Determining Users’ Effective Permissions

Assigning file and folder permissions to users and groups in a domain environment is a regular task for systems administrators. When users belong to multiple groups and those groups are assigned different permissions on the same folder, it can become difficult to determine the users’ effective permissions. You can use the Effective Permissions tool to determine a user or group’s effective permissions on a folder or a file.

Remember that permissions are cumulative and that Deny permissions override Allow permissions. This can become a source of insecurity when different groups have multiple Allow permissions. A complicated and unplanned user group membership distribution can lead to users ending up with higher privileges than planned.

The Effective Permissions tool analyzes a user’s permissions as well as the permissions of all groups to which the user’s account belongs. You can then determine what special permissions the user has on the resource in question.

To start the Effective Permissions tool, click the Advanced button located on the Security tab of the target file or folder’s properties and select the Effective Permissions tab. Then click Select to choose the group or user for which you wish to determine effective permissions.

Note that share permissions are not part of the effective permissions calculation. Access to shares can be denied through share permissions even when access is allowed through NTFS permissions.
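The rules above (Allow permissions accumulate across groups, a matching Deny overrides them, and share permissions are checked separately) can be modelled in a few lines. This is an added example, not part of the original article and not how the Effective Permissions tool is implemented; the rights bits, group names and ACLs are constructed, and inheritance and ACE ordering are not modelled.

```python
# Constructed, simplified rights bits (not the real Windows access-mask values).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS = 1, 2, 4, 8, 16
MODIFY = READ | WRITE | EXECUTE | DELETE
FULL = MODIFY | CHANGE_PERMS
NAMES = {READ: "Read", WRITE: "Write", EXECUTE: "Execute",
         DELETE: "Delete", CHANGE_PERMS: "ChangePermissions"}

def names(mask):
    """Readable set of right names contained in a mask."""
    return {name for bit, name in NAMES.items() if mask & bit}

def effective(acl, principals):
    """Union of every matching Allow entry, minus every matching Deny entry."""
    allow = deny = 0
    for kind, trustee, mask in acl:
        if trustee in principals:
            if kind == "allow":
                allow |= mask
            else:
                deny |= mask
    return allow & ~deny

def excess(acl, principals, planned):
    """Rights held beyond the planned set, mapped to the trustees granting them."""
    extra = effective(acl, principals) & ~planned
    return {name: sorted(t for k, t, m in acl
                         if k == "allow" and t in principals and m & bit)
            for bit, name in NAMES.items() if extra & bit}

def network_access(ntfs_acl, share_acl, principals):
    """Over a share, a right is usable only if both NTFS and share ACLs grant it."""
    return effective(ntfs_acl, principals) & effective(share_acl, principals)

# Constructed sample: one user account plus its group memberships.
ALICE = {"alice", "Sales", "Projects", "Contractors"}
FOLDER_ACL = [
    ("allow", "Sales", READ | EXECUTE),
    ("allow", "Projects", MODIFY),       # second group silently adds Write
    ("deny", "Contractors", DELETE),     # Deny removes Delete again
    ("allow", "Admins", FULL),           # not one of Alice's groups
]
SHARE_ACL = [("allow", "Sales", READ | EXECUTE)]

if __name__ == "__main__":
    print("NTFS effective:", sorted(names(effective(FOLDER_ACL, ALICE))))
    print("Beyond plan   :", excess(FOLDER_ACL, ALICE, READ | EXECUTE))
    print("Via the share :", sorted(names(network_access(FOLDER_ACL, SHARE_ACL, ALICE))))
```

The `excess` report is the part worth adapting for audits: it names the group membership responsible for each right the user was never meant to hold.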

Effective permissions are determined from the following factors:

  • Global group membership
  • Local group membership
  • Local permissions
  • Local privileges
  • Universal group membership

On the other hand, factors that are not used to determine effective permissions are:

  • Anonymous Logon
  • Batch
  • Creator Group
  • Dialup
  • Enterprise Domain Controllers
  • Interactive
  • Network
  • Proxy
  • Restricted
  • Remote
  • Service
  • System
  • Terminal Server User
  • Other Organization
  • This Organization