Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Explorer.exe enforces traverse checking when ABE is enabled on a share

Explorer.exe enforces traverse checking when ABE is enabled on a share

View products that this article applies to.

Symptoms

When Access Based Enumeration (ABE) is enabled on a share, the shell (Explorer.exe) enforces traverse checking even though the Bypass Traverse Checking user right is enabled. The user can still enumerate the directory content by running the dir <SharePath> command line.

When the user tries to access the absolute path through Explorer.exe, he or she receives one of the following error messages.

Error 1
Unspecified error, Error code: 0X80004005 (enumeration Failed)

Error 2
Windows cannot find ‘absolute path of the share". Check the spelling and try again, or try searching for the item by clicking the Start Button and then clicking Search.

Error 3
<SharePath> is not accessible. Access is denied.

↑ Back to the top

Cause

Access Based Enumeration works on Security (NTFS) permissions and not on share-level permissions. On the share, everyone must be granted Full Control permissions so that users can read and write to the folders in the share. NTFS permissions regulate all enumeration of folders.

One group (and this includes everyone) should be granted the Traverse folder permission on the parent share's NTFS permissions. After that condition is met, ABE starts working, and its functionality is not limited to only two levels. When this specific right of the Traverse folder is pushed to all folders under the parent share, ABE works for all the sub-folders and files that take the specified access permissions, and the folders are enumerated accordingly.

↑ Back to the top

Resolution

To continue using ABE, the user should have at least read permissions to the folders at all levels in the tree.

↑ Back to the top

More Information

A share that's named DATA exists in the following structure when ABE is enabled:
DATA - Parent Level - Sharing - Everyone with Full control, NTFS- admin/system/users group - Read- With disabled inheritance
|
Directory1 - Level1 - with disabled inheritance and inherited permissions applied as explicit permissions
|
Directory2 - Level2 - User doesn't have any permissions
|
Directory3 - Level3- User doesn't have any permissions
|
Directory4 - Level4- User had Full control.

Notes
  • If User1 has read permissions on the complete tree structure, he or she can successfully browse to \\server\data\directory1\directory2\directory3\directory4.
  • If User2 has read permissions on Directory1 and Directory4, this user can browse only \\server\data\directory1. He or she cannot browse to \\server\data\directory1\directory2\directory3\directory4.
  • When a user has read access to a parent directory and read access to grandchild directories but no access to the child directories in between, the user cannot use Explorer.exe to browse the grandchild directory.
  • By using a command prompt, User2 can issue the Dir command against \\server\data\directory1\directory2\directory3\directory4 and see the directory's contents. The user can also map a drive to the path by using Net Use and then by opening the mapped drive in Explorer.exe. If you disable ABE on the share, users can access all levels in the tree where NTFS allows.

↑ Back to the top

Keywords: kb, kbexpertiseadvanced, kbsurveynew, kbtshoot

↑ Back to the top

Article Info
Article ID : 3035058
Revision : 1
Created on : 1/7/2017
Published on : 3/18/2015
Exists online : False
Views : 407