Getting Results, Part 2: Determining Effective NTFS Permissions in Windows Server 2003
The first part of this two-part series on new features in Windows Server 2003 looked at the new Resultant Set of Policy (RSoP) tool, which allows a system administrator to generate data about the exact group policy settings that apply to an individual user or computer based on configured GPOs. Thankfully, the RSoP snap-in isn't the only new feature in Windows Server 2003 that makes an administrator's life significantly easier. With the release of Windows Server 2003 on the horizon, enterprises and systems administrators are examining what this new operating system has to offer. In the second of this two-part series, Dan DiNicolo examines a new interface feature that enables the administrator to calculate the permissions that apply to a user or group based on group membership and the different permissions applied.
With Windows Server 2003 Microsoft has also introduced a feature that enables the effective NTFS permissions that apply to a user or group to be gathered in a quick and effective manner.
The ability to determine the effective NTFS permissions that apply to users or groups has always been a source of contention among network administrators. While operating systems like Novell NetWare have included such functionality for some time, it has always been difficult to determine which permissions are associated with a particular user for a specific resource in both NT 4 and Windows 2000. For example, a user may be a member of multiple groups, each of which has different NTFS permissions on a given file or folder. While this is not a huge issue in environments with a limited number of users or groups, it can be an unwieldy process if hundreds of different groups exist, each with different levels of nesting and different permissions allowed or denied.
To help to solve this problem, Microsoft added a new interface feature within the Advanced properties of the Security tab for NTFS resources. This new tab, known as Effective Permissions, allows the network administrator to calculate the permissions that apply to a user or group based on his or her group membership and the different permissions applied.
For example, a user named Dan is directly granted the Allow Read and Execute permission for a folder called Marketing. However, the Dan user account is also a member of the group Marketing Users, which is granted the Allow Full Control permission, and of the group Everyone, which is granted the Allow Read permission, as illustrated below.
Note: The screen shots in this article are all based on a pre-release version of Windows Server 2003. Although some of the screen-shot details may change in the final release, the functionality of the Effective Permissions feature should be largely the same.
Based on the cumulative nature of NTFS permissions, the user Dan would be granted the effective permission Allow Full Control. This example is fairly basic, and production environments typically involve a much greater number of groups, with both allowed and denied permissions. In these cases, the Effective Permissions tab can greatly ease the burden of attempting to determine which permissions will or will not apply for a particular user.
To use the Effective Permissions tab, access the properties of a file or folder residing on an NTFS volume, click the Security tab, and then click the Advanced button. This opens the advanced security properties of the resource, as shown below.
Clicking on the Effective Permissions tab displays its settings, as shown below. This interface allows you to add a user or group for which you want effective NTFS permission information displayed. For example, we'll again choose the Dan user account by clicking the Select button and then entering Dan in the Select User, Group, or Computer window, also shown below.
After selecting Dan as the user for which effective permissions should be generated, the results are displayed in the lower portion of the screen, as shown below. Notice that all permissions apply to the Dan user account. This is because he is a member of the Marketing Users group, for which the Allow Full Control permission has been granted.
Taking things a step further, suppose we want to explore the effective permissions associated with the Everyone group. Instead of a username, the group name is supplied in this case. Recall that the Everyone group has been granted the Allow Read permission only. Notice that the permission list is significantly more restricted and lists only the special permissions that make up the standard Read permission, as shown below.
This same process can be used for any user or group for which you require effective permissions information.
Unfortunately, the Effective Permissions feature is not without inherent faults. First and foremost, the tool does nothing to assess the impact of any shared folder permissions that may apply, so the results it provides may not reflect what a user can actually do when the resource is accessed through a share. Second, the tool determines effective permissions based only on user or group membership, and not on the method of logon. Although most users log on to a system interactively, the permissions that govern resource access may also be affected by permissions applied to system groups such as Network. Thus, a user whose membership-based effective permissions amount to Full Control on the local system may be further restricted by permissions applied to the Network group when connecting over the network.
In fact, none of the following system groups are used as part of determining the effective permissions of a user or group:
- Anonymous Logon
- Batch
- Creator Group
- Enterprise Domain Controllers
- Terminal Server User
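The following is an added model of the calculation the article walks through, not code from the article or from Windows. It reproduces the Dan / Marketing Users / Everyone example from above, shows how a Deny entry subtracts rights, and illustrates the first caveat by intersecting the NTFS result with share permissions, which the Effective Permissions tab does not do. The permission names, the ACL, and the `effective_ntfs` / `effective_over_share` helpers are constructed for illustration; explicit Deny entries are modeled as simply overriding Allow, and inherited-ACE ordering is not modeled.

```python
from dataclasses import dataclass

# Special permissions that make up the standard NTFS permissions used in the
# article's example (a subset of the full list, for illustration).
READ = frozenset({"List Folder/Read Data", "Read Attributes",
                  "Read Extended Attributes", "Read Permissions"})
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
MODIFY = READ_EXECUTE | {"Create Files/Write Data", "Create Folders/Append Data",
                         "Write Attributes", "Write Extended Attributes", "Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files", "Change Permissions",
                         "Take Ownership"}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who it names, Allow or Deny, and the rights."""
    trustee: str
    kind: str            # "Allow" or "Deny"
    rights: frozenset


def effective_ntfs(acl, principal, groups):
    """Cumulative NTFS result for a principal and the groups it belongs to.

    Allow entries accumulate across every matching trustee; any Deny entry
    removes the denied rights. Like the Effective Permissions tab, only the
    supplied membership is considered, so logon-type groups such as Network
    have no effect unless the caller lists them explicitly.
    """
    trustees = {principal} | set(groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in trustees:
            continue
        (allowed if ace.kind == "Allow" else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective_over_share(ntfs_rights, share_rights):
    """Access through a shared folder is limited to what BOTH the NTFS ACL and
    the share permissions grant; the tab reports only the NTFS half."""
    return frozenset(ntfs_rights & share_rights)


# Constructed ACL mirroring the Marketing folder example in the article.
MARKETING_ACL = [
    Ace("Dan", "Allow", READ_EXECUTE),
    Ace("Marketing Users", "Allow", FULL_CONTROL),
    Ace("Everyone", "Allow", READ),
]
DAN_GROUPS = ["Marketing Users", "Everyone"]
```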
Because of this, the Windows Server 2003 documentation states that the Effective Permissions feature provides only an approximation of the real effective permissions that apply to a user. While this is certainly not perfect, the model Microsoft has used to implement security (and the manner in which this data is stored) makes it difficult to get an exact reading on things like effective permissions. However, for almost all system administrators, the inclusion of such a tool in Windows Server 2003 will help to save some of the time, energy, and frustration previously spent trying to calculate the impact of different NTFS permissions, especially in large environments.