Traverse checking of directory permissions

By default, Windows users have the right to move through a directory tree even though they might not have permissions for each directory in the path. On POSIX systems, you cannot access a directory unless you have permission to access every directory in the path leading to it. The POSIX behavior is known as traverse checking.

For example, if you do not have permission to access a directory, you cannot change the current directory to any of its subdirectories, even if you have permission to access the subdirectories. By default in Windows, you can change the current directory to any subdirectories for which you have permission.

You can ensure POSIX behavior in Windows NT by removing the Bypass Traverse Checking right in User Manager for Domains. To do this, in the User Rights Policy dialog box of User Manager for Domains, select the Show Advanced User Rights check box. In the Right list box, select Bypass traverse checking. Click Everyone, click Remove, and then click OK.

In Windows 2000 and Windows XP, there is a special permission called the Traverse Folder/Execute File permission, which you can set for a user or group. You can configure this permission to allow or deny movement through a directory tree. Traverse folder takes effect only when the group or user is not granted the bypass traverse checking user right in the Group Policy snap-in. In Windows 2000, by default, the Everyone group is given the bypass traverse checking user right. In Windows XP, the Administrators, Backup Operators, Everyone, Power Users, and Users groups are all given this right. For strict conformance with POSIX standards, remove the bypass traverse checking right from all users and groups except Backup Operators. To conform to privileges granted to the root user on many other UNIX implementations, remove the bypass traverse checking right from all users except Administrators and Backup Operators.
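To check a system against the two configurations described above, the following added example (not part of the original documentation) parses the [Privilege Rights] section of a security-policy export and reports which holders of the right would have to be removed. It assumes the INF format written by `secedit /export`, in which Bypass traverse checking appears as SeChangeNotifyPrivilege; the sample export and the baseline names are constructed for illustration.

```python
# Added example: audit who holds "Bypass traverse checking" in a policy export.
# Well-known SIDs for the groups named in the text.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}
# The two target configurations from the text (baseline names are hypothetical).
BASELINES = {
    "strict-posix": {"Backup Operators"},
    "unix-root-like": {"Administrators", "Backup Operators"},
}
# Constructed sample mirroring the Windows XP default holders listed in the text.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

def bypass_holders(inf_text):
    """Return the set of principals holding SeChangeNotifyPrivilege."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # track the current INF section
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "sechangenotifyprivilege":
            continue
        # Entries are comma-separated; SIDs carry a leading '*'.
        items = (item.strip().lstrip("*") for item in value.split(","))
        return {WELL_KNOWN.get(item, item) for item in items if item}
    return set()                          # right not assigned to anyone

def audit(inf_text, baseline):
    """Return (holders to remove, expected holders that are missing)."""
    holders, wanted = bypass_holders(inf_text), BASELINES[baseline]
    return sorted(holders - wanted), sorted(wanted - holders)
```

A real export from `secedit /export /cfg <file> /areas USER_RIGHTS` is normally UTF-16 encoded, so decode it before passing the text to `audit`.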

Traverse checking is supported only on NTFS file systems. Allowing or denying traverse checking has no effect on file-allocation table (FAT) file systems.