Managing file and directory permissions is another one of those important yet daunting tasks of system administrators. Due to the hierarchical nature of the NTFP file system and its right inheritance features, the exact rights a given user has to a specific resource it not obvious. This is exactly what NTFS permission reporter software can help you with. These tools will scan a directory structure and list the effective rights of a specified user to each element found. Quite a few of these tools are available, offering different degrees of usefulness. To help you see clearly through the maze of available products, we’ve assembled this list of some of the best NTFS permission reporting software.
We’ll begin our discussion today by having a quick look at NTFS permissions, what they are and where they’re coming from. After then, we’ll discuss inherited permission as they are one of the most important features of the Microsoft-developed file system. And since there are at least two places where permissions can be set and since they combine by following specific rules, we’ll study file vs share permission and also effective permissions, which are a compound of the first two. Only then will we be ready to reveal what the best tools are. This is what we’ll be doing next as we review some of the best NTFS permission reporting software.
NTFS Permission explained
The New Technology File System, of NTFS, is a proprietary file system developed by Microsoft for the Windows NT operating system. It superseded the FAT file system used by previous Microsoft operating systems. One of the primary features of NTFS is its elaborate security system based on access control lists (ACLs).
Permissions refer to what a given user is allowed to do with a specific file or directory. There are several basic permissions such as read, write, modify, execute, and list folder content. Full control is another basic permission that grants a user the right to do anything with a file. In addition to those, there are also advanced permissions such as read attributes, read permissions, change permissions, or take ownership, just to name a few.
Access Controls Lists (ACLs) are used to assign permission to objects in an NTFS file system with each object having an ACL which defines what permission any user or group of users has on it.
Under the NTFS, permissions can either be explicitly assigned or they can be inherited. By default, any NTFS object created—a file or a folder—gets the exact same ACLs as his parent. For instance, a user who has read access to a folder will have read access to its content, unless specified otherwise.
Explicit permissions are either set by default when the object is created or they are set by user action. By definition, inherited permissions are not set; they are given to an object because it is a child of a parent object. Permissions are usually best managed for containers of objects. Objects within the container inherit all the access permissions in that container. This is much simple than assigning or modifying permissions of a multitude of objects.
Of course, inherited permission can be overridden and one could, for instance, remove the write permission to a file for a user with write permission to the folder containing that file.
File vs Share vs Effective Permissions
There are two places under modern versions of Windows where permissions can be set. First, there are file permissions. Those are the permissions we’ve been discussing so far. They are the permissions assigned to each and every object in an NTFS file system.
Another place where permissions are assigned is at the share level. Whenever a resource is shared to make it usable by users on other computers—such as what would normally be done on a file server, for example—the same types of permissions can be assigned to the share.
The combination of share vs file permissions and of explicit vs inherited permissions is what we usually refer to as effective permissions. They are the actual rights that a user has to a file or folder. Which element has precedence when determining the effective permissions is a rather complex and error-prone subject. This is, by the way, one of the reasons why NTFS permission reporting software was created.
The Best Permission Reporter Software
Now that we’re all on the same page about NTFS permission, the time has finally come to review the different tools we could find. As you’re about to see, we have a broad range of tools from small tools that will only display effective permissions for one user at a time to full access rights management software. The best tool for you largely depends on your specific needs
SolarWinds is one of the best-known makers of network and system administration tools. Its flagship product called the Network Performance Monitor consistently scores among the top network bandwidth monitoring systems. Like it’s not enough, the company is also famous for its free software. They are smaller tools, each addressing a specific need of network administrators. Two great examples of these tools are the Advanced Subnet Calculator and the Kiwi Syslog Server.
Another great free tool from SolarWinds, especially in the context of this post is the SolarWinds Permission Analyzer. Although this is a very basic free tool, it can give you instant visibility into user and group permissions. You can use this tool to uncover users and groups permissions to Active Directory objects, network shares, folders, and files.
