Clustering with Access-Based Enumeration (Part 1)

Tags: Clustering, Windows Server

Access-Based Enumeration (ABE) is a rather useful add-on for Windows Server 2003 that lets an administrator restrict what users can see on a file share. When ABE is enabled on a share, a user sees only the files and folders to which they have access. This helps reduce support calls from users (e.g. "Why do I get this Access Denied error on the Finance folder?") and makes it simpler for users to find the data they need.

For example, here's the view of an ABE-enabled share for an Administrator. A finance user on the other hand will see a different view, and a normal user will see an even more restricted view.

Now that all works fine on a single server without any further effort on the administrator's part.

When you enable ABE on a clustered file share, everything appears to work fine until the file share is failed over to another node. When that happens the share is no longer ABE-enabled and reverts to the standard Windows 2003 behaviour. To get around this, we write a small VBScript and register it as a Generic Script cluster resource within the appropriate cluster group, so that ABE is re-enabled each time the group is brought online.

Here's a script that does exactly this. Note that it assumes ABECMD.EXE is available on the cluster drive (in this case, H:\) and that the share is called ABEShare:

Function Online( )
  on error resume next
  ' Call ABECMD.EXE /enable for the clustered share. The third argument (true)
  ' makes Run wait until ABECMD has finished before continuing.
  Set oShell = CreateObject("WScript.Shell")
  oShell.Run "H:\ABECMD.EXE /enable ABEShare", 1, true
  ' Report 1 (failure) to the Resource Monitor if ABECMD could not be run,
  ' otherwise 0 (success)
  if (Err.Number <> 0) then
    Online = 1
  else
    Online = 0
  end if
End Function

' Quick health check: always report the resource as alive
Function LooksAlive( )
  LooksAlive = True
End Function

' Thorough health check: always report the resource as alive
Function IsAlive( )
  IsAlive = True
End Function

The version 1 script above is sufficient to re-establish Access-Based Enumeration on a clustered file share after failover. Microsoft recommends not placing the script files on the cluster disk, but for this type of script I think placing it on the cluster disk is acceptable. You may instead choose to store the script in the same location on each cluster node, but I'm not entirely convinced that the stated benefits outweigh the disadvantages of managing the script (replication etc.). YMMV.

Implementing it is simple. Add a new resource of type Generic Script to the cluster group. The Possible Owners for the new resource should include every node on which the ABE share must be available. Make the script resource dependent on the File Share resource, and set the Script filepath to the full path of the VBS file (H:\ABEShare.VBS). When you bring the resource online, the share will become ABE-enabled.

The script above has some limitations, the most glaring of which is that if an Administrator disables ABE (either with the command-line tools or through the Windows Explorer interface) the cluster will not know about it, because LooksAlive and IsAlive always report the resource as healthy.
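As an added example that is not the author's script, here is a hardened version of the Online entry point from the version 1 script above. It keeps the same 0 (success) / 1 (failure) return convention as the page's script and leaves LooksAlive and IsAlive unchanged, but it checks that ABECMD.EXE is actually present on the cluster disk before running it, treats a non-zero ABECMD exit code as a failure rather than only a failure to launch, handles several shares, and writes its results to the cluster log through the Resource.LogInformation method that the Generic Script host exposes (with a WScript.Echo fallback so the function can be exercised from cscript.exe). The ABECMD path, the share names and the semicolon-separated list format are assumptions for this example; it does not address the disable-detection limitation described above.

```vbscript
' Added example: hardened Online entry point for the Generic Script resource.
' Assumptions: ABECMD.EXE sits at ABECMD_PATH on the cluster disk and the
' shares listed in SHARE_NAMES belong to the same cluster group as this resource.
Const ABECMD_PATH = "H:\ABECMD.EXE"          ' assumed location on the cluster disk
Const SHARE_NAMES = "ABEShare;FinanceShare"  ' assumed share names, semicolon separated

' Write to the cluster log when hosted by the Resource Monitor; when run from
' cscript.exe (where the Resource object does not exist) echo to the console instead.
Sub LogMsg(msg)
    On Error Resume Next
    Resource.LogInformation msg
    If Err.Number <> 0 Then
        Err.Clear
        WScript.Echo msg
    End If
End Sub

' Run ABECMD /enable for every configured share. Returns 0 on success and 1 if
' the tool is missing, cannot be launched, or exits with a non-zero code.
Function Online()
    Dim fso, shell, share, rc
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set shell = CreateObject("WScript.Shell")

    ' Fail early with a clear log entry rather than a cryptic launch error
    If Not fso.FileExists(ABECMD_PATH) Then
        LogMsg "ABECMD.EXE not found at " & ABECMD_PATH
        Online = 1
        Exit Function
    End If

    For Each share In Split(SHARE_NAMES, ";")
        On Error Resume Next
        ' Window style 0 hides the console; True makes Run wait and return the exit code
        rc = shell.Run("""" & ABECMD_PATH & """ /enable " & share, 0, True)
        If Err.Number <> 0 Then
            LogMsg "Could not launch ABECMD for " & share & ": " & Err.Description
            Err.Clear
            On Error GoTo 0
            Online = 1
            Exit Function
        End If
        On Error GoTo 0

        If rc <> 0 Then
            LogMsg "ABECMD returned exit code " & rc & " for share " & share
            Online = 1
            Exit Function
        End If
        LogMsg "Access-Based Enumeration enabled on " & share
    Next

    Online = 0
End Function
```

Because the function stops at the first share that fails and reports failure to the Resource Monitor, a group that fails over to a node where the cluster disk is not yet mounted, or where ABECMD cannot enable a share, shows up as a failed resource in Cluster Administrator instead of silently leaving the share without ABE.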

In part 2 I'll expand on the version 1 VBScript and describe some improvements that allow the script to report the true ABE status back to the cluster Resource Monitor.
