Have you ever had that call from a developer questioning whether permissions for a particular user account are set up correctly? Even when the NTFS and share permissions you can see look right, doubt may still be cast on the permissions configured on the folder, especially from the development side of the house. Having the ability to test the permissions of a particular user or service account comes in handy in this case. However, how can you test another user's permissions to a folder without logging in to a workstation or other test system as that service account or user, and without even logging out of your own workstation? Let’s take a look at a quick tip from the command line for testing the permissions of another user to a folder or file.
Why test permissions of another user to a folder or file?
You may have seen this from experience as I know I have many times. Performing a “real-world” test gives me a much better feeling about things than simply relying on what I see in the ACLs configured and showing on a Windows Server for a particular user.
I have seen all kinds of weird things happen where a user appears globally to have permissions to a folder, but a folder or two underneath may have ownership changes or explicitly configured permissions, so that the user in question may not have the permissions to the folder that you would expect.
I find that it is much easier to perform a real-world test to cut to the chase and see if the user actually has the permissions configured on the folder that are expected. This gives you real-world proof of whether the permissions are working as you expect.
In the Windows world, permissions are generally evaluated in the context of the user who is logged in to a client workstation or Windows Server. From a logon session perspective, then, it is not obvious how to test the permissions of another user to a folder or file. While the GUI logon session may make this a bit more difficult to accomplish, the command line can come to the rescue.
How to test permissions of another user to a folder or file
What do you need to do to test the permissions of another Windows user to a folder or file if you don’t log in as that user? Well, there is a mechanism that you may have used in Windows before that allows “logging in” as another user from the command line.
The runas command allows you to effectively assume the identity of another Windows user to be able to work in the context of that user or perform other actions that require assuming the rights and permissions of that particular user and the abilities that implies.
With the runas command you can effectively log in from the command line as the user whose permissions you want to test, and then check whether that user has the access you expect to the folder or file.
Let’s see how the runas command works and what it can do for you in terms of troubleshooting and testing permissions for various resources that may be located on the network.
To use the runas command, you can simply open a PowerShell prompt or command prompt.
- runas /user:<your user you want to test> cmd.exe
By opening cmd.exe you will be able to test traversing folders and creating files and folders, all from the command line as that user.
Once you enter the command, a command prompt opens as that user. Note the window title below is (running as CLOUD\testuser), which is the user I want to test permissions for.
As you can see, if I try to make a directory underneath the folder that I am traversing, I get an “Access is denied” error. If this user is expected to be able to create objects underneath this folder, you would run into an error.
If this user is a service account and is expected to be able to create files/folders, this would show there will be problems at an application level for the user to do this.
You can also test network permissions using the old net use command.
Below, trying to map a drive under the context of the user in the runas cmd.exe window returns a “The password is invalid for” message. This indicates the account trying to access is not allowed to access the resource.
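A scripted form of the mkdir test above, added here as an example (it is not code from the original article): it uses PowerShell's Start-Process -Credential in place of an interactive runas window and reports whether the account can list, create and delete under a folder. The function name Test-FolderAccessAs and the folder path are hypothetical; CLOUD\testuser is the account used in the article.

```powershell
# Added example. Test-FolderAccessAs is a hypothetical helper name.
function Test-FolderAccessAs {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # Probe script that runs as the other user. Exit code = 64 plus a bitmask:
    # 1 = can list the folder, 2 = can create a subfolder, 4 = can delete it again.
    $quoted = $Path.Replace("'", "''")
    $child = @"
`$ErrorActionPreference = 'Stop'
`$rc = 64
`$probe = Join-Path '$quoted' ('permtest_' + [guid]::NewGuid().ToString('N'))
try { Get-ChildItem -LiteralPath '$quoted' | Out-Null; `$rc += 1 } catch {}
try { New-Item -ItemType Directory -Path `$probe | Out-Null; `$rc += 2 } catch {}
try { if (`$rc -band 2) { Remove-Item -LiteralPath `$probe; `$rc += 4 } } catch {}
exit `$rc
"@
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($child))
    $start = @{
        FilePath         = 'powershell.exe'
        ArgumentList     = '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded
        Credential       = $Credential
        WorkingDirectory = $env:SystemRoot   # must be readable by the tested user
        PassThru         = $true
    }
    $proc = Start-Process @start
    $null = $proc.Handle                     # cache the handle so ExitCode is populated
    $proc.WaitForExit()
    $code = $proc.ExitCode
    if ($code -lt 64 -or $code -gt 71) {
        throw "Probe did not run to completion as $($Credential.UserName) (exit code $code)."
    }
    [pscustomobject]@{
        User      = $Credential.UserName
        Path      = $Path
        CanList   = [bool]($code -band 1)
        CanCreate = [bool]($code -band 2)
        CanDelete = [bool]($code -band 4)
    }
}

# Placeholder path; CLOUD\testuser is the account used in the article.
$cred = Get-Credential -Credential 'CLOUD\testuser'
Test-FolderAccessAs -Path 'D:\Shares\AppData' -Credential $cred
```

If CanCreate is True but CanDelete is False, a permtest_ folder is left behind in the target and needs to be removed by an account that has delete rights.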
Wrapping Up
As you can see, the runas command is a great tool for testing the permissions of another user to a folder or file. It allows you to do this all without having to log in to a workstation or server as the user.
By using the runas command you can simply assume the context of the user in question to test folder or network permissions easily and simply.