- FREE DOWNLOAD: SolarWinds Permission Analyzer
- OFFICIAL SITE: https://www.solarwinds.com/free-tools/permissions-analyzer-for-active-directory/registration
Among the tool’s key features, it can quickly identify how a user’s permissions are inherited, it will let you browse permissions by group or by individual user, and it will let you analyze user permissions based on group membership and permissions. The most important drawback of this tool is that one cannot export information from it. If all you need is detailed information about user permissions, it can be rather useful.
If you need more than the bare minimum offered by the Permissions Analyzer, SolarWinds has another product you might be interested in. It is called the SolarWinds Access Rights Manager. This tool is much more than a permission reporting tool, though. It is primarily aimed at making user provisioning and unprovisioning, tracking, and monitoring easy. It offers a powerful and easy way of managing and monitoring user permission to ensure that no unnecessary permissions are granted.
One of the greatest strength of the SolarWinds Access Rights Manager is its intuitive user management dashboard that you can use to create, modify, delete, activate and deactivate user accesses to different files and folders. It features role-specific templates that can easily give users access to specific resources on your network.
- FREE TRIAL: SolarWinds Access Rights Manager
- Download Link: https://www.solarwinds.com/access-rights-manager/registration
Even more interesting for us today are the SolarWinds Access Rights Manager’s reporting features. The software can create reports that can be used as evidence in case of future disputes or eventual litigation. Detailed reports for auditing purposes and for compliance with specifications set by regulatory standards that apply to your business are also available. Reports can be quickly and easily created with just a few clicks. They can include any information you may find useful. For example, log activities in Active Directory and file server accesses could be included in a report. It is up to the user to make them as summarized or as detailed as they need.
Attacks and/or data leaks often happen when folders and/or their contents are accessed by users who are not—or should not be—authorized to access them, a common situation when users are granted wide-reaching access to folders or files. The SolarWinds Access Rights Manager can help you prevent these types of leaks and unauthorized changes to confidential data and files. It offers administrators a visual representation of permissions for multiple files servers. It easily and visually lets one see who has what permission on what file.
The SolarWinds Access Rights Manager is licensed based on the number of activated users within Active Directory. An activated user is either an active user account or a service account. Prices for the product start at $2 995 for up to 100 active users. For more users (up to 10 000), detailed pricing can be obtained by contacting SolarWinds sales. If you want to give the tool a test run before purchasing it, a free, unlimited 30-day trial version can be obtained.
3- CJWDEV’s NTFS Permissions Reporter
The NTFS Permissions Reporter from CJWDEV—which is often simply referred to as CJWDEV—is a powerful tool for viewing NTFS permissions throughout the entire directory tree. It is a modern user-friendly tool for reporting on file and directory permissions of your Windows servers. It lets you quickly see which users and groups have access to which files directories.
Some of the tool’s most notable features include its highly customizable filtering system which makes it easy to search for the user or group you want. You can, for instance, filter results based on a wide range of attributes such as account name, account type, domain, nature of permission, inherited permissions, and account status, just to name a few. The results can be displayed either in a tree or a table-based format. Different permissions are highlighted in different colours, letting you easily identify the information you need. You’ll be able to easily identify rogue permissions that are violating your standards and policies.
The NTFS Permissions Reporter is available in two editions: Free and Standard. The Free edition feature-reduced and is meant to be used as an introduction to the Standard edition. It still has quite a few features including:
- Intelligent caching
- The option to view group members directly in its reports
- Integration with the Windows file explorer which provides the ability to right-click a file or directory and get a permissions report
- Accurate and reliable information
- Results which can easily be exported to HTML
The Standard edition builds upon the features of the free edition and adds quite a few more such as:
- Many more export formats such as CSV, HTML, NTPR and XLSX.
- The flexibility to compare two reports to highlight the differences in permission
- Automatic emailing of reports
- The ability to create filters which help find what you want; there is also an option in the filters to exclude certain permissions
- Full command line support making it easy to schedule reports at your convenience
- Automatic loading of your favourite settings at application launch
- Free upgrades throughout the entire lifetime of the product.
