Use "Effective Permissions" tab on Advanced to check them

From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 03/11/05


Date: Thu, 10 Mar 2005 17:25:20 -0600


> The behavior is as follows:
> When applying permissions to a file that removes inheritance of other
ACE's
> and adds permissions that allow full access for say "user1" and denys all
> access for "user2". Now it is not possible to move/copy/rename this file,
> however _deleting_ always works. Despite user2 not being of an
administrator
> group, not being the owner or having any rights to the file.
>
> I've seen this behavior on the latest sp for windows xp and back to
windows
> 2000, don't know about NT 4.0..

If it's XP and you have "Simple File Sharing" turned off (or are using Safe
Mode), you can view the effective permissions on a file after taking
inherited permissions and groups into account. Look for the "effective
permissions" tab on the Advanced Security windows, and have it check a user
or group to determine what their permissions are on the file or folder.

-- 
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
Prevent problems before they happen and help others avoid bad design.
<http://www.pan-am.ca/antiwindowscatalog/>


Relevant Pages

  • Re: ADAM And ACLs
    ... The ACLs for the OU which is the parent of the object below are: ... Effective Permissions on this object are: ... SPECIAL ACCESS ... for the naming context and is usually present by inheritance, ...
    (microsoft.public.windows.server.active_directory)
  • Re: NTFS inherited permissions bug on W2K
    ... NTFS inherited permissions bug on W2K ... >> Inheritance has always been present in NT. ... >actually copied to the inherited objects' ACLs). ...
    (NT-Bugtraq)
  • Re: Strange effect with inheritence flags on Windows XP and NT 4
    ... Look at the permissions from Windows XP and the folder doesn't appear to ... inheritance (an object's effective permissions change as the parent ...
    (microsoft.public.windows.server.security)
  • Re: AD User Objects & Permission Inheritance
    ... I went ahead and granted the Account Operators built in group rights on the adminSDholder object according to what I want the OU admins to have. ... I went ahead and enabled inheritance on the> adminSDholder object to verify that this indeed was the cause and 60> minutes ... > later all user objects began to inherit permissions again. ...
    (microsoft.public.win2000.active_directory)
  • Re: Permissions resetting in Blocked Inheritance OUs
    ... If the ACL that is on the AdminSDHolder object is ... Delegated permissions are not available and inheritance is automatically ... "You do not have sufficient permissions in the Domain" error message occurs ... This user account is in an OU that has Blocked ...
    (microsoft.public.windows.server.active_directory)