6. Determining the Effective Permissions and Troubleshooting
NTFS permissions
are complex and can be difficult to manage. Sometimes a change—even a
very minor one—can have unintended consequences. Users might suddenly
find that they are denied access to files they could previously access
or that they have access to files to which access should never have
been granted. In either scenario, something has gone wrong with
permissions. You have a problem, and you need to fix it.
You should start troubleshooting these or other problems with
permissions by determining the effective permissions for the files or
folders in question. As the name implies, the effective permissions
tell you exactly which permissions are in effect with regard to a
particular user or group. The effective permissions are important because they enable you to quickly determine the cumulative set of permissions that apply.
For a user, the effective permissions
are based on all the permissions the user has been granted or denied,
no matter whether the permissions are applied explicitly or obtained
from groups of which the user is a member. For example, if JimB is a
member of the Users, Sales, Marketing, SpecTeam, and Managers groups,
the effective permissions on a file or a folder is the cumulative set
of permissions that JimB has been explicitly assigned and the
permissions assigned to the Users, Sales, Marketing, SpecTeam, and
Managers groups. If JimB is a member of a group that is specifically
denied a permission, JimB will be denied that permission as well, even
if another group is allowed that permission. This occurs because deny
entries have precedence over allow entries.
The same is true for user and device claims. If you’ve configured a
claims-based policy and added a user claim, that user claim can prevent
access. Similarly, if there’s a device claim, that device claim can
prevent access.
To determine the effective permissions for a user or a group with regard to a file or folder, complete the following steps:
-
In File Explorer, press and hold or right-click the file or folder
you want to work with, and then tap or click Properties. In the
Properties dialog box, tap or click the Security tab, and then tap or
click Advanced.
-
In the Advanced Security Settings dialog box, tap or click the
Effective Access tab. Use the options provided to determine the
effective permissions for users, groups, and devices. Keep the
following in mind:
-
If you only want to determine access for a particular user or user
group, tap or click Select A User, type the name of the user or group,
and then tap or click OK.
-
If you only want to determine access for a particular device or
device group, tap or click Select A Device, type the name of the device
or the device group, and then tap or click OK.
-
If you want to determine access for a particular user or user group
on a particular device or in a device group, specify both a user/user
group and a device/device group.
-
Tap or click View Effective Access. The effective permissions for
the specified user or group are displayed using the complete set of
special permissions. If a user has full control over the selected
resource, he or she will have all the permissions, as shown in Figure 8.
Otherwise, a subset of the permissions is selected, and you have to
carefully consider whether the user or group has the appropriate
permissions. Use Table 3,to help you interpret the permissions.
Note
You must have appropriate permissions to view the effective permissions
of any user or group. It is also important to remember that you cannot
determine the effective permissions for implicit groups or special
identities, such as Authenticated Users or Everyone. Furthermore, the
effective permissions do not take into account those permissions
granted to a user because he or she is the Creator Owner.
