Re: Bypass Traverse Checking Issue

From: Lee (lmessenger_at_nospam.com)
Date: 02/15/04 

Date: Sun, 15 Feb 2004 14:27:49 -0000

Guys,

thanks for your response, this does make sense now, adding list rights to
all the users gave them access.

Thanks

LM
"Mike Aubert" <mikenews2@2000trainers.com> wrote in message
news:u48Ila88DHA.1672@TK2MSFTNGP12.phx.gbl...
> Your definition of Bypass Traverse Checking is correct, but I think there
is
> a misunderstanding in what "get to folders lower in the directory
structure"
> actually means. A user needs the list folder contents permission on the
> folder in order to view a folder's contents. For example, say I had the
> following folder structure:
>
> \\ServerName\Share\AdminFolder\UserFolder
>
> Where only administrators have access to the AdminFolder directory and
> everyone has access to the UserFolder directory. If a user enters the
> network path \\ServerName\Share\AdminFolder at the Run dialog they will
get
> an access denied error because they do not have permissions to view the
> AdminFolder contents.
>
> However, if a user enters the network path
> \\ServerName\Share\AdminFolder\UserFolder at the Run dialog they will get
a
> list of the folder contents because they have access to the UserFolder
> directory. What Bypass Traverse Checking basically means is "Forget about
> the DACLs set on folders higher in the directory hierarchy - look at the
> permissions set only on this folder/file." Bypass Traverse Checking does
not
> give a user the ability to list files and folders higher in the directory
> hierarchy - they must be granted the necessary permissions. i.e. Bypass
> Traverse Checking does not give the user the ability to brows the
directory
> structure using Windows Explorer - just the ability to jump directly to
the
> folder/file they have permission for.
>
> If the user did not have the Bypass Traverse Checking right, the user
would
> have to have permissions on *both* the AdminFolder and UserFolder
> directories. In such a situation, if a user enters the network path
> \\ServerName\Share\AdminFolder\UserFolder at the Run dialog they will get
an
> access denied error because they do not have access to the AdminFolder.
>
> From the Windows support files:
>
> Bypass traverse checking - "This user right determines which users can
> traverse directory trees even though the user may not have permissions on
> the traversed directory. This privilege does not allow the user to list
the
> contents of a directory, only to traverse directories."
>
> ------------------------------------------------------------------
> Mike Aubert
> MCSE, MCSD, MCDBA
> mikenews2@2000trainers.com
>
> Note the "news2" in my email address is temporary and may be changed in
the
> future, remove it to email me at my Permanente address.
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>
>
> "Lee" <lmessenger@nospam.com> wrote in message
> news:OfwV6O78DHA.3064@TK2MSFTNGP09.phx.gbl...
> > hi,
> >
> > I am wondering if someone can clear up an issue.
> >
> > I have a Win 2003 file server, we have a shared folder that a user maps
a
> > drive to. In that folder is another folder, no-one apart from Admins
have
> > rights to this folder. Directories below this folder should be
accessible
> > to my users, permissions are setup etc etc.
> >
> > Now, as I understand it, if a user has the Bypass Traverse Checking
right,
> > they should be able to get to folders lower in the directory structure
> that
> > they have rights to, even if they don't have rights to the top-level
> folder.
> >
> > However, in my case, a user receives "Access denied" when double cliking
> the
> > top-level folder.
> >
> > In my DC Policy, Authenticated Users has the Bypass Traverse Checking
> right.
> >
> > So, I am lost, maybe I understand this wrong. could someone shed some
> light
> > ?
> >
> > TIA
> >
> > LM
> >
> >
>
>

Relevant Pages

  • Re: you need permission to perform this action
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... configure the global permissions for administrators. ... folder, because some folder permissions are changed by design, that's ... I did have the Administrator take ownership of the system32 folder, ...
    (microsoft.public.windows.server.general)
  • Re: Strange share rights problems
    ... This rights are for the SHARE PERMISSIONS ... This posting is provided "AS IS" with no warranties, and confers no rights. ... The problematic folder is the folder under drive X and is called ... Users who belongs to the STAFF belongs also to Domain Users. ...
    (microsoft.public.windows.server.general)
  • Re: Utility/report for effective NTFS rights for a single user/group?
    ... that can determine the effective NTFS rights for a user or a group? ... Technically Rights and Permissions are two distinct things in NT-class ... simplistic in that you have to evaluate each folder individually. ...
    (microsoft.public.windows.server.general)
  • Re: Security and Sharing
    ... When they are logged in locally only the filesystem permissions are ... allows to them provided that the share level permissions are not less. ... "read and file scan rights". ... If you want then to be able to read files and browse the folder structure ...
    (microsoft.public.security)
  • Re: File attributes not being retained
    ... Sounds like you don't have the right to change access rights on that folder. ... system resets the permission to Read Only as soon as the Permissions ... If one leaves the window in which one sets the Permission open, ...
    (microsoft.public.windowsxp.network_web)