Traverse a folder without permission?
I have been working with Windows permissions for over 10 years now and thought I knew what I was doing until now.
I seem to now be able to connect to a share path where I have no access to the root of the share or intermediate folders but do at the lower level folders. I always thought I needed the traverse folder permission to do this but apparently not. Let me explain.
I have created a share \\server1\data
The share permission is full control and the NTFS permissions are full control for admins and system. Inheritance is blocked on the data folder
I then create sub folders \\server1\data\L1\L2\L3
The sub folders are inheriting permissions from the Data folder. I now grant "testuser" read/write (modify) access to the L2 folder.
From a PC "TestUser" can do the following:
\\server1\data - Access Denied
\\Server1\data\L1 - Access Denied
\\Server1\data\L1\L2 - Access granted
Bearing in mind that I have not granted "Testuser" any traverse rights to the data or L1 folders, why can "TestUser" access L2 and L3? Is there a TechNet article explaining this anywhere?
Re: Traverse a folder without permission?
I can't see how that is possible. What are the permissions for L1 and L2?
Does testuser have "List" at Data and L1? If they can't get into Data then
how can they even see the sub folders?
Re: Traverse a folder without permission?
Check the Group Policy Setting (or the local policy setting using gpedit.msc
if not in a domain):
Computer Configuration
(Policies - this level is present only on Windows Server 2008)
Windows Settings
Local Policies
User Rights Assignment
Bypass traverse checking
Here's the "Explain" text:
This user right determines which users can traverse directory trees even
though the user may not have permissions on the traversed directory. This
privilege does not allow the user to list the contents of a directory, only
to traverse directories.
This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.
Default on workstations and servers:
Administrators
Backup Operators
Users
Everyone
Local Service
Network Service
Default on domain controllers:
Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access
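To see which accounts actually hold "Bypass traverse checking" on a given server, the following added example (not part of the original thread) parses a `secedit` user-rights export for `SeChangeNotifyPrivilege`, the constant name of this right, and resolves each SID to an account name. The function name `Get-TraverseBypassHolder`, the temp file name and the sample lines are assumptions made for the illustration.

```powershell
# Added example: list accounts holding "Bypass traverse checking"
# (SeChangeNotifyPrivilege). The live export needs an elevated prompt.
function Get-TraverseBypassHolder {
    param(
        # Lines of a secedit export; when omitted, the local policy is exported.
        [string[]]$PolicyLines
    )
    if (-not $PolicyLines) {
        # Hypothetical temp file name; secedit writes the rights as an INF file.
        $tmp = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
        try {
            secedit.exe /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
            $PolicyLines = Get-Content -LiteralPath $tmp
        } finally {
            Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
        }
    }
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

    $line = $PolicyLines |
        Where-Object { $_ -match '^\s*SeChangeNotifyPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }              # right is not assigned to anyone
    $value = ($line -split '=', 2)[1]
    foreach ($entry in ($value -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = $null
        $name = $entry
        if ($entry.StartsWith('*')) {       # secedit prefixes SIDs with '*'
            $sid = $entry.Substring(1)
        } else {                            # entry written as an account name
            try { $sid = ([System.Security.Principal.NTAccount]$entry).Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        }
        if ($sid) {
            try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
        }
        [pscustomobject]@{ Account = $name; Sid = $sid; CoversAllUsers = ($broad -contains $sid) }
    }
}

# Constructed sample mirroring the workstation/server defaults quoted above.
$sample = @(
    '[Privilege Rights]'
    'SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551'
)
Get-TraverseBypassHolder -PolicyLines $sample | Format-Table -AutoSize
# Get-TraverseBypassHolder | Format-Table -AutoSize   # live local policy
```

A row with `CoversAllUsers` set to true means any authenticated user can pass through folders they have no NTFS permission on, which is the behaviour described in the original question.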
Re: Traverse a folder without permission?
Indeed it is the local security policy setting "bypass traverse checking" on the servers which is applying this to the folders. I never knew this was set by default to the Everyone group on the local policy.
That said, I never knew the local security policy also applies logon local rights to the users group on 2003 server until an audit.
Thanks Bruce. That's one headache gone, now to figure out why some of my laptops hung whilst installing software....
Re: Traverse a folder without permission?
Happy to shed light! The defaults that apply if the setting is not
"defined" are usually documented in the Help for each setting.
Re: Traverse a folder without permission?
List Folders will enable people to navigate through the tree.
Traverse is the right to pass-through to the destination, without the right
to read anything (including folder name)
Re: Traverse a folder without permission?
Sure. List folders + Traverse is the poor man's version of ABE, or at least
the Windows version before R2. Let us know if you have any problems with it