Re: Effective Permissions on domain and organizational unit

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

The effective permissions do not mean anything unless you look at them on an
actual domain controller.

Well before I posted anything to this site I check all the nested groups and
group membership etc. Only after I posted did I think to try to look at the
permissions on a DC. The effective permisisons are totally erroneous when
looking at them from any XP system.

"Joe Richards [MVP]" wrote:

I take it you have created a group called desktopadmins?

You need to look at every group that that group may be nested in and
then chase the memberships each of those groups has. That will be the
true effective permissions.

The builtin effective permissions tool can be misleading. There are
issues with some types of groups that you won't get unless actually
logged in with a user in that group and it can look at the resulting
security token. Consider effective permissions as best guess only.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Karen wrote:
I have an interesting problem with "effective permissions" at the domain
level in our AD environment.

When looking at the Security tab at the domain level the group,
DesktopAdmins is not listed, not even when I look at the Advanced
permissions. However, if i use the "effective permissions" tab at the domain
level and type in the name, DesktopAdmins, not only is the group listed but
it has WAY more permissions than it should.

I have looked at all groups that DesktopAdmins is a member of and none of
them have the level of permissions it has.
I have also looked at Group Policy and can't find where this group was given
this level of permission.

Since I can't figure out where DesktopAdmins got all of its permissions then
I can't remove the permissions.



.

Relevant Pages

  • Re: Effective Permissions on domain and organizational unit
    ... The builtin effective permissions tool can be misleading. ... When looking at the Security tab at the domain level the group, DesktopAdmins is not listed, not even when I look at the Advanced permissions. ... However, if i use the "effective permissions" tab at the domain level and type in the name, DesktopAdmins, not only is the group listed but it has WAY more permissions than it should. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Scripting Effective Permissions
    ... Last one is more scripting, and syntax can be a bit tricky and complex in ... I've got a bit of an issue with permissions and was hoping someone can ... it's sub folders. ... By 'effective permissions', I mean the ...
    (microsoft.public.security)
  • Re: share level & ntfs permissions
    ... that was very useful info about the effective permissions ... access the share over the network thru my network places on my win xp pro ... and full control ntfs permissions). ... Create a folder named Testing on the Windows 2K3 DC ...
    (microsoft.public.windows.file_system)
  • Re: a problem with NTFS-permissions
    ... Apparently effective permissions does not always show the exact permissions ... the issue might be that a folder higher in the tree has ... delete subfolders and files applied to it, or full control, which allows ...
    (microsoft.public.windows.server.general)
  • Re: Permissions question
    ... I am not sure how the UI calculates the effective permissions. ... look at the Test group's permission on the folder. ... this is the expected behavior. ...
    (microsoft.public.cert.exam.mcse)