Effective Permissions Wizard

  • Effective Permissions Wizard

    We're getting unpredictable results from the Effective Permissions wizard in the Security/Advanced tab for files and folders. We get different results for each of the following scenarios:

    1. If the person testing is a Domain Admin in another domain who has domain admin rights in the current domain via group memberships.

    2. If the person testing is a Domain Admin in the current domain (this gives the "correct" results).

    3. If the machine you perform the test on is in a different domain to the machine with the files on.

    4. If you're not a Domain Admin at all.

    5. If you're not a Domain Admin and the "Administrators" group is in the ACL for the file.

    The only one that gives CORRECT results and shows the permissions the user being tested ACTUALLY has, is scenario 2. Does anyone know if this is SUPPOSED to happen, or if it's a known issue, or if it's a new issue no one's noticed before (I doubt that very much).


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

  • #2
    Re: Effective Permissions Wizard

    Anyone? Anyone at all?


    Tom


    • #3
      Re: Effective Permissions Wizard

      Hmm... I dun quite get what you are trying to put across.
      Maybe my understanding of English is not that good.
      Just another MCP



      • #4
        Re: Effective Permissions Wizard

        All I'm saying is, when you click "Effective Permissions" and select a user to see what permissions he has, the number of check marks that show below the user's name depends on what account and machine you're using to do the test....

        For instance if I log into Dom1 as a Domain Admin, and I am a Domain Admin in Dom2 via group memberships, and I check effective permissions for a user in Dom2 on a folder in Dom2, I get result (x). If I log into Dom2 directly as a Domain Admin and check again, I get result (y). Result y is correct. etc etc etc
        Last edited by Stonelaughter; 19th October 2006, 09:21.


        Tom


        • #5
          Re: Effective Permissions Wizard

          This TechNet article explains all.

          It basically says that "We have given you this tool, the effective permissions wizard - but the answer it gives might be totally unrelated to reality in just about every way, and we don't care..."


          Tom


          • #6
            Re: Effective Permissions Wizard

            Good find on that article.
            It seems to answer your question. It tells you what scenarios it can be used in and what you need to get an accurate picture.

            Here's an excerpt that I think is relevant:
            Accurate retrieval of the above information requires permission to read the membership information. If the specified user or group is a domain object, you must have permission to read the object's group information on the domain. Here are some relevant default domain permissions:

            Domain administrators have permission to read membership information on all objects.

            Local administrators on a workstation or stand-alone server cannot read membership information for a domain user.

            Authenticated domain users can only read membership information when the domain is in Pre-Windows 2000 compatibility mode.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com
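
A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from any post or from the TechNet article: the same ACL evaluated once with the tested user's group memberships readable by the caller and once without. The domain, user and group names, the rights and the ACL are constructed sample data, and the ordered allow/deny evaluation is an assumption that only approximates a real Windows access check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # user or group the entry applies to
    rights: frozenset  # rights named by the entry

# Constructed sample data (hypothetical names, not from the thread).
USER = r"DOM2\alice"
MEMBERSHIP = {USER: {r"DOM2\Finance", r"DOM2\Contractors"}}
FOLDER_ACL = [
    Ace("deny", r"DOM2\Contractors", frozenset({"delete"})),
    Ace("allow", r"DOM2\Finance", frozenset({"read", "write"})),
    Ace("allow", USER, frozenset({"read", "delete"})),
]

def visible_groups(user, caller_can_read_membership):
    """Groups the evaluating account is able to resolve for `user`."""
    if not caller_can_read_membership:
        return set()  # membership lookup fails; only the user itself is known
    return set(MEMBERSHIP.get(user, ()))

def effective_rights(acl, user, caller_can_read_membership):
    """Walk the ACL in order; an earlier deny blocks a later allow."""
    principals = {user} | visible_groups(user, caller_can_read_membership)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in principals:
            continue  # entry is for a group the evaluator cannot tie to the user
        if ace.kind == "deny":
            denied |= ace.rights - allowed
        else:
            allowed |= ace.rights - denied
    return allowed

def discrepancy(acl, user):
    """Return (rights the tool misses, rights the tool wrongly shows)."""
    actual = effective_rights(acl, user, True)
    shown = effective_rights(acl, user, False)
    return actual - shown, shown - actual

if __name__ == "__main__":
    print("membership readable:  ", sorted(effective_rights(FOLDER_ACL, USER, True)))
    print("membership unreadable:", sorted(effective_rights(FOLDER_ACL, USER, False)))
    missed, phantom = discrepancy(FOLDER_ACL, USER)
    print("missed:", sorted(missed), "wrongly shown:", sorted(phantom))
```

In this model the caller who cannot read membership both under-reports (the group grant is missed) and over-reports (the group deny is missed), so the displayed result is not a safe lower or upper bound.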
