Testing the Effect of Permissions
Because file and folder permissions can come from a variety of settings, it's sometimes difficult to figure out exactly what each user can and can't do with a given file or folder. As a general rule, you can figure out effective permissions by combining all the NTFS permissions assigned to an individual user account and to all of the groups to which that user belongs. Thus, if a user has Read & Execute permission for a folder set through her user account and is also a member of a group that has been assigned Write permissions for that folder, she has both Read and Write permissions for the folder.
On a scale of complexity, calculating effective permissions is more difficult than programming a VCR and only slightly less taxing than quantum physics. Fortunately, Windows XP Professional includes a new tool that does the calculations for you. To see what the effect of all NTFS permissions will be on a given user or group, follow these steps:
- Right-click the file or folder in question, and then choose Properties.
- On the Security tab, click Advanced and then click the Effective Permissions tab.
- Click Select to open the Select User Or Group dialog box.
- Enter the name of the user or group for which you want to check effective permissions, and then click OK.
Note Anyone who's ever struggled to figure out Windows 2000 permissions will really appreciate the Effective Permissions dialog box in Windows XP. It's a wonderful addition, and if you're going to use NTFS permissions you should learn its ins and outs. Unfortunately, it also includes one potentially confusing interface element. The Group Or User Name box looks like a place to enter text directly, but it doesn't work that way in practice. You have to display the Select User Or Group dialog box to enter a name.
The resulting dialog box shows the effective permissions that apply to the user or group you selected. These permissions are presented using the complete list of available permissions from the Advanced Security Settings dialog box, which are far more detailed than those shown on the Security tab. This level of detail can be difficult to decipher, but it's crucial in identifying subtle changes that can compromise security.
The effective permissions calculation looks up all local and domain groups to which a user or group belongs and takes those permissions into account in its summary. A check mark identifies permissions that have been assigned. The resulting display is a snapshot of permissions based on other settings. You can't change any permissions from this dialog box.
Note The effective permissions calculation does not include the Anonymous Logon or Authenticated Users group, nor does it include settings granted because a user is the Creator Owner of an object. In addition, the calculation does not consider whether you're logging on interactively or over a network. If you've customized any of these permissions, you'll need to account for the differences.
In this tutorial:
- Securing Files and Folders
- How Setup Decisions Dictate Your Security Options
- Simple File Sharing vs. Advanced Permissions
- How Simple File Sharing Works
- Default Locations for Shared Files
- Keeping Your Own Files Private
- Controlling Access with NTFS Permissions
- Applying Advanced Security Settings
- Entering Group and User Names
- Working with Built-in Users and Groups
- Applying Permissions to Subfolders Through Inheritance
- Testing the Effect of Permissions
- Using Special Permissions
- Setting Permissions from a Command Prompt
- Taking Ownership of Files and Folders
- Troubleshooting Permissions Problems