O'Reilly logo

Active Directory Cookbook by Robbie Allen

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

14.9. Viewing the Effective Permissions on an Object

Problem

You want to view the effective permissions for a user or group on a particular object.

Solution

Using a graphical user interface

  1. Open the ACL Editor. You can do this by viewing the properties of an object (right-click on the object and select Properties) with a tool, such as Active Directory Users and Computers (ADUC) or ADSI Edit. Select the Security tab. To see the Security tab with ADUC, you must select View Advanced Features from the menu.

  2. Click the Advanced button.

  3. Select the Effective Permissions tab.

  4. Click the Select button to bring up the Object Editor.

  5. Find the user or group you for which want to see the effective permissions.

  6. The results will be shown under Effective Permissions.

Tip

The Effective Permissions tab is available only in the Windows Server 2003 version of the ACL Editor. For Windows 2000, you’ll need to use the acldiag solution.

Using a command-line interface

> acldiag <ObjectDN> /geteffective:<UserOrGroup>

Discussion

Viewing the permissions on an object does not tell the whole story as to what the actual translated permissions are for a user or group on that object. The effective permissions of an object take into account all group membership and any inherited permissions that may have been applied further up the tree.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required