Explorer.exe enforces traverse checking when ABE is enabled on a share

Applies to: Windows Server 2012 Standard, Windows Server 2012 R2 Standard

Symptoms


When Access Based Enumeration (ABE) is enabled on a share, the shell (Explorer.exe) enforces traverse checking even though the Bypass Traverse Checking user right is enabled. The user can still enumerate the directory content by running the dir <SharePath> command at a command prompt.

When the user tries to access the absolute path through Explorer.exe, he or she receives one of the following error messages.

Error 1
Unspecified error, Error code: 0X80004005 (enumeration Failed)

Error 2
Windows cannot find '<absolute path of the share>'. Check the spelling and try again, or try searching for the item by clicking the Start Button and then clicking Search.

Error 3
<SharePath> is not accessible. Access is denied.

Cause


Access Based Enumeration works on Security (NTFS) permissions and not on share-level permissions. On the share, everyone must be granted Full Control permissions so that users can read and write to the folders in the share. NTFS permissions regulate all enumeration of folders.

A group that includes every user (for example, the Everyone group) should be granted the Traverse folder permission in the NTFS permissions of the parent share. After that condition is met, ABE starts working, and its functionality is not limited to only two levels. When this Traverse folder permission is propagated to all folders under the parent share, ABE works for all the subfolders and files that receive the specified access permissions, and the folders are enumerated accordingly.

Resolution


To continue using ABE, the user should have at least read permissions to the folders at all levels in the tree.

More Information


A share that's named DATA exists in the following structure when ABE is enabled:

DATA - Parent level - Share permissions: Everyone with Full Control; NTFS permissions: Administrators, SYSTEM, and Users groups with Read; inheritance disabled
|
Directory1 - Level1 - Inheritance disabled, with the inherited permissions applied as explicit permissions
|
Directory2 - Level2 - User doesn't have any permissions
|
Directory3 - Level3 - User doesn't have any permissions
|
Directory4 - Level4 - User has Full Control

Notes
  • If User1 has read permissions on the complete tree structure, he or she can successfully browse to \\server\data\directory1\directory2\directory3\directory4.
  • If User2 has read permissions on Directory1 and Directory4, this user can browse only \\server\data\directory1. He or she cannot browse to \\server\data\directory1\directory2\directory3\directory4.
  • When a user has read access to a parent directory and read access to grandchild directories but no access to the child directories in between, the user cannot use Explorer.exe to browse the grandchild directory.
  • By using a command prompt, User2 can issue the dir command against \\server\data\directory1\directory2\directory3\directory4 and see the directory's contents. The user can also map a drive to the path by using net use and then open the mapped drive in Explorer.exe. If you disable ABE on the share, users can access all levels in the tree that NTFS permissions allow.
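The following PowerShell script is an added example for the Cause/Resolution sections and for the DATA tree above; it is not part of the Microsoft article. It rebuilds the described structure on a lab server (share permissions Everyone Full Control, NTFS permissions as listed per level, ABE enabled) and provides a Test-LevelAccess function that lists every prefix of a UNC path the way Explorer.exe walks it, so you can see at which level the traversal is denied. The local path C:\DATA, the local test account User2, the share name DATA, and an elevated session on a Windows Server 2012 or later lab host are assumptions.

```powershell
# Added example, not part of the Microsoft article. Builds the DATA tree from the
# "More Information" section on a lab server, shares it with ABE enabled, and defines
# Test-LevelAccess to show which levels of a UNC path a user can list.
# Assumptions (not from the article): local path C:\DATA, a local test account User2,
# and an elevated session on a Windows Server 2012 or later lab host.
param(
    [string]$Root     = 'C:\DATA',
    [string]$TestUser = "$env:COMPUTERNAME\User2"   # constructed lab account
)

# 1. Folder tree: DATA\Directory1\Directory2\Directory3\Directory4
$dir1 = Join-Path $Root 'Directory1'
$dir2 = Join-Path $dir1 'Directory2'
$dir3 = Join-Path $dir2 'Directory3'
$dir4 = Join-Path $dir3 'Directory4'
foreach ($d in $Root, $dir1, $dir2, $dir3, $dir4) {
    New-Item -ItemType Directory -Path $d -Force | Out-Null
}

# 2. NTFS permissions as described in the article.
#    DATA: inheritance removed; Administrators, SYSTEM and Users get Read (RX).
icacls $Root /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)RX' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)RX' 'BUILTIN\Users:(OI)(CI)RX' | Out-Null
#    Directory1: inheritance disabled, inherited ACEs copied as explicit ACEs.
icacls $dir1 /inheritance:d | Out-Null
#    Directory2 and Directory3: only Administrators and SYSTEM; the test user has no ACE.
foreach ($d in $dir2, $dir3) {
    icacls $d /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}
#    Directory4: the test user gets Full Control.
icacls $dir4 /inheritance:r /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${TestUser}:(OI)(CI)F" | Out-Null

# 3. Share permissions: Everyone Full Control; enumeration is restricted by NTFS (ABE).
if (Get-SmbShare -Name 'DATA' -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name 'DATA' -FolderEnumerationMode AccessBased -Force
} else {
    New-SmbShare -Name 'DATA' -Path $Root -FullAccess 'Everyone' `
        -FolderEnumerationMode AccessBased | Out-Null
}

# 4. Diagnostic: try to list every prefix of a UNC path, as Explorer.exe does when it
#    walks the tree. Run it in a non-elevated session as the user being investigated.
function Test-LevelAccess {
    param([Parameter(Mandatory)][string]$UncPath)
    # \\server\share\a\b -> 'server','share','a','b'
    $parts = $UncPath.TrimEnd('\') -split '\\' | Where-Object { $_ }
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = '\\' + ($parts[0..$i] -join '\')
        try {
            Get-ChildItem -LiteralPath $prefix -ErrorAction Stop | Out-Null
            $state = 'OK'
        } catch {
            if ($_.CategoryInfo.Category -eq 'PermissionDenied') { $state = 'DENIED' }
            else { $state = 'ERROR: ' + $_.Exception.Message }
        }
        # Level 0 is the share root, Level 1 is Directory1, and so on.
        [pscustomobject]@{ Level = $i - 1; Path = $prefix; List = $state }
    }
}

# Example diagnostic call, to be run as User2:
# Test-LevelAccess "\\$env:COMPUTERNAME\DATA\Directory1\Directory2\Directory3\Directory4"
```

Run steps 1 to 3 elevated, then sign in as User2 and call Test-LevelAccess against the full UNC path. For the tree above, the share root, Directory1 and Directory4 report OK while Directory2 and Directory3 report DENIED: a dir against the leaf succeeds because it opens only Directory4, whereas Explorer.exe stops at Directory2 even with Bypass Traverse Checking granted. To verify the Resolution, grant User2 Read on Directory2 and Directory3 (for example icacls with (OI)(CI)RX) and rerun the function; every level should then report OK.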