Friday, May 23, 2008

Effective permissions may be reported incorrectly

Scenario

On a domain member computer, the "Advanced / Effective Permissions" tab is used to evaluate a specific user's permissions on a folder.

In this example, the folder is \\[Server]\[Share]\[Folder] and the specified user is a member of the local Administrators group on the domain member computer. The "Effective Permissions" tab reports that the user holds Full Control for the folder.

Cause
Member computers of a domain can only perform group expansion for built-in groups locally. Thus, when the account context is evaluated, the Builtin\Administrators membership from the local computer is returned.

The SID for Builtin\Administrators is S-1-5-32-544 on every computer, so the "Effective Permissions" tab cannot distinguish membership in the local computer's group from membership in the server's local group.

More Information
Permissions for user accounts that are not members of the local computer Administrators group are not affected by this issue.

This issue does not occur if the computer used to evaluate permissions is a domain controller or the server hosting the resource.
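The following Python model, an added example that is not part of the original post, shows why the same DACL gives a different result depending on which computer expands Builtin\Administrators. The machine names, the user and domain SIDs, and the DACL are constructed for illustration, and the access walk is a simplified version of what Windows does.

```python
# Simplified model of the evaluation described above (constructed data, no Windows APIs).
BUILTIN_ADMINS = "S-1-5-32-544"   # same well-known SID on every Windows computer
FULL_CONTROL = 0x1F01FF           # FILE_ALL_ACCESS
READ_EXECUTE = 0x1200A9           # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE

# Constructed SIDs for the user and a domain group.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
DOMAIN_USERS = "S-1-5-21-1111111111-2222222222-3333333333-513"

# Domain group membership is the same wherever it is expanded.
DOMAIN_GROUPS = {USER: {DOMAIN_USERS}}

# Built-in group membership is per machine, but keyed by the same SID.
LOCAL_GROUPS = {
    "WORKSTATION": {BUILTIN_ADMINS: {USER}},  # user is a local admin here
    "SERVER": {BUILTIN_ADMINS: set()},        # but not on the file server
}

# Constructed DACL on \\[Server]\[Share]\[Folder]: (type, sid, mask)
FOLDER_DACL = [
    ("allow", BUILTIN_ADMINS, FULL_CONTROL),
    ("allow", DOMAIN_USERS, READ_EXECUTE),
]

def build_sids(user, machine):
    """SIDs in the user's context when group expansion runs on `machine`."""
    sids = {user} | DOMAIN_GROUPS.get(user, set())
    for group_sid, members in LOCAL_GROUPS[machine].items():
        if sids & members:
            sids.add(group_sid)
    return sids

def effective_access(dacl, sids):
    """Walk ACEs in order; a deny ACE blocks only bits not yet granted."""
    granted = denied = 0
    for ace_type, sid, mask in dacl:
        if sid not in sids:
            continue
        if ace_type == "deny":
            denied |= mask & ~granted
        else:
            granted |= mask & ~denied
    return granted

def reported_vs_actual(user=USER):
    """(mask computed on the workstation, mask computed on the server)."""
    return (effective_access(FOLDER_DACL, build_sids(user, "WORKSTATION")),
            effective_access(FOLDER_DACL, build_sids(user, "SERVER")))
```

Evaluated on the workstation the model returns Full Control, while the server, which enforces access to the folder, grants only Read & Execute.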



Access control lists may report incorrect information in Windows Server 2003
http://support.microsoft.com/kb/884049
