Most of the time, NTFS permissions are fairly straightforward. In large organizations though, you may find it difficult to determine what permissions apply to individual users, as they could potentially be members of many different groups.
Fortunately, Microsoft gives us the Effective Permissions tool which makes the process of evaluating NTFS permissions a lot easier. The catch, however, is that the tool is sometimes wrong. But why?
Let's start by looking at how the Effective Permissions tool works with NTFS. Suppose for a moment that you need to figure out what permissions an individual user has for a particular folder. To do so, simply right-click the folder and choose the Properties option from the shortcut menu. Windows will then display the folder's properties sheet.
If you go to the Security tab, you will see a list of all NTFS permissions that have been assigned to various users and groups. Of course, one user can be a member of multiple groups, so at this point it's hard to say exactly what permissions apply to each individual user. To evaluate the NTFS permissions that apply to a user account, click the Advanced button. This will cause Windows to display the Advanced Security Settings properties sheet.
Open the properties sheet's Effective Permissions tab, click the Select button, and enter the name of the user or group whose permissions you want to evaluate. Click OK, and Windows will fill in the check boxes that correspond to the permissions that apply to the user or group you have selected. You can see an example of this in Figure A.
Although this may seem simple enough, using the Effective Permissions tool can also be frustrating at times. If all you want to do is verify the permissions that apply to a user or group, the tool usually works well. Things can become difficult though, when the effective NTFS permissions aren't what you were expecting.
There are two main reasons for this. First, the Effective Permissions tool only tells you what the effective permissions are -- not where those permissions come from. Therefore, if you end up having an unexpected set of effective permissions, you'll usually end up having to find out what groups the user belongs to and evaluate the permissions on each individual group to find out why the user has that permission set.
The other frustrating aspect of the Effective Permissions tool is that there are a lot of factors it doesn't take into account. The tool only looks at the NTFS permissions that are assigned to users and groups, and then makes an evaluation by combining any applicable permissions. On the surface, it would seem that if you are only interested in evaluating NTFS permissions (as opposed to share permissions), this is the only information that you need to worry about anyway. There are some situations, however, in which the way a user logs in makes a difference in how the permissions are applied.
So why does this happen? Well you have to remember that you are using an administrative account when you run the Effective Permissions tool. Since you're not actually logged in as the user whose permissions you are trying to determine, Windows makes a best guess approximation using the information that is available at that moment.
In case you're wondering, the Effective Permissions tool often produces different results depending on whether a user is logged on locally or remotely. For example, if a user is accessing an object remotely, then any local group memberships or other local privileges are completely ignored. Since the Effective Permissions tool doesn't know how a user will be logging in, it may report a different set of effective permissions than what might actually be applied in the real world.
On top of this, there are a number of well known SIDs that are not taken into account when the NTFS permissions are evaluated. The most well-known of these include:
- Anonymous Logon
- Batch, Creator Group
- Enterprise Domain Controllers
- Terminal Server User
- Other Organization
- This Organization
Unfortunately, there is no getting around the inaccuracies that are built into the Effective Permissions tool. I've found, however, that just knowing about the inaccuracies makes troubleshooting NTFS permission problems a whole lot easier.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit his personal Web site at www.brienposey.com.
This was first published in July 2009