Results 1 to 8 of 8

Thread: Traverse a folder without permission?

  1. #1
    Join Date
    Feb 2009

    Traverse a folder without permission?

    I have been working with windows permissions for over 10 years now and though I knew what I was doing until now.
    I seem to now be able to connect to a share path where I have no access to the root of the share or intermediate folders but do at the lower level folders. I always though I needed the traverse folder permission to do this but apparently not. Let me explain

    I have created a share \\server1\data
    The share permission is full control and the NTFS permissions are full control for admins and system. Inheritance is blocked on the data folder

    I then create sub folders \\server1\data\L1\L2\L3
    the sub folders are inheritning permissions from the Data folder. I now grant "testuser" read/write(modify) access to the L2 folder.

    From a PC "TestUser" can do the following
    \\server1\data - Access Denied
    \\Server1\data\L1 - Access Denied
    \\Server1\data\L1\L2 - Access granted

    Bearing in mind that I have not granted "Testuser" any traverse rights to the data or L1 folders, why can "TestUser" access L2 and L3? Is there a technet article explaining this anywhere?

  2. #2
    AllenM Guest

    Re: Traverse a folder without permission?

    I can't see how that is possible. What are the permissions for L1 and L2?
    Does testuser have "List" at Data and L1? If they can't get into Data then
    how can they even see the sub folders?

  3. #3
    Bruce Sanderson Guest

    Re: Traverse a folder without permission?

    Check the Group Policy Setting (or the local policy setting using gpedit.msc
    if not in a domain):

    Computer Configuration
    [Policies - this level is present only on Windows Server 2008)
    Windows Settings
    Local Policies
    User Rights Assignment
    Bypass traverse checking

    Here's the "Explain" text:

    This user right determines which users can traverse directory trees even
    though the user may not have permissions on the traversed directory. This
    privilege does not allow the user to list the contents of a directory, only
    to traverse directories.

    This user right is defined in the Default Domain Controller Group Policy
    object (GPO) and in the local security policy of workstations and servers.

    Default on workstations and servers:
    Backup Operators
    Local Service
    Network Service

    Default on domain controllers:
    Authenticated Users
    Local Service
    Network Service
    Pre-Windows 2000 Compatible Access

  4. #4
    Join Date
    Feb 2009

    Re: Traverse a folder without permission?

    Indeed it is the local security policy setting "bypass traverse checking" on the servers which is applying this to the folders. I never knew this was set by default to the everyone group on the local policy.
    That said I never new the local security policy also applies logon local rights to the users group on 2003 server until an audit.

    Thanks Bruce. Thats one headache gone, now to figure out why some of my laptops hung whilst installing software....

  5. #5
    Bruce Sanderson Guest

    Re: Traverse a folder without permission?

    Happy to shed light! The defaults that apply if the setting is not
    "defined" are usually documented in the Help for each setting.

  6. #6
    Join Date
    Aug 2009
    So I've got the same issue but am having problems determining how to fix it from the discussion on this website. In my environment I have several volumes that are shared (you go to \\server and you can see several shared folders). If you double-click on any of the folders you can see (ex:\\server\folder1), you are given "access denied". If you browse to \\server\folder1\staff\userid, you have full rights and are able to browse the directory.

    PROBLEM 1:
    Our "Bypass traverse checking" options are set to defaults. We are running Windows 2003 R2 servers with a 2003 functional level. We have NOT given users traverse rights to folder1, or staff, but want them to be able to browse to the folders they have rights to by simply double-clicking thru to them.

    PROBLEM 2:
    With Novell, our users were able to traverse the folders down to the folders they had full access to without having to set any specific permissions. ALSO (and this is what I'd like to do with Windows), when they browsed to \\server, they were only able to see folder1, and folder 2 IF they had rights to a folder inside of folder1 or folder2. And then they were only able to see the folders that led them to the folder they did have full access to (ie: usera was only able to see \\server\folder1\staff\userid, and NOT \\server\folder1\staff\otherusersids). Is this even possible in a windows environment?

    Thanks for the quick response! I was actually (and just found out) that I was looking for "Access-based Enumeration". I just need to read up on how to set it up. Any Idea's?

  7. #7
    Anthony [MVP] Guest

    Re: Traverse a folder without permission?

    List Folders will enable people to navigate through the tree.
    Traverse is the right to pass-through to the destination, without the right
    to read anything (including folder name)

  8. #8
    Anthony [MVP] Guest

    Re: Traverse a folder without permission?

    Sure. List folders + Traverse is the poor man's version of ABE, or at least
    the Windows version before R2. Let us know if you have any problems with it

Similar Threads

  1. Replies: 7
    Last Post: 24-11-2009, 10:27 AM
  2. How to Set write permission to a folder
    By Xena in forum Software Development
    Replies: 3
    Last Post: 04-05-2009, 06:47 PM
  3. Display the user permission on a share folder
    By Klums in forum Active Directory
    Replies: 3
    Last Post: 12-08-2008, 08:34 AM
  4. Restrict folder permission to prevent from moving
    By Fat Frog in forum Windows Server Help
    Replies: 6
    Last Post: 20-05-2008, 08:08 AM
  5. Modify Permission to Home Folder Script
    By Masti in forum Windows Server Help
    Replies: 1
    Last Post: 23-04-2008, 08:15 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts