There is something that has always annoyed me about the way windows shares are displayed to a user – they get to see all of them!

Yes I know about putting a $ after the share, such as c$, or admin$, but what about those shares that the president of the company wants to have – and doesn’t want his employees to even know that they exist?

Finally Microsoft has put out a utility to fix this.


It is called “Access-based Enumeration”. It is only available for Windows 2003 SP1.
Here is a typical shared folder with a few folders beneath it. The user does not have permissions to the Microsoft folder however it still appears.

Once you start the Microsoft Access-based Enumeration installation, you get asked a simple question:

If you select all, then access based enumeration will be enabled for all current shares on the system – otherwise you will need to set them each individually.

Once the install is finished, a new tab appears when looking at the properties of a share:

When enabled, Access-Based Enumeration will hide the folders and files underneath a share when the user who is mapped to the share has no permissions to read them. This is a security friendly and end user friendly feature, if you don’t have permissions to see it you shouldn’t and if you don’t need to see it you won’t!

Too bad they don’t have this type of functionality for 2000, or 2003 without SP!

The official download page for Microsoft Access-based Enumeration is located here:
Microsoft Access-Based Enumeration