Discussion:
Bypass Traverse Checking Issue
Lee
2004-02-15 11:06:14 UTC
hi,

I am wondering if someone can clear up an issue.

I have a Win 2003 file server, we have a shared folder that a user maps a
drive to. In that folder is another folder, no-one apart from Admins has
rights to this folder. Directories below this folder should be accessible
to my users, permissions are set up, etc.

Now, as I understand it, if a user has the Bypass Traverse Checking right,
they should be able to get to folders lower in the directory structure that
they have rights to, even if they don't have rights to the top-level folder.

However, in my case, a user receives "Access denied" when double-clicking the
top-level folder.

In my DC Policy, Authenticated Users has the Bypass Traverse Checking right.

So, I am lost, maybe I understand this wrong. Could someone shed some light?

TIA

LM
Mike Aubert
2004-02-15 13:21:47 UTC
Your definition of Bypass Traverse Checking is correct, but I think there is
a misunderstanding in what "get to folders lower in the directory structure"
actually means. A user needs the list folder contents permission on the
folder in order to view a folder's contents. For example, say I had the
following folder structure:

\\ServerName\Share\AdminFolder\UserFolder

Where only administrators have access to the AdminFolder directory and
everyone has access to the UserFolder directory. If a user enters the
network path \\ServerName\Share\AdminFolder at the Run dialog they will get
an access denied error because they do not have permissions to view the
AdminFolder contents.

However, if a user enters the network path
\\ServerName\Share\AdminFolder\UserFolder at the Run dialog they will get a
list of the folder contents because they have access to the UserFolder
directory. What Bypass Traverse Checking basically means is "Forget about
the DACLs set on folders higher in the directory hierarchy - look at the
permissions set only on this folder/file." Bypass Traverse Checking does not
give a user the ability to list files and folders higher in the directory
hierarchy - they must be granted the necessary permissions. i.e. Bypass
Traverse Checking does not give the user the ability to browse the directory
structure using Windows Explorer - just the ability to jump directly to the
folder/file they have permission for.

If the user did not have the Bypass Traverse Checking right, the user would
have to have permissions on *both* the AdminFolder and UserFolder
directories. In such a situation, if a user enters the network path
\\ServerName\Share\AdminFolder\UserFolder at the Run dialog they will get an
access denied error because they do not have access to the AdminFolder.

From the Windows support files:

Bypass traverse checking - "This user right determines which users can
traverse directory trees even though the user may not have permissions on
the traversed directory. This privilege does not allow the user to list the
contents of a directory, only to traverse directories."

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
***@2000trainers.com

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
Lee
2004-02-15 14:27:49 UTC
Guys,

thanks for your response, this does make sense now, adding list rights to
all the users gave them access.

Thanks

LM
Andrew Mitchell
2004-02-15 13:21:44 UTC
My understanding of it is that if you have a directory called
c:\AdminsOnly that only the admins have permissions to and users have
Bypass Traverse Checking, and a subdirectory of c:\AdminsOnly\UsersAsWell
that the users have full permissions to then the users cannot browse to
the UsersAsWell folder by clicking c:\, then AdminsOnly then UsersAsWell
in explorer as they do not have permission to view directory listing in
the AdminsOnly folder.
The only way to get to the UsersAsWell folder would be to type
'c:\AdminsOnly\UsersAsWell' in the address bar of explorer, do a
'CD c:\AdminsOnly\UsersAsWell' from a command prompt, or have a shortcut
directly to c:\AdminsOnly\UsersAsWell.
i.e. Don't do anything that enters the AdminsOnly folder.


--

Andy.
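
The behaviour Mike Aubert and Andrew Mitchell describe above, as a simplified Python model added here (not code from the thread and not the Windows API). The ACL table, group names and the `open_folder` / `browse_to` helpers are assumptions made for illustration; the folder layout is the one from Mike's post.

```python
# Simplified model of the folder checks discussed in this thread (not the
# Windows API). Assumption: each folder's ACL maps a group name to a set of
# rights, "list" (List Folder Contents) and "traverse" (Traverse Folder).
ROOT = r"\\ServerName\Share"
ADMIN = ROOT + r"\AdminFolder"
USER = ADMIN + r"\UserFolder"

# Constructed sample ACLs matching the layout in Mike Aubert's post.
ACLS = {
    ROOT: {"Users": {"list", "traverse"}, "Admins": {"list", "traverse"}},
    ADMIN: {"Admins": {"list", "traverse"}},
    USER: {"Users": {"list", "traverse"}, "Admins": {"list", "traverse"}},
}

def rights(folder, groups):
    """Union of the rights the caller's groups hold on one folder."""
    acl = ACLS.get(folder, {})
    return set().union(*(acl.get(g, set()) for g in groups))

def ancestors(folder):
    """Folders from the share root down to, but excluding, `folder`."""
    if folder != ROOT and not folder.startswith(ROOT + "\\"):
        raise ValueError("path is outside the modelled share")
    chain = []
    while folder != ROOT:
        folder = folder.rsplit("\\", 1)[0]
        chain.append(folder)
    return chain[::-1]

def open_folder(folder, groups, bypass_traverse):
    """Jump straight to `folder` (Run dialog, CD, shortcut) and list it."""
    if not bypass_traverse:  # without the right, every parent is checked
        for parent in ancestors(folder):
            if "traverse" not in rights(parent, groups):
                return "Access denied: no traverse on " + parent
    if "list" not in rights(folder, groups):
        return "Access denied: no list on " + folder
    return "OK"

def browse_to(folder, groups, bypass_traverse):
    """Explorer-style click-through: each level is opened and listed in turn."""
    for step in ancestors(folder) + [folder]:
        result = open_folder(step, groups, bypass_traverse)
        if result != "OK":
            return result
    return "OK"

if __name__ == "__main__":
    for bypass in (True, False):
        print(bypass, open_folder(USER, ["Users"], bypass), "|",
              browse_to(USER, ["Users"], bypass))
```

In this model, adding only `"list"` for `Users` on `AdminFolder` (the change Lee reports making) is enough for `browse_to` to succeed while the bypass right is held.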