How to Use the Bypass Traverse Checking User Right

Q: What is the purpose of the Windows Bypass Traverse Checking user right (also referred to as SeChangeNotifyPrivilege)?

A: If a Windows account is granted the Bypass Traverse Checking user right, the account—or the process that acts on behalf of the account—is allowed to bypass certain Windows security checks. Bypass Traverse Checking determines which users can traverse directory or file system folder trees even though they might not have permissions on the level of the traversed directory or file system folder hierarchy itself.

The following is an example of how this user right works: Imagine you have a file system folder called Confidential_Information that has access permissions only for user Bob. Inside this folder there's a file called For_Alice_Only.txt that has read permissions for user Alice. If Alice is granted the Bypass Traverse Checking user right, Alice can access the file directly, without having access denied problems because she doesn't have read permissions on the folder the file is in. Note that the Bypass Traverse Checking user right doesn't let Alice list the contents of the Confidential_Information folder; instead, it lets her “traverse” the folder and access the For_Alice_Only.txt file directly.

On Windows workstations and servers, the Bypass Traverse Checking user right is given to members of the Administrators, Backup Operators, Power Users (this group doesn't exist in Windows Vista anymore), Users, and Everyone groups by default. On domain controllers (DCs), the user right is given to members of the Administrators and Authenticated Users groups by default. In a Windows Active Directory (AD) environment, you can centrally control who is granted the Bypass Traverse Checking user right by configuring the corresponding Group Policy Object (GPO) setting in the Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment GPO container.

Unless you have very strict security requirements (for example, in government or military environments), I recommend using the default Bypass Traverse Checking settings. If you remove a Windows account’s Bypass Traverse Checking user right, the user will notice a performance hit when he/she accesses files or folders on an NTFS-formatted drive because of the additional folder-level access checks that will occur in the background. That's why leaving Bypass Traverse Checking enabled is a performance- and NTFS- optimization trick.