September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
14.9. Viewing the Effective Permissions on an Object
Problem
You want to view the effective permissions for a user or group on a particular object.
Solution
Using a graphical user interface
Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool, such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View → Advanced Features from the menu.
Click the Advanced button.
Select the Effective Permissions tab.
Click the Select button to bring up the Object Editor.
Find the user or group you for which want to see the effective permissions.
The results will be shown under Effective Permissions.
Tip
The Effective Permissions tab is available only in the Windows Server
2003 version of the ACL Editor. For Windows 2000,
you’ll need to use the acldiag
solution.
Using a command-line interface
> acldiag <ObjectDN> /geteffective:<UserOrGroup>
Discussion
Viewing the permissions on an object does not tell the whole story as to what the actual translated permissions are for a user or group on that object. The effective permissions of an object take into account all group membership and any inherited permissions that may have been applied further up the tree.