# ABE activation feedback


oak coral

Hello,
I'm testing ABE (Access-Based Enumeration) on an SVM, and I can see the following issues for NAS Admins with ABE enabled:

  • NAS Administrators can no longer use the "Shared folder" Windows MMC to see/modify the shares' ACLs on the SVM

  • NAS Administrators can no longer use the rmtshare command on a Windows server to see/modify the shares' ACLs on the SVM

The NAS Administrators are in an AD group that is a member of the "BUILTIN\Administrators" group of each SVM

(e.g.: vserver cifs users-and-groups local-group add-members -vserver TESTSVM -group-name BUILTIN\Administrators -member-names AD\NASAdminGroup)

This AD group has access via the c$ share, but we don't grant this group any share access on each CIFS share.

Without ABE, this group can see/list all shares using Windows Explorer and can manage the shares using the Windows MMC or rmtshare.
With ABE enabled at the SVM level, this group cannot see any shares and cannot manage them using the MMC or rmtshare.

I see that I can resolve this by adding a permission for this group to each CIFS share created, but I wonder if there is a simpler way.

On the KB: https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/How_does_Access_Based_Enumeration_ABE_work
</gb_replace>
<gr_replace lines="35" cat="clarify" orig="It is said">
it says "If user is a member of local admin (on SVM) then they will be able to see the shares." but that's not the case if ABE is activated at the SVM level (on 9.12.1) using:

It is said "If user is a member of local admin (on SVM) then they will be able to see the shares." but it's not the case if ABE is activated at the SVM (on 9.12.1) using :

vserver cifs options modify -vserver TESTSVM -is-share-enum-permission-check-enabled true

Do you have any real-life feedback regarding ABE activation, or other issues like this?
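As an added illustration (not from the thread or from NetApp), a small Python model of what the post above observes: with the share-enumeration permission check on, BUILTIN\Administrators membership alone does not make a share visible, while the per-share ACE workaround does. Share names, AD group names and the ACL layout are constructed.

```python
# Added example: model of ONTAP share enumeration with ABE on/off.
# Share, group and ACL contents below are constructed for illustration.
from dataclasses import dataclass, field

ADMIN_GROUP = "AD\\NASAdminGroup"          # assumed NAS admin AD group
BUILTIN_ADMINS = "BUILTIN\\Administrators"
GRANTING = ("Read", "Change", "Full_Control")  # ONTAP share permission values


@dataclass
class Share:
    name: str
    acl: dict = field(default_factory=dict)  # principal -> share permission


def can_enumerate(share, principals):
    """ABE share-level check: the share is listed only if one of the caller's
    principals holds a granting ACE on it. Being in BUILTIN\\Administrators is
    deliberately NOT a bypass here, matching the 9.12.1 behaviour reported."""
    if any(share.acl.get(p) == "No_access" for p in principals):
        return False  # an explicit No_access ACE hides the share outright
    return any(share.acl.get(p) in GRANTING for p in principals)


def visible_shares(shares, principals, abe_enabled):
    """Share names the caller sees in a net view / Explorer listing."""
    if not abe_enabled:
        return [s.name for s in shares]
    return [s.name for s in shares if can_enumerate(s, principals)]


def grant_admin_ace(shares, group=ADMIN_GROUP):
    """The workaround from the post: add the admin group to every share ACL,
    roughly what 'vserver cifs share access-control create ... -permission
    Full_Control' does per share. Existing ACEs for the group are kept."""
    for s in shares:
        s.acl.setdefault(group, "Full_Control")
    return shares


def build_shares():
    # constructed SVM: c$ grants local admins, data shares only their own teams
    return [
        Share("c$", {BUILTIN_ADMINS: "Full_Control"}),
        Share("finance", {"AD\\Finance": "Full_Control"}),
        Share("hr", {"AD\\HR": "Full_Control"}),
    ]


NAS_ADMIN_PRINCIPALS = {ADMIN_GROUP, BUILTIN_ADMINS}


def demo(abe_enabled=True, grant_workaround=False):
    shares = build_shares()
    if grant_workaround:
        grant_admin_ace(shares)
    return visible_shares(shares, NAS_ADMIN_PRINCIPALS, abe_enabled)
```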

rugged atlas

I don't know much about Windows, but I was asked to enable ABE by the people who do know, and it created a huge spike in directory IOPS and slowed the clients down. Lots of access-denied traffic in the .PCAP dump when a client tried to look into it. It wasn't a NetApp issue but rather how some of our desktop clients were configured. Not sure what happened, haven't had time to debug the root cause of it. Possibly because of 20K user directories. I will have to test it before activating it again if anyone requests.

vivid verge

Windows users that are used to seeing everything will complain that things "have been deleted" if one decides one day to enable ABE. Seeing shares isn't really a problem (and you can disable "browsable" on individual shares). If you have your filesystem rights in order, then access to the underlying filesystem is denied anyway for those without permissions.

Using the CIFS home-directory functionality basically removes visibility for general users. If you start right and add a "mount point" volume between the user volumes and the /, then you can add a group for administrating home directories, or just make that same group a local admin group on that SVM (having a separate SVM for home directories allows such flexibility).