Recipe 14.9 Viewing the Effective Permissions on an Object
14.9.1 Problem
You want to view the effective
permissions for a user or group
on a particular object.
14.9.2 Solution
14.9.2.1 Using a graphical user interface
Open the ACL Editor. You can do this by viewing the properties of an
object (right-click on the object and select Properties) with a tool,
such as Active Directory Users and Computers (ADUC) or ADSI Edit.
Select the Security tab. To see the Security tab with ADUC, you must
select View Advanced Features from the menu. Click the Advanced button. Select the Effective Permissions tab. Click the Select button to bring up the Object Editor. Find the user or group you for which want to see the effective
permissions. The results will be shown under Effective Permissions.
|
The Effective Permissions tab is available only in the Windows Server
2003 version of the ACL Editor. For Windows 2000,
you'll need to use the acldiag
solution.
|
|
14.9.2.2 Using a command-line interface
> acldiag <ObjectDN> /geteffective:<UserOrGroup>
14.9.3 Discussion
Viewing the permissions on an object does not tell the whole story as
to what the actual translated permissions are for a user or group on
that object. The effective permissions of an
object take into account all group membership and any inherited
permissions that may have been applied further up the tree.
|