How can I trace NTFS and Share Permissions to see why I can (or can't) write a file

8

2

I'm trying to track down WHY I can write in a folder that, by my best estimation, I should not be able to write to. The folder is shared, with "Everyone" having "Full Control", and the files are more restrictive. My best guess is there's some sort of sub-group membership that's allowing me to write, but the nesting of groups that exists in our Active Directory is pretty extensive.

Is there a tool that will tell me which of the ACL entries allowed or disallowed my writing a file in a folder?

The Effective Permissions dialog is marginally helpful, but what I need is something like an "NTFS ACL Trace Tool", if such a thing exists.

hometoast

Posted 2012-03-12T11:49:01.827

Reputation: 433

Once you give a large group (like Everyone) permissive settings, smaller groups can only restrict that by using DENY permissions. You could be a member of a group that has few permissions, but unless you specifically DENIED a privilege, your de facto membership in the EVERYONE group will allow you to have access. – Joel Coehoorn – 2012-10-24T16:41:33.743

I don't quite remember what led me to ask this in the first place. But if I'm right, I think it was something silly like "OurDomain\All Users" being added to the local "Users" group. Something that, for some reason, group policy wouldn't let me (a lowly developer) alter. – hometoast – 2012-10-24T16:55:16.437

Answers

5

Try AccessChk from sysinternals:

As a part of ensuring that they've created a secure environment, Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

Pretty sure it will work.

Jody

Posted 2012-03-12T11:49:01.827

Reputation: 372

This seems to be a (very good) command line version of the Effective Permissions dialog within Explorer. This doesn't tell me "why" nor "what set of ACLs matched to allow me access". – hometoast – 2012-03-12T12:42:48.333

Ah, true. I'm not sure what you're looking for exists outside of MS documentation. My best advice would be to try to recreate the environment of the file outside the current structure, then add the permissions one by one, starting with the most restrictive, until the file becomes writable. Don't forget sharing and security permissions are different. Good luck. – Jody – 2012-03-12T14:01:23.223

4

You should try using AccessEnum.


This will provide you with the different security principals that have read, write and deny entries in the ACL for both files and folders. It's a free tool too.

After you run the report, open it up and look at the unique entries for the files and folders in question, and see the effective permissions from there. It's fairly manual to do the lookup, but by putting in the footwork you can get very specific info.

Winson

Posted 2012-03-12T11:49:01.827

Reputation: 51

1

It sounds like you expect Windows to narrow those broad permissions by only checking the most-narrow group. It doesn't work like that. NTFS permissions are determined like this:

  1. Start with no access at all by default.
  2. Build up all allow permissions from all groups into one large set of things you can do.
  3. Take away all deny permissions from all groups (thus, a DENY anywhere will trump everything else).

So if you give the Everyone group full control, and only have allow permissions on your other groups, your de facto membership in the Everyone group will give you full access.

Joel Coehoorn

Posted 2012-03-12T11:49:01.827

Reputation: 26 787
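The three steps in the answer above can be turned into the "trace" the question asks for. The script below is an added example, not something from this thread or from Sysinternals: it lists every ACE on a path whose principal is in the current user's token (nested AD groups and Everyone are already flattened into the token) and then applies the ACEs in DACL order to decide one requested right. The script name `Trace-NtfsAce.ps1` is hypothetical; owner-implied rights, backup/restore privileges and share-level permissions are not modelled.

```powershell
# Trace-NtfsAce.ps1 (hypothetical name; added example, not from the original thread).
# Lists the ACEs on $Path that match the current token and decides $Right by walking
# the DACL in order: an Allow grants bits, a Deny on a still-needed bit fails the request.
# Not modelled: owner-implied rights, SeBackup/SeRestore privileges, share permissions.
param(
    [Parameter(Mandatory)][string]$Path,
    [System.Security.AccessControl.FileSystemRights]$Right = 'Write'
)

# Every SID in the current token: the user plus all group memberships (already
# flattened, so nested AD groups and well-known groups such as Everyone appear here).
$token     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

$needed  = [int]$Right   # bits the caller asked for
$granted = 0             # bits granted so far by matching Allow ACEs
$denyHit = $null         # first Deny ACE that blocked a still-needed bit

foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    } catch { continue }   # unresolvable principal cannot be in our token
    if ($tokenSids -notcontains $sid.Value) { continue }

    # Report the matching ACE so the reader sees exactly which entries applied.
    $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
    '{0,-5} {1,-9} {2,-35} {3}' -f $ace.AccessControlType, $source,
        $ace.IdentityReference.Value, $ace.FileSystemRights

    $bits = [int]$ace.FileSystemRights
    if ($ace.AccessControlType -eq 'Allow') {
        $granted = $granted -bor ($bits -band $needed)
    } elseif (-not $denyHit -and (($bits -band $needed -band -bnot $granted) -ne 0)) {
        $denyHit = $ace   # Deny on a bit no earlier Allow already granted: request fails
    }
}

if ($denyHit) {
    "{0} on {1}: DENIED by Deny ACE for {2}" -f $Right, $Path, $denyHit.IdentityReference.Value
} elseif (($granted -band $needed) -eq $needed) {
    "{0} on {1}: ALLOWED" -f $Right, $Path
} else {
    "{0} on {1}: NOT GRANTED (no matching Allow ACE covers every requested bit)" -f $Right, $Path
}
```

Run it as the user whose access is puzzling, e.g. `.\Trace-NtfsAce.ps1 -Path '\\server\share\folder' -Right Write`; on a UNC path Get-Acl reads the NTFS DACL on the server, so the share permissions the other answers mention still need to be checked separately.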

0

If you are setting ACLs on an SMB share, then you have to set permissions both at the filesystem and in the share menu. It's probably set to Everyone only in the share permissions.

week

Posted 2012-03-12T11:49:01.827

Reputation: 3 128