View library of free security tools
The tool queries access permissions defined on files and directories on a local or remote system. It displays:
- The object’s Discretionary Access Control List (DACL)
- All Access Control Entries (ACEs) defined in the DACL (a list of Deny and Allow rules)
- The attributes of the file or folder, including creation and modification times
- The owner and type of the object
To use the tool
- Select the file or folder to query. Enter the path of the object in the text box or select the object via the Browse button.
- The path can be a local path (e.g. C:\Windows\xxx) or a UNC path, such as \\Server2008\C\xxx.
- Press enter, or click the List Permissions button to display the object’s DACL.
Attributes. A list of attributes that apply to the file or folder, such as Read-Only, Hidden, and Compressed.
Object Owner. An owner is assigned to an object when the object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner can always change the permissions on the object.
ACE Count. The number of Access Control Entries defined in the DACL.
ACE Number. Windows reads ACEs in an object’s DACL in sequence until it finds a matching ACE, which it applies. A Deny ACE generally take precedence over an Allow ACE because Deny ACEs are placed higher in the DACL than Allow ACEs.
ACE Type. Allow or Deny. Determines whether the ACE allows or denies access to the object.
Inherited ACE. Indicates whether the ACE is inherited from a higher level in the directory structure, or is explicitly defined on the object.
Account. The trustee to which the ACE applies.
Apply To. Indicates which descendant objects will inherit the permissions defined in the ACE.
Permissions List. The various access or deny permissions defined in the ACE:
- Full control. Allows or denies all of the file and folder permissions below.
- Traverse folder / execute file
- For folders: Allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right via a Group Policy.
- For files: Allows or denies running program files.
- List folder / read data
- For folders: Allows or denies viewing file names and subfolder names within the folder. List Folder only affects the contents of that folder and does not affect whether the folder you are setting the permission on will be listed.
- For files: Read Data allows or denies viewing data in files.
- Read attributes. Allows or denies viewing the attributes of a file or folder, such as read-only and hidden.
- Read extended attributes. Allows or denies viewing the extended attributes of a file or folder. Extended attributes are defined by programs.
- Create files / write data
- For folders: Allows or denies creating files within the folder.
- For files: Allows or denies making changes to the file and overwriting existing content.
- Create folders / append data
- For folders: Allows or denies creating folders within the folder.
- For files: Allows or denies making changes to the end of the file but not changing, deleting, or overwriting existing data.
- Write attributes. Allows or denies changing the attributes of a file or folder, such as read-only or hidden.
- Write extended attributes. Allows or denies changing the extended attributes of a file or folder. Extended attributes are defined by programs.
- Delete subfolders and files. Allows or denies deleting subfolders and files, even if the Delete permission has not been granted on the subfolder or file.
- Delete. Allows or denies deleting the file or folder. If you don't have Delete permission on a file or folder, you can still delete it if you have been granted Delete Subfolders and Files on the parent folder.
- Read permissions. Allows or denies reading permissions of the file or folder, such as Full Control, Read, and Write.
- Change permissions. Allows or denies changing permissions of the file or folder, such as Full Control, Read, and Write.
- Take ownership. Allows or denies taking ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any permissions that protect the file or folder.