Determining Effective NTFS Permissions in Windows Server 2003

Taking things a step further, I want to explore the effective permissions associated with the Everyone group. Instead of supplying the username, in this case I supply the group name. Recall that the Everyone group has been granted the Allow Read permission only. In this case, notice that the permission list is significantly more restricted, listing only the special permissions associated with the standard Read permission, as shown below. This same process can be used for any user or group for which you require effective permissions information.

Unfortunately, the effective permission feature is not without inherent faults. First and foremost, the tool does nothing to assess the impact of any shared folder permissions that may apply, so the results it provides may not be accurate for your particular settings. Secondly, the tool determines effective permissions based only on user or group membership, and not on the method of logon. For example, although most users log on to a system interactively, resource access may also be affected by permissions applied to system groups like Network. Because of this, a user’s effective permissions might be full control on the local system based on membership, but may be further restricted by permissions applied to the Network group.

In fact, none of the system groups (Batch, Dialup, System, Network, etc.) are used as part of determining the effective permissions of a user or group.
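Both gaps described above, the ignored share permissions and the ignored logon-type groups, can be seen in a small model. This is an added example, not code from the original article or from Windows; it assumes a flat ACL without inheritance in which a matching deny always wins, and the user `alice`, the group `Staff`, and all ACL entries are constructed sample data.

```python
# Added illustration: a simplified model, not the Windows AccessCheck code.
# Assumes a flat ACL with no inheritance, so any matching deny beats any allow.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE

# Logon-type system groups that the Effective Permissions tab leaves out.
LOGON_GROUPS = {"NETWORK", "INTERACTIVE", "BATCH", "DIALUP", "SYSTEM"}

def evaluate(acl, principals):
    """Rights granted by an ACL of (kind, trustee, mask) entries."""
    allow = deny = 0
    for kind, trustee, mask in acl:
        if trustee in principals:
            if kind == "deny":
                deny |= mask
            else:
                allow |= mask
    return allow & ~deny

def tool_estimate(ntfs_acl, user, groups):
    """What the tab reports: membership only, no logon groups, no share ACL."""
    return evaluate(ntfs_acl, ({user} | set(groups)) - LOGON_GROUPS)

def actual_access(ntfs_acl, share_acl, user, groups, logon):
    """Access for a real session, whose token also carries the logon group."""
    principals = {user} | set(groups) | {logon}
    rights = evaluate(ntfs_acl, principals)
    if logon == "NETWORK":  # reached through the share: both ACLs must agree
        rights &= evaluate(share_acl, principals)
    return rights

def names(mask):
    labels = {READ: "Read", WRITE: "Write", EXECUTE: "Execute", DELETE: "Delete"}
    return [label for bit, label in labels.items() if mask & bit] or ["None"]

# Constructed sample data: user "alice" and group "Staff" are hypothetical.
NTFS_ACL = [("allow", "Everyone", READ),
            ("allow", "Staff", FULL),
            ("deny", "NETWORK", WRITE | DELETE)]
SHARE_ACL = [("allow", "Everyone", READ | EXECUTE)]
GROUPS = ["Everyone", "Staff"]

if __name__ == "__main__":
    print("Tool estimate:", names(tool_estimate(NTFS_ACL, "alice", GROUPS)))
    for logon in ("INTERACTIVE", "NETWORK"):
        result = actual_access(NTFS_ACL, SHARE_ACL, "alice", GROUPS, logon)
        print(f"Actual ({logon}):", names(result))
```

The membership-only estimate matches what an interactive session gets, but the same user arriving over the network is cut down by both the Network deny entry and the share ACL.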

Because of this, the Windows Server 2003 documentation states that the Effective Permission feature provides only an approximation of the real effective permissions that apply to a user. While this is certainly not perfect, the model which Microsoft has used to implement security (and the manner in which this data is stored) makes it difficult to get an exact reading on things like effective permissions. However, for almost all system administrators, the inclusion of such a tool in Windows Server 2003 will help to save some of the time, energy, and frustration experienced in the past when trying to calculate the impact of different NTFS permissions, especially in large environments.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.