User With Modify Permission Able to Add Users to ACL?

[Guest Will]

Is there a utility that will show which ACLs (chaining up from the current

folder location) is the one that is responsible for each effective

permission a user has on a file or folder?

 

I have always understood that Modify permission in an ACL only gives the

user the ability to change data, and not the ACL itself. Changing the ACL

itself requires Full Control permission. I have a user with Modify

access to a folder who is somehow able to add new users into the ACL.

When you look at Effective permissions he does have the "Change Permission"

permission. The thing we cannot figure out is where is this being

inherited from.

 

--

Will

[Guest Haoqiang]

RE: User With Modify Permission Able to Add Users to ACL?

 

You can download a tool named perms.exe from microsoft website.

 

 

"Will" wrote:

> Is there a utility that will show which ACLs (chaining up from the current

> folder location) is the one that is responsible for each effective

> permission a user has on a file or folder?

>

> I have always understood that Modify permission in an ACL only gives the

> user the ability to change data, and not the ACL itself. Changing the ACL

> itself requires Full Control permission. I have a user with Modify

> access to a folder who is somehow able to add new users into the ACL.

> When you look at Effective permissions he does have the "Change Permission"

> permission. The thing we cannot figure out is where is this being

> inherited from.

>

> --

> Will

>

>

>

[Guest Will]

Re: User With Modify Permission Able to Add Users to ACL?

 

That's not what I am looking for. Perms appears to just dump permissions

of files in the specified folder.

 

I'm looking for something more in the spirit of the wonderful group policy

tool "resultant set of policies" (RSOP) that shows you for any given policy

which group policy made the setting. In terms of ACL security settings,

the tool I am looking for would traverse the inheritance path of folders and

file and determine which of the current - or inherited - ACL settings

accounts for a given effective permission.

 

--

Will

 

 

"Haoqiang" <Haoqiang@discussions.microsoft.com> wrote in message

news:69350EBA-2E63-4225-B133-6152A5A3FE21@microsoft.com...

> You can download a tool named perms.exe from microsoft website.

>

>

> "Will" wrote:

>

>> Is there a utility that will show which ACLs (chaining up from the

>> current

>> folder location) is the one that is responsible for each effective

>> permission a user has on a file or folder?

>>

>> I have always understood that Modify permission in an ACL only gives the

>> user the ability to change data, and not the ACL itself. Changing the

>> ACL

>> itself requires Full Control permission. I have a user with Modify

>> access to a folder who is somehow able to add new users into the ACL.

>> When you look at Effective permissions he does have the "Change

>> Permission"

>> permission. The thing we cannot figure out is where is this being

>> inherited from.

>>

>> --

>> Will

>>

>>

>>

[Guest Special Access]

Re: User With Modify Permission Able to Add Users to ACL?

 

On Mon, 28 Jul 2008 22:48:09 -0700, "Will" <westes-usc@noemail.nospam>

wrote:

>That's not what I am looking for. Perms appears to just dump permissions

>of files in the specified folder.

>

>I'm looking for something more in the spirit of the wonderful group policy

>tool "resultant set of policies" (RSOP) that shows you for any given policy

>which group policy made the setting. In terms of ACL security settings,

>the tool I am looking for would traverse the inheritance path of folders and

>file and determine which of the current - or inherited - ACL settings

>accounts for a given effective permission.

 

Have you looked at Dumpsec? It is supposed to dump permssions as well

for file and folders, along with other functions.

 

http://www.somarsoft.com/

 

Mike