In IT, having a tight access control over critical data is the key to it's protection and safety. This requires updating and reviewing shared files and folder access lists. Often this is done by IT support staff, however the outsourcing of IT services with long communication lines, missunderstandings, time gaps and cost reductions lead to situations. It is always good for data owners to be able to identify access, knowing "who has a key to the place".

Using Windows commands on a standard laptop, it is possible for staff and normal users to identify access to local and shared folders. With access updates typically executed by IT staff on domain conntrollers, we can confirm if access update requests ifor critical files and folders have been executed as requested.

The instructions below were run on a Windows 7 laptop, using the “commandline” program for execution of operating system commands.


Open a “commandline” window for typing the operating system commands: Go to Start ➞ Accessories ➞ Command Prompt

Windows Command Prompt

All output shown below in grey highlighted windows was executed within the command prompt environment.

Connect the network “share” using the command line

The access verification commands run on folders that are visible on the command line. For network “shared’ folders, we need to confirm if they are “connected”. To verify if a shared folder is connected and visible:

C:\Windows\system32>net use
New connections will not be remembered.

There are no entries in the list.

In the example above, no shared drives are visible. We would like to verify a folder under the shared drive mounted as “S:”. In our example, we can connect this “shared” drive as shown below:

C:\Windows\system32>net use S: \\tofsserver3\dfs\shared
The command completed successfully.

Now we have a network “share” drive connected. It is visible on the command prompt and ready to be used for verification.

Show a folders access list

The Windows operating system command icacls lists access entries for the folder. Below shows an example:

C:\Windows\system32>icacls "S:\MKS\Audit"
S:\MKS\Audit MYDOMAIN2\acl_Audit:(OI)(CI)(M)
             No mapping between account names and security IDs was done. (OI)(CI)(RX)
             MYDOMAIN2\Domain Admins:(OI)(CI)(F)
             No mapping between account names and security IDs was done. (OI)(CI)(RX)
             No mapping between account names and security IDs was done. (OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

The access rights are displayed at the end of the output:

For detailed information about the meaning, see the Microsoft documentation on file and folder permission access rights (link).

Identify the individual group members

In an ideal, organized IT world, shared folder access is controlled by domain groups, rather than adding individual users. In our example above, There are two groups. Our IT has a group naming convention, defining that user group names are preceded by “acl_”. This is a good practise to quickly indentify if an entry it is a user or a group. Note that there is no standard.

In this step, we will use the net group command to identify the individual user ID’s that belong to that domain group:

C:\Windows\system32>net group /Domain acl_Audit
The request will be processed at a domain controller for domain

Group name     acl_Audit
Comment        Audit Team


argento                  kosenra                  megulthi
mksasg1                  mksasg2                  saphirol
The command completed successfully.

Repeat this step for all groups listed under the folders access.

Translate user ID's into real names

Windows user IDs are hard to read and to link to real users, because they are short and unique. Our IT organization has a naming convention that “builds” a user ID from 5 starting characters on the Last name, plus two characters from the first name. This process is not ideal, and naming conflicts are resolved by deviation from this standard. As a result, we need to translate the Windows user ID into the real user name.

The net user command below shows an (imaginary name) example:

C:\Windows\system32>net user /Domain kosenra
The request will be processed at a domain controller for domain

User name                    kosenra
Full Name                    Raphael Kosenna
Comment                      /I/A113062/MKS/Kosenna Raphael - User (Audit) A113062
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
The command completed successfully.

Notice the full name is being displayed on the second line for the given user ID.

Conclusion and further links

Using the above method is on way to establish access rights to Windows domain network folders and files, and to verify if access is correct. File and folder access rights are a critical piece in our computerized and networked word of shared data.

There is a magnitude of further information and details about access rights that is beyond this short how-to. As a foundation, file and folder permission options depend on the underlying “file system”. In the Windows world, we commonly use a file system called NTFS. Other file systems are possible, and the access right and permission options can be distinctively different.

There are tools and software that helps extracting the information in a automated fashion. Free and commercial, with installation and without. To name a few: Hyena, DumpSec, FileAcl, and scripts using Windows power shell exist.

The following links may help in gathering further information and knowledge:

Was it helpful? Are there any errors? - Your comments and "Thanks" goes a long way in support for this site.


See also: