We've had the practice of setting up desktop shortcuts to network shares.
Because of some mysterious failed logons to the shares, I got to investigating the shortcuts.
This is in a domain-joined workstation.
I notice that we can examine the Properties of the shortcut and that there is a Security tab.
The security tab gives Full Control to:
[domain username] for the current logon / matches the Desktop contents of course...
And the Allow column is grayed out while the Deny column isn't.
Now, the actual network share has Security settings giving Full Control to a domain Group.
So, where do these particular permissions that we see in the shortcut come from?