0

We are now using Access-based Enumeration inside our AD server. It is very cool: share ONE folder, set the permissions and "BOOM!", it works. But I have noticed that local Administrators are seeing the folders that they don't have access to. How can I avoid that?

Local administrator, in our case, is a privilege given only to certain people (ordinary non-IT users like managers, and our IT trainees). Even though they do not have access to the contents, the list of folders is big and some users get confused.

I am running Windows Server 2012 R2.

msmafra
  • 271

1 Answer

0

Access-based enumeration works as follows, as explained on TechNet:

Access-based enumeration displays only the files and folders that a user has permissions to access. If a user does not have Read (or equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is active only when viewing files and folders in a shared folder; it is not active when viewing files and folders in the local file system.

You can view the effective access of those users that you don't want to be able to see certain folders by doing the following on the server hosting the shared folder containing the folders which you want to hide using Access-based enumeration:

  1. Right-click the folder that should not be visible to the user and choose Properties
  2. On the Security tab click Advanced
  3. Go to the Effective Access tab
  4. Click Select a user then type the name of the user in the dialog box and click OK
  5. Click View effective access. If the user has the **List folder / read data** permission, then they will be able to see the folder even with ABE enabled.

If the user(s) in question do have unwanted access to the folder, review their permissions for the folder to determine how the user is getting them.
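
A scripted version of that last review step, as an added example that is not part of the original answer: for every subfolder of the share it lists the ACEs that match the user's token and carry List folder / read data, so you can see which group (for example the server's local Administrators) is making the folder visible. The `$Root` path and `$Upn` account are hypothetical placeholders, and the script assumes it is run on the domain-joined file server that hosts the share.

```powershell
# Added example, not from the original answer. Run on the file server itself.
param(
    [string]$Root = 'D:\Shares\Common',   # hypothetical local path behind the share
    [string]$Upn  = 'jdoe@corp.example'   # hypothetical user principal name
)

# Build a token for the user (S4U logon, no password needed) and collect the
# SIDs an ACE can match: the user's own SID plus every group in the token,
# including local groups on this server such as BUILTIN\Administrators.
$identity = New-Object System.Security.Principal.WindowsIdentity($Upn)
$sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Access-mask bits that make a folder visible under ABE:
# List folder / read data (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
$listBits = 1 -bor 268435456 -bor -2147483648
$sidType  = [System.Security.Principal.SecurityIdentifier]
$ntType   = [System.Security.Principal.NTAccount]

Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $folder = $_.FullName
    # Keep ACEs that name one of the user's SIDs, include a list/read bit, and
    # apply to the folder itself (PropagationFlags InheritOnly = 2 means the
    # ACE only affects children, so it is skipped).
    (Get-Acl -LiteralPath $folder).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $sids -contains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $listBits) -ne 0 -and
            ([int]$_.PropagationFlags -band 2) -eq 0
        } |
        ForEach-Object {
            $ace = $_
            # Show a readable name where the SID resolves, else the raw SID.
            $name = try { $ace.IdentityReference.Translate($ntType).Value }
                    catch { $ace.IdentityReference.Value }
            [pscustomobject]@{
                Folder    = $folder
                Via       = $name
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
} | Format-Table -AutoSize
```

The output lists matching ACEs rather than computing the final result, so a Deny row can still override an Allow row for the same folder; the Effective Access tab remains the check for the net outcome.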