Bypass Traverse Checking

From: Allison (athys@city.lethbridge.ab.ca)
Date: 11/15/02 

From: "Allison" <athys@city.lethbridge.ab.ca>
Date: Fri, 15 Nov 2002 10:38:07 -0700

AGGHHH...

I am totally confused with the permission @#$%^. Here's my situation:

\Department
    \100
    \200
    \300
    \400
    \All Department Managers
    \Everyone

Groups
Dept Managers
Dept100
Dept200
Dept300
Dept400
All Dept Members (includes all of the above groups)

I have applied permissions for the Dept100 group at \Department\Everyone as
follows:

Read & Execute:
    Traverse Folder/Execute File
    List Folder/Read Data
    Read Attributes
    Read Extended Attributes
    Read Permissions

Applied to: This folder, subfolders and files.

When I log in as a member of the Dept100 Group.... Open Windows Explorer and
browse the the \Everyone folder... I get an access denied message at the
\Department level. I have not given any permissions at the \Department
folder... because I thought since I gave them permissions at \Everyone ...
that it would be implied that they need to traverse the \Department folder
to get there.... Apparently this is wrong cuz it's not working! I have read
several articles about 'Bypass Traverse Checking' but I still don't get it!

AGGHHH

SO... do I have to explicitly give the Dept100 group permissions at the
\Department level?

If so, I guess I am misunderstanding the 'Bypass Traverse Checking' default
user right.... (which could someone please tell me... this user right is
applied on all my client machines local policy... but not on any DOMAIN
policy... OOPS!!! forget it... I just checked the Default Domain Controllers
Policy... and sure enough this user right is defined.) Ok... that's great...
so what does it do!?

I have tried this.... I gave the All Dept Members group the following
SPECIAL permissions at the \Department Level:

    List Folder/Read Data
    (I didn't need to assign the 'Traverse Folder/Execute File' permission
??? how come???)

Now my Dept100 group can browse down to get to the \Everyone folder... they
get 'Access Denied' messages for all other subfolders... which is correct.

If anyone has some advice.... I'm ready to hear it...

THANKS!!

Relevant Pages

  • Re: Minimum NTFS Permissions - Theres such a thing???
    ... ?2001 Microsoft Corporation. ... HOW TO: Set Minimum NTFS Permissions Required for IIS 5.0 to Work WGID:198 ... " List Folder Contents" ...
    (microsoft.public.inetserver.iis.security)
  • Re: Unable to delete orphaned 1.5 GB System Restore folder
    ... The fact that the tech support is based in India has nothing to do with the ... If so you may want to leave this folder alone. ... down to all children folders because i can set those permissions to ... try deleting from the command line using system by using the AT ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Unable to delete orphaned 1.5 GB System Restore folder
    ... The only computers i fix are my own. ... If so you may want to leave this folder alone. ... it includes all subdirectories with inherited permissions. ... try deleting from the command line using system by using the AT ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Word mail merge data source
    ... "Peter Jamieson" wrote: ... Word on it) then there may be a problem if the folder containing the data ... Word builds a connection string. ... superset of other users' permissions - for example, ...
    (microsoft.public.word.vba.general)
  • RE: no OWA
    ... have the correct permissions was the "inetpub" folder. ... Correct the settings in IIS: ... click to check the "Hide All Microsoft Services" ...
    (microsoft.public.windows.server.sbs)