The pricing structure for the NTFS Permissions Reporter is pretty straightforward. While the Free edition is, well, free, the Standard edition will set you back $149 for a single user license, $359 for a site license, or $579 for an enterprise license. The enterprise license can be used at multiple locations within a single organization. A consultant license is also available. It allows the software to be used at up to three client’s locations at a time for $199. There’s also a $620 unlimited consultant license which can be used with an unlimited number of clients.
4- Netwrix Effective Permissions Reporting Tool
The Netwrix Effective Permissions Reporting is a freeware tool from Netwrix that delivers actionable insight into who has permissions to what in Active Directory and file shares. It can help you ensure that employees’ permissions align with their roles in the organization. The tool’s reports enable you to see users’ AD group membership and file share permissions in a single report, along with whether those file share permissions were assigned explicitly or inherited.
The Effective Permissions Reporting Tool provides actionable information that you can use to rescind unneeded access rights, thereby ensuring users have only the permissions they need to get their jobs done. It can help reduce security risks by making sure your valuable data can be accessed only by eligible personnel. It is a simple to use tool which enables you to quickly track down any user’s permissions across Active Directory and file servers and to get ready-to-use reports in just a few clicks.
This tool can also help you ensure compliance by assisting you with the collection of proof that all permissions are aligned with job descriptions and employee roles in the organization. This is often mandated by regulatory frameworks such as SOX or PCI-DSS, for instance.
There’s only one drawback to the Netwrix Effective Permissions Reporting Tool. It won’t give you the effective permissions on a specific file or directory. It will only show the effective permissions held by a specific user or group.
5- ManageEngine ADManager Plus
ManageEngine is another well-known name among network and system administrators. Its ADManager Plus toolset includes an NTFS permissions reporter that lets you manage permissions on the fly right from the ADManager Plus’ reporting utility.
ADManager Plus generates and also exports reports on access permissions of all NTFS folders as well as files and their properties for Windows file servers in an easily understandable format. This can help administrators quickly view and analyze file-level security settings in their environments. The generated reports can be exported to excel, CSV, HTML, PDF, and CSVDE formats for further processing by external tools.
Some of the reports generated by this tool include the Shares in Servers report which displays all the Shares available in the specified servers, along with important details such as their location, the list of accounts with permissions on the shares as well as their associated permissions, and the scope of the permissions. The Folders accessible by accounts report lists the folders and files over which the specified accounts have permissions. You can check for folders in a specified path and further define the level of access to generate the results. These are just a few of the available reports to give you an idea of what the tool can do for you.
The ManageEngine ADManager Plus is available in a Free Edition and a Professional Edition. The Free Edition allows you to manage and report on up to 100 objects in a single Domain. The Professional Edition is installed for free and can be evaluated for 30 days, after which it automatically reverts to the Free Edition’s limitations unless a Professional Edition license is purchased. For details on the various editions available and their prices, you should contact ManageEngine.
6- Permissions Reporter
Permissions Reporter is a highly specialized and very professional-looking tool which offers fast and easy file system permissions auditing for Windows. It is a visual, interactive software tool that can help you manage file system permissions. Its vendor claims it is “the ultimate network-enabled NTFS permissions reporter for Windows”. It lets you validate the security status of entire file systems quickly and efficiently with multiple export formats, command-line support, built-in scheduling, advanced filtering, and much more.
The tool features robust, built-in report scheduling with email delivery support. It also has Directory permissions analysis with tree and table views as well as a file owner report with hierarchical tree map visualization. And if you prefer a report on network share permissions, they are also available for servers or entire domains. Its fast performance and impressive scalability allow you to quickly analyze entire file systems with confidence and efficiency. Furthermore, the tool also boasts a command-line interface to it can easily be integrated into custom scripts
Permissions Reporter is available in a free basic edition which is entirely free with no ads, malware, or spyware). To gain access to all of the tool’s advanced features, a professional edition can be purchased. It unlocks features such as report scheduling, advanced filtering, and more. The single-user pro license is only $69.00, even less when purchased in 5-packs or 10-packs. There are also site-wide, country-wide, and enterprise-wide versions available.