You need to verify which users or groups have access to a specific folder on Windows 11. The built-in Security tab shows permissions, but it does not list effective access for every account in one view. This is where AccessChk from Microsoft Sysinternals fills the gap. This article explains how to download, run, and interpret AccessChk output to audit folder permissions on Windows 11.
Key Takeaways: Auditing Folder Permissions with AccessChk
- AccessChk from Microsoft Sysinternals: A command-line tool that lists effective permissions for any user or group on a folder without opening the GUI.
- Command:
accesschk64.exe -d -u username folderpath: Shows the specific permissions a given user account has on a folder. - Command:
accesschk64.exe -d -g groupname folderpath: Lists permissions assigned to a security group, such as Users or Administrators.
What AccessChk Does and Why You Need It for Folder Audits
AccessChk is part of the Microsoft Sysinternals suite. It is a command-line utility that reports the effective permissions a user or group has on files, folders, registry keys, services, and other Windows objects. For folder permissions, the built-in Windows Security tab shows the access control entries, but it does not combine inherited permissions with explicit permissions in a single readable output. AccessChk does exactly that.
The tool is useful for security auditors, IT administrators, and power users who need to confirm that folder permissions match the intended security policy. For example, you might need to verify that a contractor account has only Read access to a project folder, or that a service account has Full Control over a shared data directory. AccessChk answers these questions without requiring you to navigate multiple GUI dialogs.
AccessChk does not require installation. It runs directly from the command prompt or PowerShell. The tool supports both 32-bit and 64-bit versions of Windows 11. You can download it from the Microsoft Sysinternals website or via the Sysinternals Live service.
How to Download and Set Up AccessChk on Windows 11
Before you can audit folder permissions, you need to download the AccessChk executable. Follow these steps to get the tool ready on your Windows 11 machine.
- Download AccessChk from Microsoft Sysinternals
Open your web browser and go to the official AccessChk download page. Click the Download AccessChk link. The file is namedAccessChk.zip. - Extract the ZIP archive
Locate the downloadedAccessChk.zipfile in your Downloads folder. Right-click it and select Extract All. Choose a destination folder, such asC:\Tools\AccessChk, and click Extract. The archive contains two files:accesschk.exe(32-bit) andaccesschk64.exe(64-bit). - Add the folder to your PATH environment variable (optional)
To runaccesschk64.exefrom any command prompt without typing the full path, add its folder to the system PATH. Open Settings > System > About > Advanced system settings. Click Environment Variables. Under System variables, select Path and click Edit. Click New, enter the folder path (e.g.,C:\Tools\AccessChk), and click OK on all dialogs. Restart your command prompt. - Open Command Prompt or PowerShell as Administrator
Right-click the Start button and select Windows Terminal (Admin) or Command Prompt (Admin). AccessChk needs administrator privileges to read permissions on folders that are protected by the system.
Basic AccessChk Commands for Folder Permission Audits
Once AccessChk is set up, you can run several commands to inspect folder permissions. The most common options are -d (directory), -u (user), and -g (group). Below are the essential commands with real-world examples.
Check Permissions for a Specific User on a Folder
To see what permissions a particular user account has on a folder, use the -d and -u flags together. The syntax is:
accesschk64.exe -d -u username folderpath
For example, to check the permissions for user jdoe on the folder C:\Projects\Finance, run:
accesschk64.exe -d -u jdoe C:\Projects\Finance
The output lists every permission entry for that user, including inherited permissions. You will see lines like R for Read, W for Write, F for Full Control, and so on. If the user has no access, the output shows a blank or a note saying the user does not have access.
Check Permissions for a Group on a Folder
To audit permissions for a security group, replace -u with -g. The syntax is:
accesschk64.exe -d -g groupname folderpath
For example, to see what permissions the Domain Users group has on C:\Shared\Data, run:
accesschk64.exe -d -g "Domain Users" C:\Shared\Data
The output shows all access entries for that group. This is useful when you need to confirm that a group like Everyone or Authenticated Users does not have excessive permissions.
List All Users and Groups with Permissions on a Folder
If you want a complete audit of every account that has permissions on a folder, use the -d flag without specifying a user or group. The command is:
accesschk64.exe -d folderpath
For example:
accesschk64.exe -d C:\Projects\Finance
This returns a list of all security principals that have explicit or inherited permissions on that folder, along with the permission codes. This is the fastest way to get a full permission map of a directory.
Advanced AccessChk Options for Deeper Audits
AccessChk supports additional flags that give you more control over the output. Use these when you need to audit subfolders recursively or exclude inherited permissions.
Recursively Audit All Subfolders
To check permissions for a folder and all its subfolders, add the -s flag. The syntax is:
accesschk64.exe -d -s -u username folderpath
For example:
accesschk64.exe -d -s -u jdoe C:\Projects
This command audits every folder under C:\Projects for user jdoe. The output can be long, so consider piping it to a text file using > output.txt.
Show Only Explicit Permissions
By default, AccessChk shows both inherited and explicit permissions. To see only permissions that are directly applied to the folder (not inherited from a parent), use the -e flag:
accesschk64.exe -d -e -u jdoe C:\Projects\Finance
This helps you identify permissions that were manually set on that specific folder, which is useful for troubleshooting permission issues.
Common Issues When Using AccessChk on Windows 11
AccessChk Returns No Output or Blank Lines
If the command returns no output, the user or group likely does not have any permissions on the folder. Verify that the account name is spelled correctly. Use the whoami command to confirm the current username. For domain accounts, include the domain name in the format DOMAIN\username.
Access Denied Error When Running AccessChk
AccessChk must run with administrator privileges to read permissions on system folders or folders owned by TrustedInstaller. Close the command prompt and reopen it by right-clicking and selecting Run as administrator. If the error persists, the folder may be protected by BitLocker or EFS encryption that blocks even administrator access.
AccessChk Shows Different Permissions Than the GUI Security Tab
The GUI Security tab in Windows 11 shows effective permissions by combining inherited and explicit entries. AccessChk also shows effective permissions but uses a different display format. If you see a discrepancy, run AccessChk with the -e flag to isolate explicit permissions, then compare with the Advanced button in the Security tab. The two views should match when you account for inheritance.
AccessChk vs Windows Security Tab for Folder Permissions
| Item | AccessChk | Windows Security Tab |
|---|---|---|
| Interface | Command line | Graphical user interface |
| Permission scope | One user, group, or all at once | All users and groups in a list |
| Effective permissions | Shows combined inherited and explicit | Shows combined but requires clicking Advanced and Effective Access |
| Recursive audit | Built-in with -s flag |
Not available without third-party tools |
| Output to file | Easy with > output.txt |
Not supported |
| Requires admin rights | Yes, for most folders | Yes, for changing permissions |
The table shows that AccessChk is better suited for automated audits and bulk checks, while the Security tab is more accessible for quick visual inspection of a single folder.
You can now audit folder permissions on Windows 11 using AccessChk. The tool gives you a fast, scriptable way to check effective permissions for any user or group. Start by running a basic command on a test folder to become familiar with the output format. For recurring audits, save the commands in a batch file and redirect the output to a timestamped log file. An advanced tip: use the -n flag to show only objects that the specified user does not have access to, which helps identify unauthorized access gaps in large folder structures.