When the user tries to access the absolute path through Explorer.exe, he or she receives one of the following error messages.
One group (and this includes everyone) should be granted the Traverse folder permission on the parent share's NTFS permissions. After that condition is met, ABE starts working, and its functionality is not limited to only two levels. When this specific right of the Traverse folder is pushed to all folders under the parent share, ABE works for all the sub-folders and files that take the specified access permissions, and the folders are enumerated accordingly.
Directory1 - Level1 - with disabled inheritance and inherited permissions applied as explicit permissions
Directory2 - Level2 - User doesn't have any permissions
Directory3 - Level3- User doesn't have any permissions
Directory4 - Level4- User had Full control.
- If User1 has read permissions on the complete tree structure, he or she can successfully browse to \\server\data\directory1\directory2\directory3\directory4.
- If User2 has read permissions on Directory1 and Directory4, this user can browse only \\server\data\directory1. He or she cannot browse to \\server\data\directory1\directory2\directory3\directory4.
- When a user has read access to a parent directory and read access to grandchild directories but no access to the child directories in between, the user cannot use Explorer.exe to browse the grandchild directory.
- By using a command prompt, User2 can issue the Dir command against \\server\data\directory1\directory2\directory3\directory4 and see the directory's contents. The user can also map a drive to the path by using Net Use and then by opening the mapped drive in Explorer.exe. If you disable ABE on the share, users can access all levels in the tree where NTFS allows.
Artikel-id: 3035058 – senaste granskning 18 mars 2015 – revision: 1