Effective Permissions tool

If you would like to find out what permissions a user or group has on an object, you can use the Effective Permissions tool. It calculates the permissions that are granted to the specified user or group. The calculation takes the permissions in effect from group membership into account, as well as any permissions inherited from the parent object. It looks up all domain and local groups in which the user or group is a member.

The Everyone group will always be included, as long as the selected user or group is not a member of the Anonymous Logon group. In the Windows Server 2003 family, the Everyone group no longer includes Anonymous Logon.

Important

• The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different, since permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool, since the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.
  
  For example, if a user is connected to this computer via a file share, then the logon for that user is marked as a network logon. Permissions can be granted or denied to the well-known security ID (SID) Network which the connected user receives, so a user has different permissions when logged on locally than when logged on over a network. For information about shared folders and share permissions, see Shared Folders and Share permissions.

  For information about granting access for effective permissions, see article Q331951 in the Microsoft Knowledge Base.(http://support.microsoft.com/)

Factors that are used to determine effective permissions

• Global group membership
• Local group membership
• Local permissions
• Local privileges

Factors that are not used to determine effective permissions

The following well-known SIDs that are available in the Windows Server 2003 family are not used to determine effective permissions:

• Anonymous Logon
• Batch, Creator Group
• Dialup
• Enterprise Domain Controllers
• Interactive
• Network
• Proxy
• Restricted
• Remote
• Service
• System
• Terminal Server User
• Other Organization
• This Organization

Also, share permissions are not part of the effective permissions calculation. Access to shares can be denied through share permissions even when access is allowed through NTFS permissions.

Factors that are not used for objects that are accessed remotely

• Local group membership
• Local privileges
• Share permissions

Retrieving effective permissions

Accurate retrieval of the above information requires permission to read the membership information. If the specified user or group is a domain object, you must have permission to read the object's group information on the domain. Here are some relevant default domain permissions:

• Domain administrators have permission to read membership information on all objects.
• Local administrators on a workstation or stand-alone server cannot read membership information for a domain user.
• Authenticated domain users can only read membership information when the domain is in Pre-Windows 2000 compatibility mode.

For more information, see To view effective permissions on files and folders and Security identifiers.