How Effective Permissions Are Determined
Applies To: Windows Server 2008
Each object has a set of effective permissions associated with it. The Effective Permissions tab of the Advanced Security Settings property page lists those permissions that would be granted to the selected group or user based solely on the permissions granted directly through group membership. If you would like to find out what permissions a user or group has on an object, you can use the Effective Permissions Tool.
Factors That are Used to Determine Effective Permissions
Global group membership
Local group membership
Universal group membership
Factors That are not Used to Determine Effective Permissions
The following well-known security identifiers (SIDs) are not used to determine effective permissions:
Batch, Creator Group
Enterprise Domain Controllers
Terminal Server User
Also, share permissions are not part of the effective permissions calculation. Access to shares can be denied through share permissions even when access is allowed through NTFS permissions.
Factors That are not Used for Objects That are Accessed Remotely
Local group membership
Effective Permissions evaluates the user's group membership, user privileges, and permissions locally. If the resource being queried is on a remote computer, the effective permissions displayed will not include permissions granted or denied to the user through the use of a local group on the remote computer.
Retrieving Effective Permissions
Accurate retrieval of the above information requires permission to read the membership information. If the specified user or group is a domain object, you must have permission to read the object's group information about the domain. Here are some relevant default domain permissions:
Domain administrators have permission to read membership information about all objects.
Local administrators on a workstation or stand-alone server cannot read membership information for a domain user.
Authenticated domain users can only read membership information when the domain is in Pre-Windows 2000 compatibility mode.
Effective Permissions Tool
If you would like to find out what permissions a user or group has on an object, you can use the Effective Permissions tool. It calculates the permissions that are granted to the specified user or group. The calculation takes the permissions in effect from group membership into account, as well as any permissions inherited from the parent object. It looks up all domain and local groups in which the user or group is a member.
The Everyone group will always be included, as long as the selected user or group is not a member of the Anonymous Logon group.
The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.
For example, if a user is connected to this computer through a shared folder, then the logon for that user is marked as a network logon. Permissions can be granted or denied to the well-known security ID (SID) Network which the connected user receives, so a user has different permissions when logged on locally than when logged on over a network.
For information about granting access for effective permissions, see article 331951 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=63270).
For information about using the Effective Permissions tool, see View Effective Permissions on Files and Folders.