In addition to playing Portal 2 (good work, Valve guys!), I have been doing that some of thing called “work”. Today I decided to get back to the question of whether it is possible to enable and disable the Windows file server feature known as “Access Based Enumeration” (or “ABE”) from the command line.
Documentation suggests “yes”, that this is possible, using a tool known as “abecmd.exe”. Unfortunately, I can find no evidence that such a tool exists on Server 2008 R2. Curious… under Server 2003 R2 you needed to use the command line to enable ABE. Now under 2008 R2, you cannot (easily) use anything other than the GUI. Also interestingly, the only GUI that supports enabling ABE is the “Share and Storage Management” MMC that is included with “Server Manager” (the old “Shared Folders” MMC does not have this feature, and neither does the “Sharing” tab in Windows Explorer). It gets even better… if you create a share from the command line using “net share”, ABE is not enabled on the share. WTF? I thought Microsoft was supposed to be reducing the number of features that require the GUI, not ramping them up.
Of course, the ABE flag can be set using the NetShareSetInfo function of the netapi32.dll. However, using these older dlls in PowerShell is a touch more complicated than I care to deal with on a daliy basis. Have gander at this code:
Yuck! (No insult to the code intended… I just mean that I should not have to deal with this to perform basic share admin tasks!)
Fortunately, Bill Steward over at Windows IP Pro has taken mercy on us:
Here he provides a small executable called “ShareABE.exe”, with source code, that will show and set ABE status on a server share.
I sure hope that Window Server “8” includes a new .NET assembly for file and print server management. These old APIs are a real pain in the keister.