How Effective Permissions Are Determined
Applies To: Windows 7, Windows Server 2008 R2
Each object has a set of effective permissions associated with it. The Effective Permissions tab of the Advanced Security Settings property page lists the permissions that would be granted to the selected group or user based solely on the permissions granted directly through group membership. If you want to find out what permissions a user or group has on an object, you can use the Effective Permissions tool.
Factors that are used to determine effective permissions
The following are used to determine effective permissions:
- Global group membership
- Local group membership
- Universal group membership
Factors that are not used to determine effective permissions
The following well-known security identifiers (SIDs) are not used to determine effective permissions:
- Batch
- Creator Group
- Enterprise Domain Controllers
- Terminal Server User
Also, share permissions are not part of the effective permissions calculation. Access to shares can be denied through share permissions even when access is allowed through NTFS permissions.
Factors that are not used for objects that are accessed remotely
The following are not used to determine effective permissions for objects that are accessed remotely:
- Local group membership
Effective permissions are based on a local evaluation of the user's group membership, user privileges, and permissions. If the resource being queried is on a remote computer, the effective permissions displayed will not include permissions granted or denied to the user through the use of a local group on the remote computer.
Retrieving effective permissions
Accurate retrieval of the above information requires permission to read the membership information. If the specified user or group is a domain object, you must have permission to read the object's group information in the domain.
When you use the Effective Permissions tab to determine the permissions that a user has for certain resources in a domain, the results that are displayed in the user interface may be inconsistent with the actual permissions of the user for that resource. This problem occurs when one of the following conditions is true:
- You run the administrative tools remotely from the resource server.
- The user account that you use to run the administrative tools is not in the same domain as the resource.
Here are some relevant default domain permissions:
- Domain administrators have permission to read membership information about all objects.
- Local administrators on a workstation or stand-alone server cannot read membership information for a domain user.
Effective Permissions tool
If you want to find out what permissions a user or group has on an object, you can use the Effective Permissions tool. It calculates the permissions that are granted to the specified user or group. The calculation includes the permissions in effect from group membership and any permissions inherited from the parent object. It looks up all domain and local groups in which the user or group is a member.
The Everyone group will always be included, as long as the selected user or group is not a member of the Anonymous Logon group.
The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different because permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool if the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.
For example, if a user is connected to this computer through a shared folder, then the logon for that user is marked as a network logon. Permissions can be granted or denied to the Network well-known SID, which the connected user receives, so a user has different permissions when logged on locally than when logged on over a network.
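The gap between what the tool displays and what a network logon actually receives, and the separate effect of share permissions noted earlier, can be reproduced with a small model. This is an added example, not Microsoft code: the rights bits, the user "alice", the "Sales" group and the DACL are constructed, and the ACE walk is a simplified stand-in for the real access check.

```python
# Simplified model of DACL evaluation, not the Windows implementation.
READ, WRITE, DELETE = 0x1, 0x2, 0x4   # constructed rights bits

def tool_token(user, groups, anonymous=False):
    """SIDs the Effective Permissions tool evaluates: user, groups, Everyone."""
    sids = {user, *groups}
    if not anonymous:   # Everyone is skipped for Anonymous Logon members
        sids.add("Everyone")
    return sids

def logon_token(user, groups, logon_sid):
    """SIDs present at real access time: the tool's set plus the logon-type SID."""
    return tool_token(user, groups) | {logon_sid}

def max_allowed(dacl, token):
    """Walk ACEs in order; an earlier deny blocks a later allow and vice versa."""
    granted = denied = 0
    for ace_type, sid, mask in dacl:
        if sid not in token:
            continue
        if ace_type == "allow":
            granted |= mask & ~denied
        else:
            denied |= mask & ~granted
    return granted

def through_share(ntfs_rights, share_rights):
    """Access over a share is limited to rights that both layers allow."""
    return ntfs_rights & share_rights

def names(rights):
    table = (("READ", READ), ("WRITE", WRITE), ("DELETE", DELETE))
    return [name for name, bit in table if rights & bit]

# Constructed DACL with the deny ACE first
DACL = [
    ("deny", "Network", WRITE | DELETE),
    ("allow", "Sales", READ | WRITE),
    ("allow", "Everyone", READ),
]

if __name__ == "__main__":
    shown = max_allowed(DACL, tool_token("alice", {"Sales"}))
    actual = max_allowed(DACL, logon_token("alice", {"Sales"}, "Network"))
    print("Effective Permissions tab:", names(shown))
    print("Network logon:", names(actual))
    print("Via read-only share:", names(through_share(shown, READ)))
```

When auditing access, treat the tab's result as an upper bound from group membership and check ACEs on logon-type SIDs and the share permissions separately.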
For information about granting access for effective permissions, see article 331951 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=63270).
For information about using the Effective Permissions tool, see View Effective Permissions on Files and Folders.