Check Effective Permissions

How to use Docusnap365 to check the effective NTFS permissions for individual users or groups.

  3 minute read  

Introduction

With the “Add Principal” feature, you can precisely analyze which effective access rights a specific user or group has to files and folders.
All relevant factors are automatically taken into account – from group memberships and share permissions to inherited and explicit NTFS permissions.

Add a User to the Analysis

  1. Open an existing analysis in the NTFS Analysis section.
  2. Click the “Add Principal” button.
  3. Select the desired user or group from Active Directory or from local groups.
  4. After selection, the user is added to the analysis – the matrix is extended to include the effective permissions of this principal.

Add user to analysis

What Does the Effective Permission Show?

A user’s effective rights result from the interaction of the following layers:

  • Share permissions on the network share
  • Inherited NTFS permissions from parent folders
  • Directly set (explicit) NTFS permissions on the target folder
  • Group memberships (including nested groups)
  • Filter conditions (if active)

Docusnap365 automatically calculates this combination and displays only the effective permissions of the selected user.

Effective permissions matrix

Why This Is Important

This analysis provides a clear answer to the question:

“Does user X have access to directory Y – and if so, with which permissions and through which path?”

It also identifies whether a user gains permissions through group memberships or inheritance that they should not have individually.
This makes the feature particularly helpful for:

  • Audits and compliance checks
  • GDPR information requests
  • Permission clean-ups

Permission Origin

With the new Permission Origin feature, not only is the overall effective permission calculated, but it is also transparently shown how this permission is derived.

Docusnap365 traces the entire chain:

  • User → Group memberships (e.g., domain or AD groups)
  • Groups → Directories/ACLs
  • Inheritance and explicit entries at folder and file level
  • Blocked or active inheritance

The permission paths are made visually traceable. This allows you to immediately see:

  • Which groups grant a user a permission
  • Which ACL entries apply to which folder
  • Whether inheritance is blocked or active
  • And finally, how the overall effective permission is calculated

Permission origin visualization

Recursive Group Resolution

A key element of the permissions analysis in Docusnap365 is the complete, recursive resolution of group memberships.

This means:

  • Nested groups are automatically resolved.
  • Indirect memberships (e.g., User → Group A → Group B → Permission) are taken into account.
  • This ensures that all effective permissions are correctly identified and displayed – regardless of how complex the AD structure is.

The recursive resolution is shown not only in table form, but also graphically.
This allows administrators to immediately recognize through which group chains a user obtains their permissions.

Recursive group resolution

Special Features

  • Groups are recursively resolved – nested groups are fully taken into account.
  • Only effective rights are displayed – rights that could theoretically be inherited but are not actually effective are not shown.
  • Multiple principals can be analyzed and compared at the same time.
  • New: Transparent tracing of individual permissions across their entire origin chain.