Windows domain share permissions basics

Consider the following share rights:

Security \\dev\profiles\
rw – Administrators

Security \\dev\profiles\bambus02
inherited AND
rw – bambus02

Sharing \\dev\profiles
rw – Everyone

As "bambus02", my access to \\dev\profiles is denied, but access to \\dev\profiles\bambus02 is allowed with full rights. This is indeed the desired behaviour, but the question is:

Why am I allowed to access a subfolder of a share when a higher folder on the path (profiles) has access denied?

Is that not how ACL checks work, checking all path segments from top to bottom and stopping as soon as one of them is not allowed?


Solution 1:

You will want to look at the Advanced Security Settings (detailed NTFS permissions) on the shared folder. Most likely, you'll find that your user account has the "Traverse folder / execute file" permission.

Even if you don't have this permission, the default settings are to bypass this restriction entirely.

For folders: The Traverse Folder permission applies only to folders. This permission allows or denies the user from moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.

Source: KB Article 308419
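The answer above points at two separate things to verify: the Traverse Folder / Execute File ACE on the parent folder, and the "Bypass traverse checking" user right (its privilege name is SeChangeNotifyPrivilege, which is what whoami and secedit report). The following PowerShell script is an added example for checking both on the file server; it is not code from the question or the answer. The paths and the user name are taken from the question, the parameter names and function names are assumptions, and the script must be run on the server that hosts \\dev\profiles (the user right is assigned per machine, so a client-side token says nothing about the server), in a session running as the account being investigated for the token check.

```powershell
# Added example (not from the original post): inspect NTFS ACEs that grant
# Traverse Folder / Execute File on a folder, and check whether the current
# token and the local security policy carry "Bypass traverse checking"
# (SeChangeNotifyPrivilege). Run on the file server, as the account under test.
param(
    [string]$ParentPath = '\\dev\profiles',          # path from the question
    [string]$ChildPath  = '\\dev\profiles\bambus02', # path from the question
    [string]$User       = 'bambus02'                 # user from the question
)

function Get-TraverseAces {
    param([string]$Path)
    # Traverse Folder / Execute File is the ExecuteFile bit of FileSystemRights.
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0
    } | Select-Object IdentityReference, AccessControlType, IsInherited, FileSystemRights
}

function Test-TokenBypassTraverse {
    # whoami /priv lists the privileges present in the current token.
    # Bypass traverse checking appears as SeChangeNotifyPrivilege.
    $line = whoami /priv | Select-String -Pattern 'SeChangeNotifyPrivilege'
    return [bool]$line
}

function Get-PolicyBypassTraverse {
    # Export the effective local security policy and read the [Privilege Rights]
    # entry for SeChangeNotifyPrivilege. Needs an elevated session.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed temp file name
    secedit /export /cfg $cfg /quiet | Out-Null
    $entry = Select-String -Path $cfg -Pattern '^SeChangeNotifyPrivilege\s*=\s*(.*)$'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($entry) { return $entry.Matches[0].Groups[1].Value.Split(',') }
    return @()
}

Write-Host "ACEs granting Traverse Folder / Execute File on $ParentPath"
Get-TraverseAces -Path $ParentPath | Format-Table -AutoSize

Write-Host "Full ACL on $ChildPath"
(Get-Acl -Path $ChildPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

if (Test-TokenBypassTraverse) {
    Write-Host "Token holds SeChangeNotifyPrivilege: parent folders are not checked when $User opens $ChildPath."
} else {
    Write-Host "Token lacks SeChangyNotifyPrivilege: every segment of the path must grant Traverse Folder to $User."
}

Write-Host "Accounts assigned Bypass traverse checking by local policy (S-1-1-0 is Everyone):"
Get-PolicyBypassTraverse
```

If the policy export shows `*S-1-1-0` (Everyone) on SeChangeNotifyPrivilege, which is the default the answer describes, the denied ACE on \\dev\profiles is simply never consulted when the user opens \\dev\profiles\bambus02 directly; only the ACL of the final object decides. Removing Everyone from that user right is a supported hardening step, but it makes every intermediate folder's Traverse permission matter and is a known source of broken logon scripts and profile paths, so test it on a single server first and watch for access-denied errors on deep paths.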