How Effective Permissions Are Determined

Applies To: Windows 7, Windows Server 2008 R2

Each object has a set of effective permissions associated with it. The Effective Permissions tab of the Advanced Security Settings property page lists the permissions that would be granted to the selected group or user based solely on the permissions granted directly through group membership. If you want to find out what permissions a user or group has on an object, you can use the Effective Permissions tool.

Factors that are used to determine effective permissions

The following are used to determine effective permissions:

  • Global group membership

  • Local group membership

  • Local permissions

  • Local privileges

  • Universal group membership

Factors that are not used to determine effective permissions

The following well-known security identifiers (SIDs) are not used to determine effective permissions:

  • Anonymous Logon

  • Batch

  • Creator Group

  • Dialup

  • Enterprise Domain Controllers

  • Interactive

  • Network

  • Proxy

  • Restricted

  • Remote

  • Service

  • System

  • Terminal Server User

  • Other Organization

  • This Organization

Also, share permissions are not part of the effective permissions calculation. Access to shares can be denied through share permissions even when access is allowed through NTFS permissions.

Factors that are not used for objects that are accessed remotely

The following are not used to determine effective permissions for objects that are accessed remotely:

  • Local group membership

  • Local privileges

  • Share permissions

Effective permissions are based on a local evaluation of the user's group membership, user privileges, and permissions. If the resource being queried is on a remote computer, the effective permissions displayed will not include permissions granted or denied to the user through the use of a local group on the remote computer.

Retrieving effective permissions

Accurate retrieval of the above information requires permission to read the membership information. If the specified user or group is a domain object, you must have permission to read the object's group information in the domain.

Important

When you use the Effective Permissions tab to determine the permissions that a user has for certain resources in a domain, the results that are displayed in the user interface may be inconsistent with the actual permissions of the user for that resource. This problem occurs when one of the following conditions is true:

  • You run the administrative tools remotely from the resource server.

  • The user account that you use to run the administrative tools is not in the same domain as the resource.

To avoid this problem, always check effective permissions locally on a computer that hosts the resource, and make sure that the administrative user account used to run the tool is in the same domain as the resource.

Here are some relevant default domain permissions:

  • Domain administrators have permission to read membership information about all objects.

  • Local administrators on a workstation or stand-alone server cannot read membership information for a domain user.

Effective Permissions tool

If you want to find out what permissions a user or group has on an object, you can use the Effective Permissions tool. It calculates the permissions that are granted to the specified user or group. The calculation includes the permissions in effect from group membership and any permissions inherited from the parent object. It looks up all domain and local groups in which the user or group is a member.

The Everyone group will always be included, as long as the selected user or group is not a member of the Anonymous Logon group.

Important

The Effective Permissions tool only produces an approximation of the permissions that a user has. The actual permissions the user has may be different because permissions can be granted or denied based on how a user logs on. This logon-specific information cannot be determined by the Effective Permissions tool if the user is not logged on; therefore, the effective permissions it displays reflect only those permissions specified by the user or group and not the permissions specified by the logon.

For example, if a user is connected to this computer through a shared folder, then the logon for that user is marked as a network logon. Permissions can be granted or denied to the Network well-known SID, which the connected user receives, so a user has different permissions when logged on locally than when logged on over a network.

For information about granting access for effective permissions, see article 331951 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=63270).
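The calculation described above, as an added PowerShell example that is not part of the original article or the tool itself: it builds the account's SID set from a token, drops the logon-specific well-known SIDs the article lists, walks only the NTFS access control entries (share permissions are deliberately not read), and removes any denied right from the allowed set. It assumes a domain-joined computer that can reach a domain controller and is run locally on the computer that hosts the resource, as the article recommends; the path and the UPN `alice@contoso.com` are placeholders.

```powershell
# Added example, not from the original article: approximate the Effective Permissions
# calculation for one account on a local file or folder, following the article's rules.
param(
    [Parameter(Mandatory)][string]$Path,    # local path, e.g. C:\Data\Report.docx (placeholder)
    [Parameter(Mandatory)][string]$Account  # UPN, e.g. alice@contoso.com (placeholder)
)

# Logon-specific well-known SIDs that the tool does not use (the list in the article).
$ignoredSids = @(
    'S-1-5-7',    # Anonymous Logon
    'S-1-5-3',    # Batch
    'S-1-3-1',    # Creator Group
    'S-1-5-1',    # Dialup
    'S-1-5-9',    # Enterprise Domain Controllers
    'S-1-5-4',    # Interactive
    'S-1-5-2',    # Network
    'S-1-5-8',    # Proxy
    'S-1-5-12',   # Restricted
    'S-1-5-14',   # Remote Interactive Logon
    'S-1-5-6',    # Service
    'S-1-5-18',   # System
    'S-1-5-13',   # Terminal Server User
    'S-1-5-1000', # Other Organization
    'S-1-5-15'    # This Organization
)

# Resolve the account's user SID and group SIDs from a token built for it (S4U logon;
# needs a reachable domain controller). Local groups of this computer are included,
# which is why the article says to run the check on the computer hosting the resource.
$identity = New-Object System.Security.Principal.WindowsIdentity($Account)
$sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value }) |
    Where-Object { $ignoredSids -notcontains $_ }

# Walk the NTFS DACL only; share permissions are not part of the calculation.
$acl = Get-Acl -Path $Path
$allowed = 0
$denied  = 0
foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    if ($sids -notcontains $ace.IdentityReference.Value) { continue }
    if ($ace.AccessControlType -eq 'Deny') { $denied = $denied -bor [int]$ace.FileSystemRights }
    else { $allowed = $allowed -bor [int]$ace.FileSystemRights }
}

# A right denied to any of the account's SIDs is removed from the allowed set.
$effective = [System.Security.AccessControl.FileSystemRights]($allowed -band (-bnot $denied))
[PSCustomObject]@{ Account = $Account; Path = $Path; EffectiveRights = $effective }
```

Because the Network and Interactive SIDs are filtered out, the result is the same approximation the tab shows and can differ from what the user actually gets over a share or at the console.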

For information about using the Effective Permissions tool, see View Effective Permissions on Files and Folders.

Additional references