Guest Prahalad Deshpande Posted July 6, 2007 Posted July 6, 2007 I am currently investigating how Effective Permissions calculations work on Windows. I am considering all the server versions of Windows however I restrict my discussion to Windows 2003 Server here as it has a tool to calculate the Effective Permissions. My domain scenario is as follows: Number of domains : 1 running on Win2k SP4 AS I create a new user in the domain say UserX and a new global group say GroupY and make UserX a member of GroupY. To experiment with I first assigned Everyone group full control on a particular directory and Authenticated Users only write control on the directory. Now according to Microsoft Everyone group includes Authenticated Users too. So whenever effective permissions are being calculated for Autenticated Users; we should expect Auth Users to have full control. However this does not happen.Instead Aut Users is shown as just having a "Write" permission assigned to them. Howevever if I create domain user and specify an ACE for the domain user on the folder saying that this domain user has "Read Permissions" ; the Effective permissions tab for this user shows that he has full control which is correct as the user gets the cumilative permissions of the Everyone group and the Authenticated Users group. Why is there a discrepancy between the results shown for Auth Users and results shown for the domain user? The same situation exists for any domain group too. The effective permissions calculation does not seem to taking into account that the NT Authority\Users group on the system that I am currently carrying out my experiments also contains the <DOMAIN NAME>\Domain Users group which in turn contains the Global group G I have created. Summarizing it seems like the effective permissions tool works perfectly for users but it appears that it works differently for groups. Can someone please help me out of this dilemma Thanks and Regards Prahalad
Recommended Posts