We're in the process of migrating from Novell NetWare to a Windows 2K8 R2 infrastructure (AD, file server, print server, etc.).
My question is about ACLs. While NetWare and Windows are totally different, I want to be sure my thinking is right before screwing everything up!
Here is the scenario:

F:
|
+-- DATA   <= shared as DATA with access-based enumeration
    |
    +-- Folder 1
    +-- Team 1's Folder
    +-- Team 2's Folder
    ...
In that case, by default, rights are inherited from F: down to the deepest folders.
What we want:
- The Administrators group has full control top-down.
- From DATA, ABE lists only the folders that users have access to (e.g. I'm in group Team 2, so I see Team 2's Folder).
From what I understand, at DATA I remove all the inherited NTFS ACEs (e.g. the Users group), making sure to keep the Administrators group and the SYSTEM user.
After that, I grant Full Control (or whatever right is needed) on each folder to the groups or users that have to have access.
Am I wrong? Is there anything I should take care of?
Any help with my understanding will be very much appreciated.
Regards.
Correct.
I tend not to grant users Full Control, though, because I've had too many mess up the permissions. So I grant them all permissions except the Take Ownership and Change Permissions permissions. And I'd probably advise setting up two groups for each folder you're granting access to: one for read-only access and one for modify access, since that tends to come up a lot in my experience, and the fewer people that can accidentally delete all the files, the less often I have to do restores from backup.
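The procedure from the question (cut inheritance at DATA, keep Administrators and SYSTEM, then grant per-folder groups) combined with the refinements in this answer (no Full Control for users, a read-only and a modify group per folder), as an added PowerShell example that is not code from the question or the answer. It assumes the F:\DATA layout above, that the team folders sit directly under DATA, and hypothetical domain groups named FS-<Team>-RO and FS-<Team>-RW that you create beforehand; the domain name CONTOSO is a placeholder.

```powershell
# Added example: NTFS ACL setup for the ABE share in the question.
# Placeholders: $Domain and the FS-<Team>-RO / FS-<Team>-RW groups must exist first.
$Domain      = 'CONTOSO'                 # placeholder domain name
$DataRoot    = 'F:\DATA'                 # share root from the question
$TeamFolders = @('Team 1', 'Team 2')     # one "<Team>'s Folder" under DATA per team

# ACEs apply to the folder, its subfolders and files (normal NTFS inheritance).
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

# "Everything except Take Ownership and Change Permissions": start from Full Control
# and clear the two bits that would let a user rewrite the folder's ACL.
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$AclBits     = [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions
$ModifyNoAcl = [System.Security.AccessControl.FileSystemRights]($FullControl -band -bnot $AclBits)

function New-Ace([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, $Allow)
}

# Step 1: at DATA, stop inheriting from F:\ (discarding the inherited ACEs instead of
# copying them), drop any explicit leftovers such as Users, then re-add the two
# principals that must keep full control all the way down.
$acl = Get-Acl -Path $DataRoot
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}
[void]$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' ([System.Security.AccessControl.FileSystemRights]::FullControl)))
[void]$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    ([System.Security.AccessControl.FileSystemRights]::FullControl)))
Set-Acl -Path $DataRoot -AclObject $acl

# Step 2: each team folder keeps inheriting Administrators/SYSTEM from DATA and gets
# two explicit ACEs: read-only group -> Read & Execute, modify group -> all but the
# two ACL-changing rights. ABE then lists a folder only for members of these groups.
foreach ($team in $TeamFolders) {
    $path = Join-Path $DataRoot "$team's Folder"
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $tag  = $team -replace '\s', ''       # "Team 2" -> "Team2" in the group name
    $acl  = Get-Acl -Path $path
    [void]$acl.AddAccessRule((New-Ace "$Domain\FS-$tag-RO" ([System.Security.AccessControl.FileSystemRights]::ReadAndExecute)))
    [void]$acl.AddAccessRule((New-Ace "$Domain\FS-$tag-RW" $ModifyNoAcl))
    Set-Acl -Path $path -AclObject $acl
}

# Verify: every ACE on each team folder, showing which ones are inherited from DATA.
foreach ($team in $TeamFolders) {
    $path = Join-Path $DataRoot "$team's Folder"
    Write-Host "== $path"
    (Get-Acl -Path $path).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Run it as a member of Administrators, since the account doing the Set-Acl on DATA must still have access once the inherited ACEs are gone. The `-bnot` mask is the point of the script: the modify group ends up with every Full Control bit except Take Ownership and Change Permissions, which is what keeps users from reworking the ACL themselves.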
One thing I would definitely do is enable the limit on the folder depth for which ABE applies. Without this limit, serious performance issues may occur. The appropriate limit can only be determined by you; an example for a depth of 3 is below. This requires srv2.sys file version 6.1.7601.22055 or higher.
More information:
High CPU usage on Windows Server 2008 R2 with ABE enabled
http://support.microsoft.com/kb/2732618
[...]
The value of the above-mentioned key is set as follows:
Value = 0: ABE is enabled for all levels (default behaviour without the key as well)
Value = 1: ABE enabled for depth 1 (\\server\share)
Value = 2: ABE enabled for depth 2 (\\server\share\folder)
And so on for further levels.
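A way to apply the depth limit this answer describes, as an added PowerShell example that is not code from the answer or the KB article: it first checks that the installed srv2.sys is at least the 6.1.7601.22055 named above, then writes the depth as a REG_DWORD. The registry key path and value name are not on this page and are passed in as placeholders; take them from the linked KB 2732618 article.

```powershell
# Added example: guard the ABE depth setting behind the srv2.sys version check.
function Test-AbeDepthSupported {
    # Build a comparable version from the numeric parts of srv2.sys's file version.
    $v = (Get-Item "$env:SystemRoot\System32\drivers\srv2.sys").VersionInfo
    $installed = New-Object System.Version($v.FileMajorPart, $v.FileMinorPart,
                                           $v.FileBuildPart, $v.FilePrivatePart)
    $installed -ge [System.Version]'6.1.7601.22055'
}

function Set-AbeDepth {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,    # placeholder: key path from KB 2732618
        [Parameter(Mandatory = $true)][string]$ValueName,  # placeholder: value name from KB 2732618
        [int]$Depth = 3   # 0 = all levels, 1 = \\server\share, 2 = \\server\share\folder, ...
    )
    if ($Depth -lt 0) { throw "Depth must be 0 or greater." }
    if (-not (Test-AbeDepthSupported)) {
        throw "srv2.sys is older than 6.1.7601.22055; apply the hotfix from KB 2732618 first."
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Depth -Force | Out-Null
    # Return what is now stored so the caller can confirm the write.
    (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

# Usage (placeholders, not real names): depth 3 as in the answer's example.
# Set-AbeDepth -KeyPath 'HKLM:\<key from KB 2732618>' -ValueName '<value from KB 2732618>' -Depth 3
```

Depth 3 in this layout means ABE filtering stops at \\server\DATA\<team folder>\<subfolder>; deeper directories are listed without the per-entry access check, which is the trade-off the answer is recommending.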