I'm trying to evaluate some permissions on a large file server. when i come to look at effective permissions i get the following:-

"You do not have permission to evaluate effective access rights for the remote resource. Contact the administrator of the target server" 

I am a domain admin. it seems to allow me to determine effective rights for other domain admins but no one outside if that scope. I'm running this on the server. 

If i try and look at effective access on a mapped drive on a server running server2008 or 2008r2 it allows me to look at the rights.. 

The domain and forest functional level is 2008r2 (however both DC's are 2012) could this be the problem? 

I'm hoping someone can help as this one has me stumped! 

Steve

This sounds like user access control being enabled on the server. You could try with the local admin account on the file server and see if that works, and you could also disable UAC on the server to see if this is what is causing it. 

Hmm I tried disabling UAC and logging in with the Local admin account.. still no joy :(

How are you getting to the share / folder you are accessing - are you going directly to the folder on the server, or are you browsing to it by UNC? If you are using UNC path, can you try and actually going directly to the folder through explorer and seeing if effective permissions works this way. 

HI,

Do you still require further help with this?

Thanks

Denis

I am having this issue.  It seems to only be an issue when viewing effective access from Windows 8.1 or 2012.  UAC on the target server is off.  Browsing to the folder directly on the server does not help.  Viewing effective access from a 2008 machine works fine.  Logging in as local admin doesn't even help.

I am\was having the same issue.  I fixed the issue by allowing my 2012 R2 File Servers domain computer accounts Read access to the user account(s) in Active Directory that I was trying to determine Effect Access for.  In other words use dsa.msc and find the account that you are trying to determine it's Effective Access and give your File Servers AD computer account Read access.  I don't know if this is by design or not.  I'm still looking as to why this is set up this way, but for now this is a workaround. 

• Edited by RGARRETT28 Monday, September 08, 2014 7:27 PM

If you need to evaluate/modify ACL on remote resources  you must add corresponding users to "Access Control Assistance Operators" local group.

• Proposed as answer by Vladimir Prokhorov Thursday, October 02, 2014 7:52 PM

If you need to evaluate/modify ACL on remote resources  you must add corresponding users to "Access Control Assistance Operators" local group.

Add my user account (domain admin) to the group? Or, add the user account of the person I am trying to determine effective access of?  Do I add this person to the group on the domain controller, the local server, or both?

So, I tried all of those options, and I cannot fix this message.

I am trying to determine effective access on a local file for a domain user account.

I am able to workaround this issue by adding the computer account to the "Pre-Windows 2000 Compatible Access" domain group.  I don't want to add all my servers to this group just to check permissions.  There must be a better way!

I am able to workaround this issue by adding the computer account to the "Pre-Windows 2000 Compatible Access" domain group.  I don't want to add all my servers to this group just to check permissions.  There must be a better way!

I decided to investigate this further.  I discovered that "Authenticated Users" had been removed from the "Pre-Windows 2000 Compatible Access" group.  Re-adding this group solved the problem.

Reference: http://technet.microsoft.com/en-us/library/dn579255.aspx

What about case where I have two domains. DomainA trusts domainB in one way relationship. I have fileshare service within domainA and allow users from domainB to access to it. But when I try to determine effective permissions for users from domainB on fileshare from domainA I get following error: You do not have permission to evalute effective access rights for the remote resources.

Is it possible to list effective permission in one way trust?

Hello Vid5000. I wonder if you managed to view the effective permissions in your case. I also have a trust and get this error when trying to view effective permissions from a user that is trusted from another domain.

With kind regards,

Max