How to Map a Network Drive to Show only the Folders for which the User has Access

How to Map a Network Drive and Enable Access Based Enumeration

Drive mapping is a technique that is used to simplify the process of accessing shared folders from a local computer. In mapping, a drive letter is assigned to a shared folder, letting the folder be accessed as though it were a local drive.

However, in an organization, there may be cases where users should see only the folders to which they have access. For example, if a shared folder contains folders for every department, such as Sales, IT, HR, and so on, an employee belonging to the Sales department does not need to view or access the IT folder. This applies for both security and usability reasons.

This article explains how to map a network drive using Access Based Enumeration, which can be configured either through the Server Manager or with PowerShell.

What is Access Based Enumeration (ABE)?

Access Based Enumeration (ABE) displays only the files and folders to which the user has access permissions. A folder is hidden from the user's view if they do not have Read or equivalent permissions on it. This feature applies only to shared folders and is not available when viewing files and folders on a local drive or file system. Its main advantages are increased confidentiality and usability.

As folders can be hidden from users who do not have access to them, there is an additional level of security. Employees are given access to only the folders that are required for work and not any other folders or files. Besides the increase in security, the user experience is also improved. Because the files and folders the user cannot access are not displayed, there is no distraction while searching for specific data. This also helps avoid confusion about which folders the user has access to. When all the folders on the shared drive are visible, users tend to be unsure which folders they can and cannot access, which ultimately has to be resolved by the IT administrators.

Mapping a Network Drive and Enabling Access Based Enumeration

Mapping a Network Drive

The drive mapping can be performed using the following steps, after which Access Based Enumeration can be enabled to show only the folders to which the user has access.
  1. Create a top-level folder that is going to be shared.
  2. Create sub-folders within the folder which will be shared with different users. For example, sub-folders for each department such as Sales, IT and HR can be created.
  3. Open the Server Manager and select the Properties of the top-level folder and navigate to the Advanced Sharing tab. Select the Share this folder option and enter the Share name.
  4. Navigate to Permissions and set the required permissions and save changes.
  5. In the Permissions tab, click on Add > Select Principal and select This folder only from the Applies to drop-down list. Click on Show Advanced Permissions and select the required options and click OK > Apply.
  6. Create security groups that will be delegated the Read/Write access to each folder.
  7. Delegate access to the folders and add the user to a security group that was granted Modify access.

Enabling Access Based Enumeration

Access Based Enumeration can be enabled by following the instructions given below.
  1. Open the Server Manager on the server containing the shared folder. This can be done by typing ServerManager on the Command Prompt or by launching it from the Start menu.
  2. Click on File and Storage Services from the left pane of the Server Manager console.
  3. Next click on Share from the left pane of the console.
  4. From the list, choose a network folder for which Access Based Enumeration needs to be enabled.
  5. Right-click on the chosen folder and select the Properties option.
  6. In the Share Properties dialog box, switch to the Settings tab.
  7. Select the Enable Access-based Enumeration option.

Access Based Enumeration using PowerShell

1. Access Based Enumeration can be configured using the following PowerShell command.
            Set-SmbShare -Name "Share" -FolderEnumerationMode AccessBased
2. The settings can be verified using the following command.
            Get-SmbShare -Name "Share" | Select-Object Name,FolderEnumerationMode
3. All the local shares can be checked using the following command.
            Get-SmbShare | Select-Object Name,FolderEnumerationMode
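
The Server Manager procedure and the commands above can be combined into one script; the following is an added example, not code from the original article. The folder path, share name, domain and the FS-<department>-Modify groups are assumptions (the groups are expected to exist already), and because ABE only hides entries, the NTFS permissions the script sets are what actually decide which department folders each user can see and open.

```powershell
# Added example: run in an elevated session on the file server.
# All names below are assumptions for illustration, not values from the article.
$Root        = 'D:\Shares\Departments'   # hypothetical top-level folder
$ShareName   = 'Departments'             # hypothetical share name
$Domain      = 'EXAMPLE'                 # placeholder NetBIOS domain name
$Departments = 'Sales', 'IT', 'HR'       # department sub-folders from the article's example

function New-Rule($Identity, $Rights, $Inherit) {
    # Helper (hypothetical name): build an Allow entry for an NTFS ACL.
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
}

# Top-level folder: stop inheriting from the volume, keep admin access, and let
# users read the root itself only ("This folder only"), not its children.
New-Item -Path $Root -ItemType Directory -Force | Out-Null
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit,ObjectInherit'))
$acl.AddAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $acl

# One sub-folder per department; only that department's group gets Modify.
# Users outside the group have no Read permission, so ABE hides the folder.
foreach ($dept in $Departments) {
    $path = Join-Path $Root $dept
    New-Item -Path $path -ItemType Directory -Force | Out-Null
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule((New-Rule "$Domain\FS-$dept-Modify" 'Modify' 'ContainerInherit,ObjectInherit'))
    Set-Acl -Path $path -AclObject $acl
}

# Create the share with ABE on, or switch ABE on if the share already exists.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
} else {
    New-SmbShare -Name $ShareName -Path $Root -ChangeAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# Verify this share, then list any non-administrative share still without ABE.
Get-SmbShare -Name $ShareName | Select-Object Name, Path, FolderEnumerationMode
Get-SmbShare -Special $false |
    Where-Object FolderEnumerationMode -ne 'AccessBased' |
    Select-Object Name, Path
```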

In conclusion, Access Based Enumeration can make drive mapping more efficient by showing users only the folders their access permissions allow. This helps both users and administrators. However, the major drawback of this method is that it creates an additional load on the server, which in turn impacts the performance of the server. Hence, this method must be employed after considering its capabilities and potential limitations.