Determining Effective NTFS Permissions in Windows Server 2003

The ability to determine the effective NTFS permissions that apply to users or groups has always been a source of contention among network administrators. While operating systems like Novell NetWare have included such functionality for some time, it has always been difficult to determine which permissions are associated with a particular user for a specific resource in both NT 4 and Windows 2000. For example, a user may be a member of multiple groups, each of which has different NTFS permissions on a given file or folder. While this is not a huge issue in environments with a limited number of users or groups, it can be an unwieldy process if hundreds of different groups exist, each with different levels of nesting and different permissions allowed or denied.

To help to solve this problem, Microsoft has added a new interface feature within the Advanced properties of the Security tab for NTFS resources. This new tab, known as Effective Permissions, allows you to calculate the permissions that apply to a user or group based on their group membership and the different permissions applied. For example, let’s say that a user named Dan is directly granted the Allow Read and Execute permission for a folder called Marketing. However, the Dan user account is a member of the group Marketing Users granted the Allow Full Control permission, and the group Everyone, granted the Allow Read permission.

Because NTFS permissions are cumulative (the Allow entries for the user's own account and for every group the user belongs to are combined), the user Dan would be granted the effective permission Allow Full Control. Deny entries are the exception to this rule: a Deny that matches the user or any of his groups removes those rights regardless of what other entries allow. While this example is fairly basic, production environments typically involve a much greater number of groups, with both allowed and denied permissions. In these cases, the Effective Permissions tab can greatly ease the burden of attempting to determine which permissions will or will not apply for a particular user.

To use the Effective Permissions tab, access the properties of a file or folder residing on an NTFS volume, click the Security tab, and then click the Advanced button. This opens the advanced security properties of the resource.

Clicking the Effective Permissions tab displays its settings. This interface allows you to add a user or group for whom you want effective NTFS permission information displayed. For example, in this case I'll choose the Dan user account by clicking the Select button and then entering Dan in the Select User, Group, or Computer window, also shown below.

After selecting Dan as the user for whom effective permissions should be generated, the results are displayed in the lower portion of the screen, as shown below. Notice that all permissions apply to the Dan user account. This is because he is a member of the Marketing Users group, which has been granted the Allow Full Control permission. Keep in mind that the tab resolves group membership from the directory rather than from a live logon token, so it does not account for logon-dependent groups such as Interactive or Network, and it considers only the NTFS permissions on the resource, not any share permissions that would further restrict access over the network.
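The following Python model, added here as an illustration and not part of the original article or of Windows itself, reproduces the calculation the Effective Permissions tab performs for Dan on the Marketing folder and then extends it to the cases the article only alludes to: an explicit Deny that strips a right the user's group is otherwise allowed, and the ordering rule by which an explicit Allow on the folder beats a Deny inherited from its parent. The access-mask bits are a simplified subset of the real NTFS mask, and the ACL and group memberships are constructed for the example.

```python
from dataclasses import dataclass

# Simplified subset of the NTFS access mask (one bit per generic right).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (1 << i for i in range(6))
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWNER
READ_EXECUTE = READ | EXECUTE
ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Ace:
    kind: str               # ALLOW or DENY
    trustee: str            # user or group name (a SID on a real volume)
    mask: int               # rights this entry allows or denies
    inherited: bool = False


def canonical(acl):
    """Order entries the way Windows stores a canonical DACL:
    explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind == ALLOW))


def effective_permissions(acl, principal, groups):
    """Rights `principal` ends up with, given the (already flattened) set of
    groups it belongs to. Allows from every matching entry accumulate; a Deny
    removes bits that no earlier entry already granted, so in a canonical
    DACL an explicit Deny beats any Allow."""
    token = {principal} | set(groups)
    granted = denied = 0
    for ace in canonical(acl):
        if ace.trustee not in token:
            continue
        if ace.kind == DENY:
            denied |= ace.mask & ~granted
        else:
            granted |= ace.mask & ~denied
    return granted


def describe(mask):
    """Render a mask roughly the way the Effective Permissions tab labels it."""
    if mask == FULL_CONTROL:
        return "Full Control"
    names = [("Read", READ), ("Write", WRITE), ("Execute", EXECUTE),
             ("Delete", DELETE), ("Change Permissions", CHANGE_PERMS),
             ("Take Ownership", TAKE_OWNER)]
    return ", ".join(n for n, bit in names if mask & bit) or "None"


# The article's Marketing folder, constructed here for the example.
MARKETING_ACL = [
    Ace(ALLOW, "Dan", READ_EXECUTE),
    Ace(ALLOW, "Marketing Users", FULL_CONTROL),
    Ace(ALLOW, "Everyone", READ),
]
DAN_GROUPS = {"Marketing Users", "Everyone"}


def dan_on_marketing():
    """The article's case: three Allows accumulate to Full Control."""
    return effective_permissions(MARKETING_ACL, "Dan", DAN_GROUPS)


def dan_after_deny_write():
    """Same folder after an explicit Deny Write is added for Marketing Users:
    the Deny strips Write even though the group is also allowed Full Control."""
    acl = MARKETING_ACL + [Ace(DENY, "Marketing Users", WRITE)]
    return effective_permissions(acl, "Dan", DAN_GROUPS)


def explicit_allow_beats_inherited_deny():
    """A Deny inherited from the parent folder sorts after an explicit Allow
    set on the folder itself, so Dan keeps Write here."""
    acl = [Ace(DENY, "Everyone", WRITE, inherited=True),
           Ace(ALLOW, "Dan", WRITE)]
    return effective_permissions(acl, "Dan", DAN_GROUPS)


if __name__ == "__main__":
    print("Dan on Marketing:           ", describe(dan_on_marketing()))
    print("Dan after Deny Write:       ", describe(dan_after_deny_write()))
    print("Explicit Allow vs inh. Deny:", describe(explicit_allow_beats_inherited_deny()))
```

The important design point is the canonical ordering: the tab (and the kernel's access check) honours the position of entries, not just their type, so a non-canonical DACL written by a tool that puts an Allow ahead of a Deny will produce different results from the same entries in canonical order.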

The Resultant Set of Policy (RSoP) Tool

The purpose of this article is not to provide you with an overview of all the new features of Windows Server 2003. Instead, I have decided to concentrate on one important new tool that specifically deals with 'results', in this case with respect to group policy settings. In a follow-up article I will cover a new feature that allows the cumulative permissions that apply to users, groups, and computers to be easily obtained.

The new tool covered in this article is known as Resultant Set of Policy, or RSoP. Resultant Set of Policy is an administrative tool provided as an MMC snap-in that allows an administrator to easily gauge the cumulative group policy settings that apply to a user or computer. If you'll recall from Windows 2000, group policy settings in a domain environment are usually set at three different levels, namely sites, domains, and OUs, on top of the local GPO that every computer processes first. While this model provides a great deal of flexibility, it can also make the actual settings that apply to a user or computer difficult to discern.

For example, the first major issue is the order of group policy processing: the local GPO, followed by site GPOs, then domain GPOs, then OU GPOs, with a setting applied later overriding the same setting applied earlier. At any given level, multiple GPOs may be linked to the same container, and they are applied according to the link order configured for that container. Confusing things further is the fact that inheritance can be blocked at a container, and a link can be set to No Override (renamed Enforced in the Group Policy Management Console), which pushes its settings through any block below and prevents lower-level GPOs from overriding them. Going a step further, GPOs can also be filtered through permissions: only users and computers that hold the Apply Group Policy permission on a GPO actually process it, so a GPO linked to a container may apply to some of its members and not others, according to your specific needs or requirements. When all is said and done, determining the actual settings that will ultimately apply to a user or computer can be at best difficult, if not impossible, especially in large environments.
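To make those rules concrete, here is a small Python model of the precedence logic, added as an example for this article; it is not the article's own code nor Microsoft's RSoP implementation. It applies GPOs in processing order (local, site, domain, OU), honours link order within a container, drops inherited non-enforced links below a container that blocks inheritance, applies No Override/Enforced links last with higher containers winning, and skips GPOs on which the principal lacks the Apply Group Policy permission. The site, domain, OU, GPO names and setting names are constructed for illustration and are not real policy identifiers; security filtering is simplified to a group-membership check, and WMI filters are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict                                   # setting name -> value
    apply_to: frozenset = frozenset({"Authenticated Users"})  # groups holding Apply Group Policy


@dataclass
class Link:
    gpo: Gpo
    order: int                 # link order within the container; 1 wins
    enforced: bool = False     # "No Override" in Windows 2000, "Enforced" in GPMC


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def rsop(chain, token_groups, local_gpo=None):
    """Resultant settings for a principal whose token holds `token_groups`.
    `chain` lists the containers from the site down to the object's own OU.
    Returns (settings, winner), where winner maps each setting to the GPO
    that supplied it. GPOs are collected in the order they are applied; the
    last one applied wins a conflict."""
    normal, enforced = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []        # drop non-enforced links inherited from above
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not link.enforced:
                normal.append(link.gpo)   # higher order number is applied first
        for link in sorted(container.links, key=lambda l: l.order):
            if link.enforced:
                enforced.append(link.gpo)
    # Enforced links are applied after everything else, and an enforced link
    # on a higher container beats one on a lower container, hence the reversal.
    apply_order = ([local_gpo] if local_gpo else []) + normal + enforced[::-1]
    settings, winner = {}, {}
    for gpo in apply_order:
        if not (gpo.apply_to & token_groups):
            continue           # security filtering: no Apply Group Policy right
        for name, value in gpo.settings.items():
            settings[name] = value
            winner[name] = gpo.name
    return settings, winner


def build_chain(block_marketing=True):
    """Constructed site -> domain -> OU chain for the example."""
    site = Container("Default-First-Site", [
        Link(Gpo("Site Proxy", {"ProxyServer": "proxy.site.example:8080"}), 1)])
    domain = Container("example.com", [
        Link(Gpo("Default Domain Policy",
                 {"ScreenSaverTimeout": 900, "ProxyServer": "proxy.corp.example:8080"}), 1),
        Link(Gpo("Corp Lockdown", {"DisableCmd": True}), 2, enforced=True)])
    marketing = Container("OU=Marketing", [
        Link(Gpo("Marketing Desktop", {"ScreenSaverTimeout": 600, "DisableCmd": False}), 1),
        Link(Gpo("Marketing Admin Tools", {"DisableCmd": False, "RemoteDesktop": True},
                 apply_to=frozenset({"Marketing Admins"})), 2)],
        block_inheritance=block_marketing)
    return [site, domain, marketing]


def dan_rsop():
    """Ordinary Marketing user; the OU blocks inheritance."""
    return rsop(build_chain(), {"Authenticated Users", "Marketing Users"})


def marketing_admin_rsop():
    """Member of Marketing Admins, so the filtered GPO applies as well."""
    return rsop(build_chain(), {"Authenticated Users", "Marketing Admins"})


def dan_rsop_without_block():
    """Same user with Block Policy Inheritance removed from the OU."""
    return rsop(build_chain(block_marketing=False), {"Authenticated Users", "Marketing Users"})


if __name__ == "__main__":
    for label, fn in [("Dan", dan_rsop), ("Marketing admin", marketing_admin_rsop),
                      ("Dan, no block", dan_rsop_without_block)]:
        settings, winner = fn()
        print(label)
        for name in sorted(settings):
            print(f"  {name} = {settings[name]!r}  (from {winner[name]})")
```

Two results are worth noticing. With inheritance blocked on the Marketing OU, Dan receives no proxy setting at all, because both the site and domain links are non-enforced and are discarded, yet he still gets DisableCmd from Corp Lockdown, because the No Override link pierces the block and is applied after the OU's own GPO that tried to set it to False. Remove the block and the domain's proxy setting wins over the site's, simply because domain GPOs are processed after site GPOs.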

To help with this problem, Microsoft provided a utility in the Windows 2000 Resource Kit known as gpresult.exe. Essentially, this command-line utility was used to discern the exact policy settings that would apply to a user or computer once group policy processing was complete. Unfortunately, the long text-based output of the tool made it difficult to grasp exact settings, and as another tool buried in the Resource Kit, many administrators weren't even aware of its existence. Gpresult.exe is now included as a built-in utility with Windows Server 2003, but most administrators will probably still feel more comfortable with the Resultant Set of Policy tool.

As mentioned earlier, RSoP is simply an MMC snap-in. It can be added to or removed from a console like any other snap-in, through Add/Remove Snap-in on the console's File menu.

Once added to an MMC console, the RSoP interface is fairly basic. Remember that the tool's purpose is to provide you with the list of settings that will apply to a user or computer after all applicable group policy settings have been processed. To see this information, you simply right-click the Resultant Set of Policy node and click Generate RSoP Data, as shown below. This starts the Resultant Set of Policy Wizard, which lets you choose between logging mode, which reports the settings actually applied to an existing user and computer, and planning mode, which simulates the result for a user and computer you specify, and then choose the user or computer for which you want to view RSoP data.