
How do I mimic the Advanced Security Settings 'Effective Access' tab from the command line (Win10 notably)? I'd prefer built-in tools; I'm about to evaluate whether Sysinternals AccessChk can accomplish this.

icacls only shows the domain groups given permission to this folder, so how can I check an individual user? A logical answer might be to use net user gregg /domain to validate whether the user in question is part of the domain group given permission to that folder. Would those two steps give all the info 'Effective Access' would give?

Background info:

  • I'm a sysadmin with two domain accounts (one normal/limited, one domain admin). So when someone says they can't access a file, I have to remote into the server to get admin access to use 'Effective Access', which is kind of inconvenient. Can I somehow do that with RSAT tools?
  • Our network drive folders each have unique permissions that use domain user groups. Management staff sometimes move files from a secure location to a less-secure (everyone has access) folder, but the secure permissions follow the file, causing trouble for other staff. Permissions are handled differently when you copy vs. move/cut (see kb310316 or this blog post), but good luck explaining that to an end user, since I've only slowly grasped the concept myself.

  • If your users have Full Control over any NTFS directories, remove it. At most, they should be set to Modify. Assuming you set up your top-level directories so that permissions are inherited by all child files and folders, any such moves should not create this problem with odd permissions. By default, files will inherit permissions at the destination folder. If you're copying files via xcopy or robocopy, stop using the xcopy /x /o or robocopy /sec, /dats or /copyall switches.
    – LeeM
    Commented Feb 13, 2020 at 5:55
  • Also, as for having to use your admin account to connect to a separate system, this is actually best practice. Look up "golden ticket exploits" to give yourself a fright. However, connecting to multiple boxes can be painful; if you have enough systems to maintain, perhaps consider asking for a "jump server" that you can log into with your admin account to maintain other systems.
    – LeeM
    Commented Feb 13, 2020 at 5:57
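The question asks for a built-in way to get what the 'Effective Access' tab shows. The following is an added example, not code from the question, the answer or any project it names: it approximates that tab with only what ships on a domain-joined Windows 10 box, using Get-Acl for the DACL and the .NET System.DirectoryServices.AccountManagement API (no RSAT, no extra module) for the user's flattened group list. The function name, parameter names and the share path in the usage line are assumptions made for this example. It ignores ownership, privileges such as SeBackupPrivilege, and share permissions, so it is an approximation of NTFS effective rights, not a replacement for the tab.

```powershell
# Added example (not code from the question or answer): approximate the 'Effective
# Access' tab with built-in tooling only. Function and parameter names are assumptions.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-ApproxEffectiveAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = $env:USERDOMAIN    # assumption: the account lives in the current domain
    )

    # 1. Resolve the user and every security group they belong to, nested groups included.
    #    GetAuthorizationGroups() is built from the same tokenGroups data a logon token is
    #    built from, so implicit memberships such as Domain Users are present too.
    $ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $Domain)
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
                $ctx, 'SamAccountName', $SamAccountName)
    if (-not $user) { throw "Account $Domain\$SamAccountName not found" }

    $sids  = @($user.Sid.Value)
    $sids += $user.GetAuthorizationGroups() | ForEach-Object { $_.Sid.Value }
    $sids += 'S-1-1-0'    # Everyone
    $sids += 'S-1-5-11'   # Authenticated Users (both are in every domain logon token)

    # 2. Keep only the ACEs that name one of those SIDs, in their stored order.
    $acl  = Get-Acl -LiteralPath $Path
    $aces = foreach ($ace in $acl.Access) {
        try   { $aceSid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned/unmappable SID cannot match this user
        if ($sids -contains $aceSid) { $ace }
    }

    # 3. Evaluate each right bit the way the access check does: walk the ACEs in order
    #    (explicit Deny, explicit Allow, inherited Deny, inherited Allow for a canonical
    #    ACL) and let the first ACE that mentions the bit decide. This is why an explicit
    #    Allow on the item overrides a Deny inherited from the parent.
    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $granted = 0
    foreach ($shift in 0..20) {
        $bit = 1 -shl $shift
        if (($fullControl -band $bit) -eq 0) { continue }      # not an NTFS right bit
        foreach ($ace in $aces) {
            if (([int]$ace.FileSystemRights -band $bit) -eq 0) { continue }
            if ($ace.AccessControlType -eq 'Allow') { $granted = $granted -bor $bit }
            break
        }
    }

    [pscustomobject]@{
        Path            = $Path
        Account         = "$Domain\$SamAccountName"
        EffectiveRights = [System.Security.AccessControl.FileSystemRights]$granted
        MatchingAces    = $aces | Select-Object IdentityReference, AccessControlType,
                                                FileSystemRights, IsInherited
    }
}

# Usage (from an account that may read the folder's security descriptor; path is an assumption):
# Get-ApproxEffectiveAccess -Path '\\fileserver\Shared\Finance' -SamAccountName 'gregg'
```

MatchingAces is the part worth reading when a user reports "access denied": it lists exactly which group the Deny or the missing Allow came in through, which is the detail icacls plus net user leaves you to work out by hand.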

1 Answer

My preferred method for doing this is to use the non-native PowerShell module NTFSSecurity, available in the PowerShell Gallery.

You can install the module from most modern Windows PowerShell windows by running

Install-Module -Name NTFSSecurity -RequiredVersion 4.2.3

In order to retrieve the Effective Access, you would run the following command:

Get-NTFSEffectiveAccess -Path \\path\to\UNC\file -Account <samaccountname>

It will work on local paths as well; the output takes the following format:

 Path: \\path\to\UNC\file (Inheritance disabled)

Account      Access Rights     Applies to      Type     IsInherited     InheritedFrom
-------      -------------     ----------      ----     -----------     -------------
DOMAIN\user  FullControl       ThisFolderOnly  Allow    False
  • I just want to endorse this module as being highly preferable to trying to roll your own, even for general NTFS permissions management in PowerShell.
    – LeeM
    Commented Feb 13, 2020 at 5:47
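The question's second background bullet describes files that keep their old, tighter permissions after being moved into an open folder. The following is an added example, not code from the question, the answer or the NTFSSecurity project: it walks a shared folder with built-in cmdlets and reports items whose ACL carries entries the destination parent does not pass down, which is the footprint such a move leaves, and can optionally reset them with the built-in icacls /reset so they inherit again. The function name, parameter names and the share path in the usage line are assumptions made for this example. Explicit entries that were set on purpose (including ones stamped from a CREATOR OWNER rule on the parent) are reported as well, so review the listing before using -Reset.

```powershell
# Added example (not code from the question or answer): find items whose ACL does not
# match what the destination parent hands down. Function and parameter names are assumptions.
function Find-StrayAcl {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$Reset     # when set, run icacls /reset on each offending item
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
        $item   = $_
        $parent = Split-Path -LiteralPath $item.FullName -Parent

        # Identities the parent can hand down: the identities on its inheritable ACEs.
        $expected = (Get-Acl -LiteralPath $parent).Access |
            Where-Object { $_.InheritanceFlags -ne 'None' } |
            ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        # Anything on the item that names another identity did not come from this parent:
        # either an explicit ACE or an ACE still flagged inherited from the old location.
        $itemAcl = Get-Acl -LiteralPath $item.FullName
        $stray   = @($itemAcl.Access |
            Where-Object { $expected -notcontains $_.IdentityReference.Value })
        if ($stray.Count -eq 0) { return }   # nothing unexpected on this item

        [pscustomobject]@{
            Path       = $item.FullName
            Inheriting = -not $itemAcl.AreAccessRulesProtected
            StrayAces  = ($stray | ForEach-Object {
                "$($_.AccessControlType) $($_.IdentityReference.Value): $($_.FileSystemRights)"
            }) -join '; '
        }

        if ($Reset) {
            # /reset replaces the item's ACL with the default inherited ACL from its parent.
            # /T is deliberately not used so every item is handled and reported individually.
            & icacls.exe $item.FullName /reset | Out-Null
        }
    }
}

# Usage (path is an assumption):
# Find-StrayAcl -Root '\\fileserver\Shared\Public' | Format-Table -AutoSize
```

Running it read-only from the limited account is enough to answer "why can't my colleague open this file?" without a jump to the server; the -Reset pass is the part that needs write access to the security descriptors, so that is the step to run from the admin account.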
