Check 'effective permissions', 'effective access' from command-line, Windows/NTFS


My preferred method for doing this is to use a non-native PowerShell Module NTFSSecurity available in the PowerShell Gallery.

You can install the module from most modern Windows PowerShell windows by running

Install-Module -Name NTFSSecurity -RequiredVersion 4.2.3

In order to retrieve the Effective Access, you would run the following command:

Get-NTFSEffectiveAccess -Path \\path\to\UNC\file -Account <samaccountname>

It will work on local paths as well; the output takes the following format:

 Path: \\path\to\UNC\file (Inheritance disabled)

Account      Access Rights     Applies to      Type     IsInherited     InheritedFrom
-------      -------------     ----------      ----     -----------     -------------
DOMAIN\user  FullControl       ThisFolderOnly  Allow    False
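The two-step idea raised in the question (ACL entries combined with the user's group membership) can be approximated with built-in .NET classes. This is an added example, not code from the answer or the NTFSSecurity module; the function name `Get-ApproxEffectiveAccess` and the sample UPN are hypothetical, and it assumes a domain-joined machine.

```powershell
# Added example: approximate NTFS effective access using only built-in classes.
# Usage: Get-ApproxEffectiveAccess -Path '\\path\to\UNC\file' -UserPrincipalName 'user@example.test'
function Get-ApproxEffectiveAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # User principal name; 'user@example.test' above is a constructed placeholder
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # The UPN constructor builds a token for the user without a password, so
    # nested group membership is already expanded in .Groups. Local groups that
    # exist only on a remote file server are not part of this token.
    $identity = [System.Security.Principal.WindowsIdentity]::new($UserPrincipalName)
    try {
        $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object Value)
    } finally {
        $identity.Dispose()
    }

    # Ask for SIDs rather than names so matching needs no name translation.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Walk the ACEs in DACL order: an allow ACE grants bits not already denied,
    # a deny ACE denies bits not already granted. Order matters, which is why
    # an explicit allow can win over an inherited deny.
    $granted = 0
    $denied  = 0
    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to children, not to this object.
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($rule.PropagationFlags -band $inheritOnly) { continue }

        $mask = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Deny') {
            $denied = $denied -bor ($mask -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Account   = $UserPrincipalName
        Effective = [System.Security.AccessControl.FileSystemRights]$granted
        Denied    = [System.Security.AccessControl.FileSystemRights]$denied
    }
}
```

The result covers the NTFS DACL only: share permissions, owner rights, privileges and central access policies are not evaluated, so treat it as a first check rather than a replacement for the Effective Access tab.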


Author: gregg

Been in the IT industry 10yr doing general tech support, couple years as sysadmin. Mostly small/medium size businesses, but I have a stint in HP enterprise support. I like doing a bit of everything. I take pride in consuming technical documentation & translating it into user-friendly info; I think computers can do something for everyone! Thanks to everyone contributing to StackExchange: quick accurate answers without sass (mostly)!

Updated on September 18, 2022

Comments

  • gregg over 1 year

    How do I mimic Advanced Security Settings 'Effective Access' tab in command line (Win10 notably)? Prefer built-in tools; I'm about to evaluate if Sysinternals AccessChk can accomplish this.

    icacls only shows domain groups given permission to this folder, so how can I check an individual user? A logical answer might be to use net user gregg /domain to validate if the user-in-question is part of the domain group given permission to that folder. Would those two steps give all the info 'Effective Access' would give?

    Background info:

    • I'm a sysadmin with two domain accounts (one normal/limited, one domain admin). So when someone says they can't access a file I have to remote into server to get admin access to use 'effective access' which is kind of inconvenient. Can I somehow do that with RSAT tools?
    • Our network drive folders each have unique permissions that used domain user groups. Management staff sometimes move files from a secure location to a less-secure (everyone has access) folder, but the secure permissions follow it causing trouble for other staff. Permissions are handled differently when you copy vs move/cut (see kb310316 or this blog post), but good luck explaining that to an end user since I've just slowly grasped the concept

    • LeeM over 4 years
      If your users have Full Control over any NTFS directories, remove it. At most, they should be set to Modify. Assuming you set up your top-level directories so that permissions are inherited to all child files and folders, any such moves should not create this problem with odd permissions. By default, files will inherit permissions at the destination folder. If you're copying files via xcopy or robocopy, stop using xcopy /x /o or robocopy /sec, /dats or /copyall switches.
    • LeeM over 4 years
      Also, for having to use your admin account to connect to a separate system, this is actually best practice. Look up "golden ticket exploits" to give yourself a fright. However, connecting to multiple boxes can be painful - if you have enough systems to maintain, perhaps consider asking for a "jump server" that you can log into with your admin account to maintain other systems.
  • LeeM over 4 years
    I just want to endorse this module as being highly preferable to trying to roll your own, even with general NTFS permissions management in PowerShell.