Determining Effective NTFS Permissions in Windows Server 2003

The ability to determine the effective NTFS permissions that apply to users or groups has always been a source of contention among network administrators. While operating systems like Novell NetWare have included such functionality for some time, it has always been difficult to determine which permissions are associated with a particular user for a specific resource in both NT 4 and Windows 2000. For example, a user may be a member of multiple groups, each of which has different NTFS permissions on a given file or folder. While this is not a huge issue in environments with a limited number of users or groups, it can be an unwieldy process if hundreds of different groups exist, each with different levels of nesting and different permissions allowed or denied.

To help solve this problem, Microsoft has added a new interface feature within the Advanced properties of the Security tab for NTFS resources. This new tab, known as Effective Permissions, allows you to calculate the permissions that apply to a user or group based on their group membership and the different permissions applied. For example, let's say that a user named Dan is directly granted the Allow Read and Execute permission for a folder called Marketing. However, the Dan user account is also a member of the group Marketing Users, which is granted the Allow Full Control permission, and of the group Everyone, which is granted the Allow Read permission.

Based on the cumulative nature of NTFS permissions, the user Dan would be granted the effective permission Allow Full Control. While this example is fairly basic, production environments typically involve a much greater number of groups, with both allowed and denied permissions. In these cases, the Effective Permissions tab can greatly ease the burden of attempting to determine which permissions will or will not apply for a particular user.
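The following Python model of that calculation is an added example, not code from the original article or from Windows. It expands nested group membership and evaluates ACEs in order; the Staff group and its Deny entry are hypothetical additions to the article's Marketing scenario, and ownership, privileges and share permissions are ignored.

```python
# Added illustration: a simplified model of in-order DACL evaluation.
# The access masks are the standard NTFS file rights values.
READ             = 0x120089  # FILE_GENERIC_READ
READ_AND_EXECUTE = 0x1200A9  # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
WRITE_BITS       = 0x000116  # FILE_WRITE_DATA | APPEND_DATA | WRITE_EA | WRITE_ATTRIBUTES
FULL_CONTROL     = 0x1F01FF  # FILE_ALL_ACCESS

def expand_groups(principal, member_of):
    """Return the principal plus every group reached through nesting."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(member_of.get(name, ()))
    return seen | {"Everyone"}

def effective_mask(principal, member_of, dacl):
    """Walk the ACEs in order; the first ACE to decide a bit wins."""
    sids = expand_groups(principal, member_of)
    granted = denied = 0
    for ace_type, trustee, mask in dacl:
        if trustee not in sids:
            continue
        if ace_type == "allow":
            granted |= mask & ~denied   # bits already denied stay denied
        else:
            denied |= mask & ~granted   # bits already granted stay granted
    return granted

# Constructed sample data: the article's Marketing folder.
# "Staff" is a hypothetical group that Dan reaches only through nesting.
MEMBER_OF = {"Dan": ["Marketing Users"], "Marketing Users": ["Staff"]}
MARKETING_DACL = [
    ("allow", "Dan", READ_AND_EXECUTE),
    ("allow", "Marketing Users", FULL_CONTROL),
    ("allow", "Everyone", READ),
]
# Hypothetical variant: Deny on the write bits for Staff. Canonical ACL
# ordering places explicit Deny ACEs ahead of explicit Allow ACEs.
DENY_DACL = [("deny", "Staff", WRITE_BITS)] + MARKETING_DACL

if __name__ == "__main__":
    for label, dacl in (("article", MARKETING_DACL), ("with deny", DENY_DACL)):
        print(label, hex(effective_mask("Dan", MEMBER_OF, dacl)))
```

With the article's three Allow entries Dan ends up with Full Control; adding the Deny entry on the nested group removes the write bits even though Marketing Users is still allowed Full Control.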

To use the Effective Permissions tab, access the properties of a file or folder residing on an NTFS volume, click the Security tab, and then click the Advanced button. This opens the advanced security properties of the resource.

Clicking on the Effective Permissions tab displays its settings. This interface allows you to add a user or group for whom you want effective NTFS permission information displayed. For example, in this case I'll choose the Dan user account, by clicking the Select button and then entering Dan in the Select User, Group or Computer window, also shown below.

After selecting Dan as the user for whom effective permissions should be generated, the results are displayed in the lower portion of the screen, as shown below. Notice that all permissions apply to the Dan user account. This is because he is a member of the Marketing Users group, for which the Allow Full Control permission has been granted.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.