Is there a utility that will show which ACL (chaining up from the current
folder location) is the one that is responsible for each effective
permission a user has on a file or folder?
I have always understood that Modify permission in an ACL only gives the
user the ability to change data, and not the ACL itself. Changing the ACL
itself requires Full Control permission. I have a user with Modify
access to a folder who is somehow able to add new users into the ACL.
When you look at Effective permissions he does have the "Change Permission"
permission. The thing we cannot figure out is where is this being
inherited from.
RE: User With Modify Permission Able to Add Users to ACL?
You can download a tool named perms.exe from the Microsoft website.
"Will" wrote:
> Is there a utility that will show which ACLs (chaining up from the current
> folder location) is the one that is responsible for each effective
> permission a user has on a file or folder?
>
> I have always understood that Modify permission in an ACL only gives the
> user the ability to change data, and not the ACL itself. Changing the ACL
> itself requires Full Control permission. I have a user with Modify
> access to a folder who is somehow able to add new users into the ACL.
> When you look at Effective permissions he does have the "Change Permission"
> permission. The thing we cannot figure out is where is this being
> inherited from.
>
> --
> Will
>
>
>
Re: User With Modify Permission Able to Add Users to ACL?
That's not what I am looking for. Perms appears to just dump permissions
of files in the specified folder.
I'm looking for something more in the spirit of the wonderful group policy
tool "resultant set of policies" (RSOP) that shows you for any given policy
which group policy made the setting. In terms of ACL security settings,
the tool I am looking for would traverse the inheritance path of folders and
files and determine which of the current - or inherited - ACL settings
accounts for a given effective permission.
--
Will
"Haoqiang" <Haoqiang@discussions.microsoft.com> wrote in message
news:69350EBA-2E63-4225-B133-6152A5A3FE21@microsoft.com...
> You can download a tool named perms.exe from microsoft website.
>
>
> "Will" wrote:
>
>> Is there a utility that will show which ACLs (chaining up from the
>> current
>> folder location) is the one that is responsible for each effective
>> permission a user has on a file or folder?
>>
>> I have always understood that Modify permission in an ACL only gives the
>> user the ability to change data, and not the ACL itself. Changing the
>> ACL
>> itself requires Full Control permission. I have a user with Modify
>> access to a folder who is somehow able to add new users into the ACL.
>> When you look at Effective permissions he does have the "Change
>> Permission"
>> permission. The thing we cannot figure out is where is this being
>> inherited from.
>>
>> --
>> Will
>>
>>
>>
Re: User With Modify Permission Able to Add Users to ACL?
On Mon, 28 Jul 2008 22:48:09 -0700, "Will" <westes-usc@noemail.nospam>
wrote:
>That's not what I am looking for. Perms appears to just dump permissions
>of files in the specified folder.
>
>I'm looking for something more in the spirit of the wonderful group policy
>tool "resultant set of policies" (RSOP) that shows you for any given policy
>which group policy made the setting. In terms of ACL security settings,
>the tool I am looking for would traverse the inheritance path of folders and
>file and determine which of the current - or inherited - ACL settings
>accounts for a given effective permission.
Have you looked at Dumpsec? It is supposed to dump permissions as well
for files and folders, along with other functions.
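
Added example, not part of the original thread and not any poster's code: a PowerShell sketch of the RSOP-style walk asked for above. It starts at a folder, climbs toward the drive root, and lists each explicit Allow ACE that carries the "Change permissions" or "Take ownership" right, so an inherited right on the target can be traced to the level where it was set. The path is a hypothetical sample value, and Deny ACEs and group membership are not evaluated.

```powershell
# Added example, not from the thread. $Path is a hypothetical sample value.
param([string]$Path = 'D:\Shares\Projects')

# Access-mask bits that let a principal rewrite the DACL, directly or indirectly.
$WRITE_DAC   = 0x00040000   # "Change permissions"
$WRITE_OWNER = 0x00080000   # "Take ownership"
$GENERIC_ALL = 0x10000000   # Get-Acl shows this as the raw value 268435456
$mask = $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL

$item     = Get-Item -LiteralPath $Path -Force
$isTarget = $true

while ($item) {
    $acl = Get-Acl -LiteralPath $item.FullName

    if ($isTarget) {
        # The owner of an object can change its DACL even without an ACE granting it.
        [pscustomobject]@{
            Level = $item.FullName; Identity = $acl.Owner
            Rights = 'Owner (implicit)'; Inheritance = ''; Propagation = ''
        }
    }

    # Explicit ACEs only: an inherited ACE is reported at the level that defines it.
    # On ancestors, skip ACEs that do not inherit to child objects at all.
    $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -and
        ($isTarget -or $_.InheritanceFlags -ne 'None')
    } | ForEach-Object {
        [pscustomobject]@{
            Level       = $item.FullName
            Identity    = $_.IdentityReference.Value
            Rights      = $_.FileSystemRights
            Inheritance = $_.InheritanceFlags     # ContainerInherit / ObjectInherit
            Propagation = $_.PropagationFlags     # InheritOnly / NoPropagateInherit
        }
    }

    # A protected ACL blocks inheritance, so nothing above this level applies.
    if ($acl.AreAccessRulesProtected) { break }

    $isTarget = $false
    $item = if ($item -is [System.IO.DirectoryInfo]) { $item.Parent } else { $item.Directory }
}
```

Compare the Identity column against the user's own account and group memberships; the Propagation column still has to be read by hand, since an ACE marked NoPropagateInherit reaches only immediate children.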