How can I trace NTFS and Share Permissions to see why I can (or can't) write a file?

I'm trying to track down WHY I can write in a folder that, by my best estimation, I should not be able to write. The folder is shared with "Everyone" having "Full Control", with the files being more restrictive. My best guess is there's some sort of sub-group membership that's allowing me to write, but the nesting of groups that exists in our Active Directory is pretty extensive.

Is there a tool that will tell me which of the ACL entries allowed or disallowed my writing a file in a folder?

The Effective Permissions dialog is marginally helpful, but what I need is something like an "NTFS ACL Trace Tool", if such a thing exists.


Solution 1:

Try AccessChk from Sysinternals:

As a part of ensuring that they've created a secure environment Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

Pretty sure it will work.

Solution 2:

You should try using AccessEnum.

This will provide you with the different security principals that have read, write, and deny entries in the ACL for both files and folders. It's a free tool too.

After you run the report, open it up, look at the unique entries for the files and folders in question, and see the effective permissions from there. It's fairly manual to do the lookup, but by putting in the footwork you can get very specific info.
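
The trace the question asks for can also be approximated in PowerShell. The script below is an added example, not part of either answer: it matches every NTFS ACE on a path against the SIDs in the current logon token (which already contains the nested group memberships) and lists the ones that carry write-type rights. It assumes it is run as the affected user against a path that user can read the ACL of; `$Path` is a placeholder, and share permissions are not evaluated.

```powershell
# Added example: show which NTFS ACEs on $Path match the current token and carry write rights.
param([string]$Path = '.')   # placeholder: pass the folder or file in question

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The token holds the flattened result of nested group membership:
# the user's own SID plus every group SID resolved at logon.
$tokenSids = @{}
$tokenSids[$identity.User.Value] = $identity.Name
foreach ($sid in $identity.Groups) {
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }          # SID that cannot be resolved to a name
    $tokenSids[$sid.Value] = $name
}

# Rights that allow creating, changing or deleting content,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles) `
             -bor 0x40000000 -bor 0x10000000

$acl = Get-Acl -LiteralPath $Path

# Ask for the rules with SIDs as identities so they compare directly to the token.
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $tokenSids.ContainsKey($_.IdentityReference.Value) } |
    Where-Object { ([int]$_.FileSystemRights -band $writeMask) -ne 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Type        = $_.AccessControlType                       # Allow or Deny
            MatchedBy   = $tokenSids[$_.IdentityReference.Value]      # group or user that matched
            Rights      = $_.FileSystemRights
            Inherited   = $_.IsInherited
            # An inherit-only ACE (PropagationFlags bit 2) applies to children, not to $Path itself.
            AppliesHere = (([int]$_.PropagationFlags -band 2) -eq 0)
        }
    } | Format-Table -AutoSize
```

The `MatchedBy` column names the group from the token that each ACE was written for, which is the nested membership the Effective Permissions dialog does not show.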