Go Back   TechArena Community > Technical Support > Computer Help > Windows Server > Windows Server Help
Become a Member!
Forgot your username/password?
Register Tags Active Topics RSS Search Mark Forums Read

Sponsored Links



Traverse a folder without permission?

Windows Server Help


Reply
 
Thread Tools Search this Thread
  #1  
Old 26-02-2009
Member
 
Join Date: Feb 2009
Posts: 2
Traverse a folder without permission?

I have been working with windows permissions for over 10 years now and though I knew what I was doing until now.
I seem to now be able to connect to a share path where I have no access to the root of the share or intermediate folders but do at the lower level folders. I always though I needed the traverse folder permission to do this but apparently not. Let me explain

I have created a share \\server1\data
The share permission is full control and the NTFS permissions are full control for admins and system. Inheritance is blocked on the data folder

I then create sub folders \\server1\data\L1\L2\L3
the sub folders are inheritning permissions from the Data folder. I now grant "testuser" read/write(modify) access to the L2 folder.

From a PC "TestUser" can do the following
\\server1\data - Access Denied
\\Server1\data\L1 - Access Denied
\\Server1\data\L1\L2 - Access granted

Bearing in mind that I have not granted "Testuser" any traverse rights to the data or L1 folders, why can "TestUser" access L2 and L3? Is there a technet article explaining this anywhere?

Reply With Quote
  #2  
Old 26-02-2009
AllenM
 
Posts: n/a
Re: Traverse a folder without permission?

I can't see how that is possible. What are the permissions for L1 and L2?
Does testuser have "List" at Data and L1? If they can't get into Data then
how can they even see the sub folders?
Reply With Quote
  #3  
Old 27-02-2009
Bruce Sanderson
 
Posts: n/a
Re: Traverse a folder without permission?

Check the Group Policy Setting (or the local policy setting using gpedit.msc
if not in a domain):

Computer Configuration
[Policies - this level is present only on Windows Server 2008)
Windows Settings
Local Policies
User Rights Assignment
Bypass traverse checking

Here's the "Explain" text:

This user right determines which users can traverse directory trees even
though the user may not have permissions on the traversed directory. This
privilege does not allow the user to list the contents of a directory, only
to traverse directories.

This user right is defined in the Default Domain Controller Group Policy
object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:
Administrators
Backup Operators
Users
Everyone
Local Service
Network Service

Default on domain controllers:
Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access
Reply With Quote
  #4  
Old 27-02-2009
Member
 
Join Date: Feb 2009
Posts: 2
Re: Traverse a folder without permission?

Indeed it is the local security policy setting "bypass traverse checking" on the servers which is applying this to the folders. I never knew this was set by default to the everyone group on the local policy.
That said I never new the local security policy also applies logon local rights to the users group on 2003 server until an audit.

Thanks Bruce. Thats one headache gone, now to figure out why some of my laptops hung whilst installing software....
Reply With Quote
  #5  
Old 28-02-2009
Bruce Sanderson
 
Posts: n/a
Re: Traverse a folder without permission?

Happy to shed light! The defaults that apply if the setting is not
"defined" are usually documented in the Help for each setting.
Reply With Quote
  #6  
Old 21-08-2009
Member
 
Join Date: Aug 2009
Posts: 1
So I've got the same issue but am having problems determining how to fix it from the discussion on this website. In my environment I have several volumes that are shared (you go to \\server and you can see several shared folders). If you double-click on any of the folders you can see (ex:\\server\folder1), you are given "access denied". If you browse to \\server\folder1\staff\userid, you have full rights and are able to browse the directory.

PROBLEM 1:
Our "Bypass traverse checking" options are set to defaults. We are running Windows 2003 R2 servers with a 2003 functional level. We have NOT given users traverse rights to folder1, or staff, but want them to be able to browse to the folders they have rights to by simply double-clicking thru to them.

PROBLEM 2:
With Novell, our users were able to traverse the folders down to the folders they had full access to without having to set any specific permissions. ALSO (and this is what I'd like to do with Windows), when they browsed to \\server, they were only able to see folder1, and folder 2 IF they had rights to a folder inside of folder1 or folder2. And then they were only able to see the folders that led them to the folder they did have full access to (ie: usera was only able to see \\server\folder1\staff\userid, and NOT \\server\folder1\staff\otherusersids). Is this even possible in a windows environment?

Thanks for the quick response! I was actually (and just found out) that I was looking for "Access-based Enumeration". I just need to read up on how to set it up. Any Idea's?
Reply With Quote
  #7  
Old 21-08-2009
Anthony [MVP]
 
Posts: n/a
Re: Traverse a folder without permission?

List Folders will enable people to navigate through the tree.
Traverse is the right to pass-through to the destination, without the right
to read anything (including folder name)
Reply With Quote
  #8  
Old 22-08-2009
Anthony [MVP]
 
Posts: n/a
Re: Traverse a folder without permission?

Sure. List folders + Traverse is the poor man's version of ABE, or at least
the Windows version before R2. Let us know if you have any problems with it
Reply With Quote
Reply

  TechArena Community > Technical Support > Computer Help > Windows Server > Windows Server Help
Tags: , , ,



Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads for: "Traverse a folder without permission?"
Thread Thread Starter Forum Replies Last Post
Server 2008: You don't currently have permission to access this folder HAL07 Windows Server Help 7 24-11-2009 10:27 AM
How to Set write permission to a folder Xena Software Development 3 04-05-2009 06:47 PM
Display the user permission on a share folder Klums Active Directory 3 12-08-2008 08:34 AM
Restrict folder permission to prevent from moving Fat Frog Windows Server Help 6 20-05-2008 08:08 AM
Modify Permission to Home Folder Script Masti Windows Server Help 1 23-04-2008 08:15 AM


All times are GMT +5.5. The time now is 05:35 AM.