Use icacls or Get-Acl $PATH | Format-List in PowerShell to check permissions at the command line. The icacls tool can also be used to update Windows ACLs.

Both of these tools produce output that is somewhat different from that of the “Security” tab in the file or folder properties. The abbreviations that appear in icacls output include:

  • (I) — permission inherited from the parent container
  • (F) — full access (full control)
  • (M) — modify right/access
  • (OI) — object inherit
  • (IO) — inherit only
  • (CI) — container inherit
  • (RX) — read and execute
  • (AD) — append data (add subdirectories)
  • (WD) — write data and add files

Note that the Windows File Explorer only displays the first ACL entry (ACE) for a particular user or group, but that Windows allows multiple entries to be applied! This means that the File Explorer does not always show you the actual permissions a user/group will have, so you really do need to use icacls or Get-Acl.

In the case of multiple ACL entries, or when a user is part of two groups with different permissions, keep in mind that allow permissions only override inherited deny permissions. Explicitly set deny permissions cannot be overridden.
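
The following added example (not part of the original page) lists every entry Get-Acl returns for a path, counts the entries per identity, and marks explicit deny entries, which are the two cases described above that the File Explorer summary can hide. The function name Get-AceSummary and the path in the usage line are assumptions chosen for illustration; the function only reads the ACL.

```powershell
# Added example, not from the original page. Read-only: it only calls Get-Acl.
# Get-AceSummary is a hypothetical helper name.
function Get-AceSummary {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # .Access holds every entry in the DACL, including several for one identity.
    $aces = (Get-Acl -LiteralPath $Path).Access

    # Count how many entries each user or group has.
    $counts = @{}
    foreach ($ace in $aces) {
        $counts[$ace.IdentityReference.Value] += 1
    }

    $rows = foreach ($ace in $aces) {
        $id     = $ace.IdentityReference.Value
        $isDeny = $ace.AccessControlType -eq 'Deny'

        [pscustomobject]@{
            Identity     = $id
            Entries      = $counts[$id]              # more than 1: check every row
            Type         = $ace.AccessControlType    # Allow or Deny
            Source       = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            Rights       = $ace.FileSystemRights
            Inheritance  = $ace.InheritanceFlags     # ObjectInherit = (OI), ContainerInherit = (CI)
            Propagation  = $ace.PropagationFlags     # InheritOnly = (IO)
            # An explicit deny is the case an allow entry cannot override.
            ExplicitDeny = ($isDeny -and -not $ace.IsInherited)
        }
    }

    # Group each identity's rows together, explicit entries before inherited ones.
    $rows | Sort-Object -Property Identity, Source
}

# Usage: the path is a placeholder; point it at the file or folder under review.
Get-AceSummary -Path $env:TEMP | Format-Table -AutoSize
```

Rows where Entries is greater than 1 or ExplicitDeny is True are the ones to compare against what the “Security” tab shows.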