Access Based Enumeration AND Traverse Folder rights

Tags: ntfs, windows-server-2012

Using Server 2012 in a cluster configuration as an upgrade to our main file server (Win2003), we have trouble using Traverse Folder rights AND Access Based Enumeration (ABE).

ABE works really well in our environment when group permissions are set up correctly. However, I need to allow access to certain folders deep down in the structure for individual users that are not in these groups, using Traverse Folder permissions for Authenticated Users on each sub folder (each user is given explicit permissions on the target folder and will then be given a shortcut to this path on their desktop etc.). I can get traverse to work when ABE is turned off; once ABE is turned on the traversal breaks and Explorer on the client (Win7) fails to enumerate the folder or the files within.

This server is set up in the same way our previous 2003 file server was set up, and there ABE and traverse permissions work fine together. Can anyone shed any light on how to do both ABE and traversing on 2012, or suggest any resources or tools to look at, or any differences that were introduced since 2003 regarding ABE or traversal permissions?

Best Answer

The answer is that ABE breaks Traverse. With ABE off, you can grant someone direct access deep in a structure without having to give them rights all the way down from the top, if the default domain and local policy on the member server is in place. (https://technet.microsoft.com/en-us/library/Cc739389%28v=WS.10%29.aspx)

But, "When Access Based Enumeration (ABE) is enabled on a share, the shell (Explorer.exe) enforces traverse checking even though the Bypass Traverse Checking user right is enabled. The user can still enumerate the directory content by running the dir command line." - from https://support.microsoft.com/en-us/kb/3035058

As an additional complication to this matter, Windows 10 doesn't seem to respect this. It can directly browse to a share on a Windows 2008 R2 server that the same user cannot browse to from a Windows 7 client. However, there could have been some difference in the policies applied to the two machines I was using for testing, but I don't believe so.
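As an added example (not part of the original question or answer), the PowerShell below reproduces the layout the question describes on a Windows Server 2012 file server: Traverse Folder only for Authenticated Users on the intermediate folders, explicit rights for one user on the deep target, and ABE toggled on the share via FolderEnumerationMode. The paths, share name, user name and UNC path are assumptions for illustration; the comments at the end list the checks to run from the client to see the Explorer-versus-dir difference that KB 3035058 describes.

```powershell
# Added example, not from the original post. Run as an administrator on the file server.
# Paths, share name and account name below are assumptions for illustration only.
$Root   = 'D:\Shares\Data'              # assumed share root
$Share  = 'Data$'                       # assumed share name
$Target = "$Root\Dept\Project\Reports"  # deep folder the individual user needs
$User   = 'CONTOSO\jdoe'                # assumed user who is not in the department groups

# 1. Build the folder structure.
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# 2. Traverse Folder / Execute File for Authenticated Users (SID S-1-5-11) on the root and
#    each intermediate folder, "this folder only": no (OI)/(CI) flags, and (X) grants
#    traverse only, not List Folder, so these folders are hidden from the user under ABE.
foreach ($Dir in @($Root, "$Root\Dept", "$Root\Dept\Project")) {
    icacls $Dir /grant '*S-1-5-11:(X)' | Out-Null
}

# 3. Explicit Modify on the target folder for the individual user, inherited by its contents.
icacls $Target /grant "${User}:(OI)(CI)M" | Out-Null

# 4. Create the share with ABE off (FolderEnumerationMode Unrestricted); NTFS does the real work.
New-SmbShare -Name $Share -Path $Root -FullAccess 'Authenticated Users' `
    -FolderEnumerationMode Unrestricted | Out-Null

# 5. Turn ABE on for the share and confirm the setting.
Set-SmbShare -Name $Share -FolderEnumerationMode AccessBased -Force
Get-SmbShare -Name $Share | Select-Object Name, Path, FolderEnumerationMode

# Checks to run as $User on the client (assumed UNC path \\fileserver\Data$):
#   whoami /priv | findstr SeChangeNotifyPrivilege
#       -> "Bypass traverse checking" should show as Enabled (default user right)
#   dir \\fileserver\Data$\Dept\Project\Reports
#       -> lists the folder with ABE on or off (dir does not enforce traverse checking)
#   explorer \\fileserver\Data$\Dept\Project\Reports
#       -> fails while FolderEnumerationMode is AccessBased, works once set back to Unrestricted
# To switch ABE off again for comparison:
#   Set-SmbShare -Name $Share -FolderEnumerationMode Unrestricted -Force
```

The (X)-only grants are what make the repro faithful: with ABE off the client relies on Bypass Traverse Checking to reach the target without List Folder on the parents, and with ABE on Explorer applies traverse checking itself, which is the breakage the answer quotes from the KB article.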