previously enabled is lost. The reason is that ABE is a per-share flag that is off by default on a newly created share, and when a File Share resource fails over, the new hosting node effectively re-creates the share, so the flag comes up cleared.

The supported workaround is to add a Generic Application resource to the cluster group that runs the abecmd.exe command-line tool, so that ABE is re-enabled automatically after a failover.

Make the new Generic Application resource dependent on the File Share resource it is meant to protect (for example, the HOME1 File Share), so that abecmd runs only after the share has been brought online on the new node.

Configure the resource parameters with a command line of the form:

cmd.exe /k abecmd /enable <sharename>

The /k switch makes cmd.exe run the command and then stay open rather than exit. This matters because a Generic Application resource is considered failed as soon as its process terminates; without /k, abecmd would finish, cmd.exe would exit, and Cluster Server would treat that as a failure and attempt to fail over the Generic Application resource. Also confirm that “Allow application to interact with desktop” is not selected, as otherwise a cmd.exe window would be displayed and left open on the server console. Note that abecmd.exe is installed by the ABEUI package, so it has to be present on every node that can host the cluster group, and it runs under the Cluster service account, which needs administrative rights on each node to change share settings.
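The procedure above, scripted against cluster.exe (the Windows Server 2003 cluster command-line tool) rather than clicked through Cluster Administrator. This is an added example, not code from the original post; the group name “HOME1 Group”, the File Share resource name “HOME1 File Share”, the new resource name “ABE HOME1”, the working directory and the location of abecmd.exe on the PATH are all assumptions to adjust for your cluster.

```powershell
# Added example, not code from the original post: create the Generic Application
# resource with cluster.exe (the Windows Server 2003 cluster command-line tool).
# Assumed names (change to match your cluster): group "HOME1 Group", existing
# File Share resource "HOME1 File Share" for share HOME1, new resource "ABE HOME1".
# Assumes abecmd.exe (from the ABEUI package) is installed on every node that can
# host the group. Run on a cluster node with administrative rights.
$Group     = 'HOME1 Group'
$ShareRes  = 'HOME1 File Share'
$ShareName = 'HOME1'
$AbeRes    = 'ABE HOME1'

# Run cluster.exe and stop on the first error instead of silently continuing.
function Invoke-Cluster([string[]]$ArgList) {
    $out = & cluster.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "cluster.exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE`n$out"
    }
    $out
}

# 1. Create the resource in the same group as the file share.
Invoke-Cluster @('res', $AbeRes, '/create', "/group:$Group", '/type:Generic Application')

# 2. Private properties: the command line from the post (/k keeps cmd.exe alive so
#    the resource is not reported as failed), a working directory (Generic
#    Application requires one; C:\Windows\System32 is an assumption), and no
#    desktop interaction so no console window is left open on the server.
Invoke-Cluster @('res', $AbeRes, '/priv', "CommandLine=cmd.exe /k abecmd /enable $ShareName")
Invoke-Cluster @('res', $AbeRes, '/priv', 'CurrentDirectory=C:\Windows\System32')
Invoke-Cluster @('res', $AbeRes, '/priv', 'InteractWithDesktop=0')

# 3. Depend on the File Share resource so abecmd runs only once the share exists
#    on the node that just took over.
Invoke-Cluster @('res', $AbeRes, "/adddep:$ShareRes")

# 4. Bring it online and print the resulting private properties for review.
Invoke-Cluster @('res', $AbeRes, '/online')
Invoke-Cluster @('res', $AbeRes, '/priv')
```

To check the result, move the group to another node (cluster group "HOME1 Group" /moveto:&lt;node&gt;) and confirm from a client account without permissions that the folders it could not see before are still hidden after the move; if they reappear, the Generic Application resource came online before the share did, which usually means the dependency was not set.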

Add-on Functionality

Also worth noting is that scripts and third-party tools can control ABE through the NetShareSetInfo API. And because ABE is built into the Windows Server 2003 SP1 and R2 code, the ABEUI.msi package does not even need to be installed on the file server if you take this route, as that package only installs the GUI (shell extension) and the abecmd.exe command-line interface. The MSDN Library documents this as a call to NetShareSetInfo at information level 1005, passing a SHARE_INFO_1005 structure whose shi1005_flags member has the flag SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS (defined as 0x0800 in lmshare.h) set. Because shi1005_flags also carries other per-share settings, read the current value with NetShareGetInfo and OR the bit in rather than overwriting the whole field.
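The API call described above, as an added example that is not code from the original post or from any of the products it mentions. It P/Invokes NetShareGetInfo and NetShareSetInfo at level 1005 from PowerShell (2.0 or later, for Add-Type), reads the current flags, toggles only the ABE bit, and exposes a check that can be pointed at the clustered network name after a failover. The share name HOME1 is an assumption.

```powershell
# Added example, not from the original post: set and inspect the ABE flag directly
# through NetShareGetInfo/NetShareSetInfo at information level 1005, with no
# dependency on abecmd.exe or the ABEUI package. Requires PowerShell 2.0 or later,
# administrative rights, and (assumption) an existing share named HOME1.
if (-not ('Win32.NetApi' -as [type])) {
    Add-Type -Namespace Win32 -Name NetApi -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct SHARE_INFO_1005 { public uint shi1005_flags; }

[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetShareGetInfo(string serverName, string netName, int level, out IntPtr bufPtr);

[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetShareSetInfo(string serverName, string netName, int level, ref SHARE_INFO_1005 buf, out uint parmErr);

[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buffer);
'@
}

# SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS from lmshare.h: the bit that turns ABE on.
$ABE_FLAG = [uint32]0x0800

# Read the current shi1005_flags for a share ($null server means this computer).
function Get-ShareFlags([string]$Share, $Server = $null) {
    $buf = [IntPtr]::Zero
    $rc = [Win32.NetApi]::NetShareGetInfo($Server, $Share, 1005, [ref]$buf)
    if ($rc -ne 0) { throw "NetShareGetInfo('$Share') failed, NET_API_STATUS $rc" }
    try {
        return [uint32]([System.Runtime.InteropServices.Marshal]::ReadInt32($buf) -band 0xFFFFFFFF)
    } finally {
        [void][Win32.NetApi]::NetApiBufferFree($buf)
    }
}

# Enable or disable ABE with a read-modify-write so the other bits in shi1005_flags
# (for example the offline-caching settings) are preserved.
function Set-ShareAbe([string]$Share, [bool]$Enabled, $Server = $null) {
    $flags = Get-ShareFlags $Share $Server
    if ($Enabled) { $new = $flags -bor $ABE_FLAG } else { $new = $flags -band (-bnot $ABE_FLAG) }
    $info = New-Object 'Win32.NetApi+SHARE_INFO_1005'
    $info.shi1005_flags = [uint32]$new
    $parmErr = [uint32]0
    $rc = [Win32.NetApi]::NetShareSetInfo($Server, $Share, 1005, [ref]$info, [ref]$parmErr)
    if ($rc -ne 0) { throw "NetShareSetInfo('$Share') failed, NET_API_STATUS $rc (parm_err $parmErr)" }
}

# Report whether ABE is currently on; useful as a post-failover check.
function Test-ShareAbe([string]$Share, $Server = $null) {
    return (((Get-ShareFlags $Share $Server) -band $ABE_FLAG) -ne 0)
}

Set-ShareAbe -Share 'HOME1' -Enabled $true
Test-ShareAbe -Share 'HOME1'
```

Test-ShareAbe with -Server set to the cluster’s virtual server name is a cheap way to confirm, from any management workstation, that the flag survived a failover without waiting for a user to report folders reappearing.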

One example of this in practice is the Quest NDS Migrator application, which can enable or disable ABE on a target share through its Volume Mappings component.
