
Access Based Enumeration and Common (All users) Folders

    Just figured this out, and I'm worried there might be some huge flaw in this I didn't consider, so if you have any thoughts on it let me know:

    So this is how you can redirect a shell folder (such as Common/All Users Programs) to a share on the local server. Why do this? Since the folders are technically being viewed through a share now, you can take advantage of Access Based Enumeration (available in 2008 by default, or as an add-in on 2003) to show or hide programs by changing the NTFS permissions. Access Based Enumeration means users simply do not see files or folders they do not have access to. To me it just seems easier than disabling the All Users folder and maintaining several folders for different groups.

    Browse to c:\Documents and Settings\All Users\ (on 2003) or C:\ProgramData\Microsoft\Windows\Start Menu\Programs (2008) and share the folder as Programs$ with Administrators full control, and Authenticated Users Write share-level permission.

    On this folder block NTFS inheritance. Set Local Administrators & System to full control on this folder and subfolders. I would also recommend creating a group called "Profile_Troubleshooting" and giving it Read and Execute; this would be a group you can add users to in order to access settings that may normally be denied or invisible.

    Manually set NTFS permissions on the subfolders or individual program links, choosing for each which groups or users should be able to see them. I have yet to do this in production, but I believe this should keep people who are not added from even seeing the folders or links they aren't supposed to run.

    Open Regedit and change the value of "Common Programs" to \\machinename\programs in all of the following keys. Substitute the FQDN of the server for machinename.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    If the machine is running x64, then also set it in the following keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    In this example I am referring to Common Programs, but with minor adjustments this could apply to any of the other Shared folders:
    Common AppData
    Common Desktop
    Common Documents
    Common Programs
    Common Startup
    Common Templates
    Common Music
    Common Video
    Common Pictures

    **Note, this is not meant to take over from Software Restriction Policies; it is more meant to hide elements from the restricted end users.
    Last edited by Wired; 13th January 2011, 17:01. Reason: fixed formatting
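The procedure in the post above, written out as a PowerShell script to run on the file server. This is an added example and not Wired's own script or the 2003/2008 tooling: it assumes the SmbShare module (Server 2012 or later) for the share and ABE steps, the 2008 Start Menu path, and made-up names for the server FQDN lookup, the "Finance Tools" folder and the DOMAIN\Finance_Users group. The older commands for 2003/2008 are noted in comments.

```powershell
# Added example (not from the original post). Assumes Server 2012+ for the
# SmbShare cmdlets; $Server, the sample app folder and group are assumptions.
$Programs = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'
$Share    = 'Programs$'
$Server   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # FQDN

# 1. Share the folder with Access Based Enumeration turned on.
#    Share ACL: Administrators full control, Authenticated Users change
#    (the share-level permission that allows writing).
#    On 2003/2008 without this module, from cmd.exe:
#      net share Programs$="C:\ProgramData\Microsoft\Windows\Start Menu\Programs" /GRANT:Administrators,FULL /GRANT:"Authenticated Users",CHANGE
#    then abecmd /enable Programs$ (2003 ABE add-in) or tick
#    "Enable access-based enumeration" in the share's properties (2008).
New-SmbShare -Name $Share -Path $Programs `
    -FullAccess 'Administrators' -ChangeAccess 'Authenticated Users' `
    -FolderEnumerationMode AccessBased | Out-Null

# 2. NTFS on the root: drop inherited ACEs, then Administrators and SYSTEM
#    full control on folder, subfolders and files, Profile_Troubleshooting
#    read/execute everywhere. Authenticated Users get Read on this folder
#    only (no (OI)(CI)): that is the minimum needed to list the share root,
#    and without any ACE here non-members get an access error instead of an
#    empty Start Menu. Nobody but admins has write on the tree.
icacls $Programs /inheritance:r `
    /grant 'Administrators:(OI)(CI)F' `
           'SYSTEM:(OI)(CI)F' `
           'Profile_Troubleshooting:(OI)(CI)RX' `
           'Authenticated Users:R'

# 3. Per application: add read/execute for the group that should see it.
#    Other users inherit no ACE for this folder, so ABE hides it from them.
#    Folder and group names are made up for the example.
$app = Join-Path $Programs 'Finance Tools'
icacls $app /grant 'DOMAIN\Finance_Users:(OI)(CI)RX'

# 4. Point "Common Programs" at the share in every key the post lists.
#    Shell Folders holds REG_SZ, User Shell Folders holds REG_EXPAND_SZ.
$Target = "\\$Server\$Share"
$bases  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {          # x64 host
    $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer'
}
foreach ($base in $bases) {
    Set-ItemProperty -Path "$base\Shell Folders"      -Name 'Common Programs' -Value $Target -Type String
    Set-ItemProperty -Path "$base\User Shell Folders" -Name 'Common Programs' -Value $Target -Type ExpandString
}

# 5. Check what was written: effective NTFS ACL on the root and the
#    redirected values. Explorer reads these at logon, so test with a
#    fresh logon rather than an already open session.
icacls $Programs
foreach ($base in $bases) {
    Get-ItemProperty -Path "$base\User Shell Folders" -Name 'Common Programs'
}
```

Two points worth keeping in mind when applying this. ABE only hides entries from a directory listing; a user who knows a shortcut's full UNC path and has NTFS read on it can still open it, which is why the post rightly says this is not a substitute for Software Restriction Policies. And once the All Users Start Menu lives on a share, every machine that has the registry change will show whatever is in that share to every logged-on user, so write access to the tree should stay with administrators via NTFS regardless of what the share-level ACL allows, and the machines now depend on that server being reachable at logon.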