Access Based Enumeration (ABE) is not working as desired. Users cannot view subfolders to which they have access.
If a user knows the full UNC path to a file or folder that they have access to, they can type the full UNC path to the file/folder to view the contents even if they are not allowed to traverse the file structure due to lack of permissions.
ABE is designed to omit from the user's view any folders in a shared resource to which they do not have explicit or inherited access.
If the user does not have access to the parent folder (within the shared resource), but does have access to a subfolder (due to explicit permissions), the user will not be able to view the subfolder.
- With ABE disabled, the user will receive an Access Denied when attempting to access the parent folder.
- With ABE enabled, the user will not see the parent folder and cannot see (and will not have access to) the subfolder.
To make subfolders available when ABE is enabled (and the parent folder appears to be missing), apply appropriate permissions to each parent folder above the desired subfolder so that the user can view and navigate to it.
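One way to apply such permissions is sketched below as an added example (not part of the original article): it grants the user Read & Execute on each parent folder as "This folder only", so the user can navigate down to the subfolder without the grant inheriting to sibling folders or files. The function name, paths and account are hypothetical, and the choice of Read & Execute is an assumption about what "appropriate permissions" means in your environment.

```powershell
# Added example. The function name, paths and account below are hypothetical.
function Grant-ParentListAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ShareRoot,   # local path of the shared folder
        [Parameter(Mandatory)][string]$Target,      # subfolder the user already has access to
        [Parameter(Mandatory)][string]$Identity     # account or group, e.g. 'CONTOSO\jsmith'
    )

    $root = (Resolve-Path -LiteralPath $ShareRoot).ProviderPath.TrimEnd('\')
    $leaf = (Resolve-Path -LiteralPath $Target).ProviderPath.TrimEnd('\')
    if (-not $leaf.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Target '$leaf' is not below share root '$root'."
    }

    # An Allow ACE with no inheritance or propagation flags applies to
    # "This folder only": it is not inherited by child folders or files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # Walk upward from the target's parent to the share root (inclusive).
    $current = Split-Path -Path $leaf -Parent
    while ($current) {
        $folder = $current.TrimEnd('\')
        if ($PSCmdlet.ShouldProcess($folder, "Grant $Identity ReadAndExecute (this folder only)")) {
            $acl = Get-Acl -LiteralPath $current
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $current -AclObject $acl
        }
        if ($folder -ieq $root) { break }
        $current = Split-Path -Path $current -Parent
    }
}

# Preview the changes first, then run again without -WhatIf to apply them.
Grant-ParentListAccess -ShareRoot 'D:\Shares\Projects' `
    -Target 'D:\Shares\Projects\Finance\Reports' -Identity 'CONTOSO\jsmith' -WhatIf
```

Because the entry is not inherited, ABE continues to hide sibling folders on which the user has no permissions. Granting to a group rather than an individual account keeps the parent ACLs easier to audit.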
The addition or modification of permissions may need to be considered pre-migration or post-migration (if using NDS Migrator to move data) to achieve the desired results.
Review the attached document "User Impact NDS Migrations Quest and Microsoft", pages 18 to 27, for further information on ABE and examples of its use.
For further information on ABE, refer to the Microsoft article "Windows Server 2003 Access-based Enumeration":