
6 Best NTFS Permissions Management Tools + Best Practices

Security is one of the highest priorities of network administrators, and one of the components of security is ensuring that users have access to all the data they need and no access to what they shouldn’t see. As seen from a data standpoint, data should only be accessible by those users who need to access it. But with the access rights inheritance that is built into NTFS and the interaction between file system rights and share rights, it can get complicated to have a clear picture of exactly who can access a given file. This is precisely what permission reporting tools can help you with and today, we’ll be reviewing the best NTFS permission reporting tools.

Best NTFS Permission Reporting Tools

Our discussion will start with a short introduction to NTFS permissions. We’ll then move on to explain inherited permissions and elaborate on the differences between file permissions, share permissions, and their consequence: effective permissions. It is important to understand how these different concepts interact and it will make any administrator’s life much easier. This will finally bring us to the core of our post: reviewing some of the best NTFS permission reporting tools and introducing their main features and characteristics.

NTFS Permissions In A Nutshell

The New Technology File System, or NTFS, is a proprietary file system developed by Microsoft for the Windows NT operating system. It superseded the FAT file system used by previous Microsoft operating systems. Its main goals were to address the eight-character file name limit and to include some built-in security. Therefore, one of the primary features of NTFS is its elaborate security system based on access control lists (ACLs).

Permissions refer to what a given user is allowed to do with a specific file or directory. There are several basic permissions such as read, write, modify, execute, and list folder content. Full control is another basic permission that grants a user the right to do anything with a file. In addition to those, there are also advanced permissions such as read attributes, read permissions, change permissions, or take ownership, just to name a few.

Access Control Lists (ACLs) are used to assign permissions to objects in the NTFS file system. Each object has an ACL which defines what permissions any user or group of users has on it.


Inherited permissions

Under NTFS, permissions can either be explicitly assigned or they can be inherited. By default, when an NTFS object—such as a file or a folder—is created, it inherits the exact same permissions as its parent. For instance, a user who has read access to a folder will have read access to its content, unless explicitly specified otherwise.

Explicit permissions are either set by default when the object is created or they are set by user action. An example of a default explicit permission is that the user who created a file has full control over it. As for inherited permissions, they are given to an object because it is a child of a parent object. They don’t have to be specified. Permissions are usually best managed for containers of objects. Objects within the container inherit all the access permissions in that container. This approach tends to be much simpler than assigning or modifying permissions on a multitude of objects.

Of course, inherited permissions can be overridden. For example, you can remove the write permission to a specific file for a user or group with write permission to the folder containing that file. In fact, you’re free to grant or remove permissions to files as you see fit. Just remember that to modify the permissions to a file, its ACL must grant you that right. Typically, the owner of a file can modify its rights and so can a user who is a member of the Domain Administrators group.


About File, Share, And Effective Permissions

There are two places where permissions are granted. First, there are file permissions. Those are the permissions we’ve been discussing so far. They are the permissions assigned to each and every object in an NTFS file system.

Another place where permissions are assigned is at the share level. Whenever a resource is shared to make it usable by remote users on the network—such as what would normally be done on a file server, for example—the same types of permissions can be assigned to the share.

The combination of share vs file permissions and of explicit vs inherited permissions is what we usually refer to as effective permissions. They are the actual rights that a user has to a file or folder. Which element has precedence when determining the effective permissions is a rather complex and error-prone subject. This is, as a matter of fact, one of the many reasons why NTFS permission reporting tools were created in the first place.
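To see the two layers described above side by side, the following PowerShell function (an added example, not part of the original article or of any reviewed tool) lists every explicit, non-inherited NTFS ACE under a folder and, optionally, the share-level ACL of the SMB share that exposes it. The function name `Get-ExplicitAceReport`, the path `D:\Shares\Finance` and the share name `Finance` are assumptions chosen for illustration.

```powershell
# Added example: report explicit NTFS ACEs and share-level permissions.
# The function name, folder path and share name are hypothetical.
function Get-ExplicitAceReport {
    param(
        [Parameter(Mandatory)] [string] $Root,   # folder to audit
        [string] $ShareName                      # optional SMB share exposing $Root
    )

    # Audit the root folder plus every sub-folder beneath it.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }              # unreadable ACL: skip this folder

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # keep only explicitly assigned ACEs
            [pscustomobject]@{
                Layer               = 'NTFS'
                Path                = $folder.FullName
                Identity            = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType      # Allow or Deny
                Rights              = $ace.FileSystemRights
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
    }

    # Share permissions are a separate ACL that applies only to network access.
    if ($ShareName) {
        foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
            [pscustomobject]@{
                Layer               = 'Share'
                Path                = "\\$env:COMPUTERNAME\$ShareName"
                Identity            = $entry.AccountName
                Type                = $entry.AccessControlType
                Rights              = $entry.AccessRight
                InheritanceDisabled = $null
            }
        }
    }
}

# Example run against the assumed folder and share; writes a CSV for review.
Get-ExplicitAceReport -Root 'D:\Shares\Finance' -ShareName 'Finance' |
    Export-Csv -Path .\explicit-aces.csv -NoTypeInformation
```

Rows with `Type` set to `Deny` or `InheritanceDisabled` set to `True` mark the places where a folder departs from what its parent grants, which is where effective permissions are hardest to predict by eye.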

The Best NTFS Permission Reporting Tools

Now that we’re all on the same page about NTFS permissions, the time has finally come to review the different tools we could find. As you’re about to see, we have a broad range of tools, from small tools that will only display effective permissions for one user at a time to full-featured access rights management software. The best tool for you largely depends on what your actual needs are.

1. SolarWinds Permission Analyzer For Active Directory (FREE DOWNLOAD)

SolarWinds is one of the best-known makers of network and system administration tools. Its flagship product, the Network Performance Monitor, consistently scores among the top network bandwidth monitoring systems. As if that were not enough, the company is also famous for its free software. These are smaller tools, each addressing a specific need of network administrators. Two great examples of these tools are the Advanced Subnet Calculator and the Kiwi Syslog Server.

Another great free tool from SolarWinds, especially in the context of this post, is the SolarWinds Permission Analyzer For Active Directory. Although this is a very basic free tool, it can give you instant visibility into user and group permissions. You can use this tool to uncover user and group permissions to Active Directory objects, network shares, and NTFS folders and files.

SolarWinds Permissions Analyzer Screenshot

Among the tool’s key features, it can quickly identify how a user’s permissions are inherited, it will let you browse permissions by group or by individual user, and it will let you analyze user permissions based on group membership and permissions. The most important drawback of this tool is that one cannot export information from it. If all you need is detailed information about user permissions, it can be rather useful.

2. SolarWinds Access Rights Manager (FREE TRIAL)

If you need more than the bare minimum offered by the Permissions Analyzer, SolarWinds has another product you might be interested in. It is called the SolarWinds Access Rights Manager. This tool is much more than a permission reporting tool, though. It is primarily aimed at making user provisioning and unprovisioning, tracking, and monitoring easy. It offers a powerful and easy way of managing and monitoring user permission to ensure that no unnecessary permissions are granted.

One of the greatest strengths of the SolarWinds Access Rights Manager is its intuitive user management dashboard that you can use to create, modify, delete, activate and deactivate user accesses to different files and folders. It features role-specific templates that can easily give users access to specific resources on your network.

SolarWinds Access Rights Manager Screenshot

Even more interesting for us today are the SolarWinds Access Rights Manager’s reporting features. The software can create reports that can be used as evidence in case of future disputes or eventual litigation. Detailed reports for auditing purposes and for compliance with specifications set by regulatory standards that apply to your business are also available. Reports can be quickly and easily created with just a few clicks. They can include any information you may find useful. For example, log activities in Active Directory and file server accesses could be included in a report. It is up to the user to make them as summarized or as detailed as they need.

Attacks and/or data leaks often happen when folders and/or their contents are accessed by users who are not—or should not be—authorized to access them, a common situation when users are granted wide-reaching access to folders or files. The SolarWinds Access Rights Manager can help you prevent these types of leaks and unauthorized changes to confidential data and files. It offers administrators a visual representation of permissions for multiple file servers. It easily and visually lets one see who has what permission on what file.

The SolarWinds Access Rights Manager is licensed based on the number of activated users within Active Directory. An activated user is either an active user account or a service account. Prices for the product start at $2 995 for up to 100 active users. For more users (up to 10 000), detailed pricing can be obtained by contacting SolarWinds sales. If you want to give the tool a test run before purchasing it, a free, unlimited 30-day trial version can be obtained.


30-day FREE trial: https://www.solarwinds.com/access-rights-manager/registration

3. ManageEngine ADManager Plus

ManageEngine is another well-known name among network and system administrators. Its ADManager Plus toolset includes an NTFS permissions reporter that lets you manage permissions on the fly right from the ADManager Plus’ reporting utility.

ADManager Plus generates and also exports reports on access permissions of all NTFS folders as well as files and their properties for Windows file servers in an easily understandable format. This can help administrators quickly view and analyze file-level security settings in their environments. The generated reports can be exported to Excel, CSV, HTML, PDF, and CSVDE formats for further processing by external tools.

ManageEngine ADManager Plus Screenshot

Some of the reports generated by this tool include the Shares in Servers report which displays all the Shares available in the specified servers, along with important details such as their location, the list of accounts with permissions on the shares as well as their associated permissions, and the scope of the permissions. The Folders accessible by accounts report lists the folders and files over which the specified accounts have permissions. You can check for folders in a specified path and further define the level of access to generate the results. These are just a few of the available reports to give you an idea of what the tool can do for you.

The ManageEngine ADManager Plus is available in a Free Edition and a Professional Edition. The Free Edition allows you to manage and report on up to 100 objects in a single Domain. The Professional Edition is installed for free and can be evaluated for 30 days, after which it automatically reverts to the Free Edition’s limitations unless a Professional Edition license is purchased. For details on the various editions available and their prices, you should contact ManageEngine.

4. CJWDEV’s NTFS Permissions Reporter

The NTFS Permissions Reporter from CJWDEV (often simply referred to as CJWDEV) is a powerful tool for viewing NTFS permissions throughout your entire directory tree. Modern and user-friendly, this tool can be used for reporting on file and directory permissions of your Windows servers. It will let you quickly see which users and groups have access to which files and directories.

Some of the tool’s most notable features include its highly customizable filtering system which makes it easy to search for the user or group you want. You can, for instance, filter results based on a wide range of attributes such as account name, account type, domain, nature of permission, inherited permissions, and account status, just to name a few. The results can be displayed either in a tree or a table-based format. Different permissions are highlighted in different colours, letting you easily identify the information you need. You’ll be able to easily identify rogue permissions that are violating your standards and policies.

CJWDEV Permissions Reporter Screenshot

The NTFS Permissions Reporter is available in two editions: Free and Standard. The Free edition is feature-reduced and is meant to be used as an introduction to the Standard edition. It still has quite a few features including:

  • Intelligent caching
  • The option to view group members directly in its reports
  • Integration with the Windows file explorer which provides the ability to right-click a file or directory and get a permissions report
  • Accurate and reliable information
  • Results which can easily be exported to HTML

The Standard edition builds upon the features of the free edition and adds quite a few more such as:

  • Many more export formats such as CSV, HTML, NTPR and XLSX.
  • The flexibility to compare two reports to highlight the differences in permission
  • Automatic emailing of reports
  • The ability to create filters which help find what you want; there is also an option in the filters to exclude certain permissions
  • Full command line support making it easy to schedule reports at your convenience
  • Automatic loading of your favourite settings at application launch
  • Free upgrades throughout the entire lifetime of the product.

The pricing structure for the NTFS Permissions Reporter is pretty straightforward. While the Free edition is, well, free, the Standard edition will set you back $149 for a single user license, $359 for a site license, or $579 for an enterprise license. The enterprise license can be used at multiple locations within a single organization. A consultant license is also available. It allows the software to be used at up to three clients’ locations at a time for $199. There’s also a $620 unlimited consultant license which can be used with an unlimited number of clients.

5. Permissions Reporter

The Permissions Reporter is a highly specialized and very professional-looking tool which offers fast and easy file system permissions auditing for Windows. It is a visual, interactive software tool that can help you manage file system permissions. Its vendor claims it is “the ultimate network-enabled NTFS permissions reporter for Windows”. It lets you validate the security status of entire file systems quickly and efficiently with multiple export formats, command-line support, built-in scheduling, advanced filtering, and much more.

Permissions Reporter Main Window

The tool features robust, built-in report scheduling with email delivery support. It also has directory permissions analysis with tree and table views as well as a file owner report with a hierarchical tree map visualization. And if you prefer a report on network share permissions, these are also available for servers or entire domains. Its fast performance and impressive scalability allow you to quickly analyze entire file systems with confidence and efficiency. Furthermore, the tool also boasts a command-line interface so it can easily be integrated into custom scripts.

The Permissions Reporter is available in a free basic edition (entirely free, with no ads, malware, or spyware). To gain access to all of the tool’s advanced features, a professional edition can be purchased. It unlocks features such as report scheduling, advanced filtering, and more. The single-user pro license is only $69.00, even less when purchased in 5-packs or 10-packs. There are also site-wide, country-wide, and enterprise-wide versions available.

6. Netwrix Effective Permissions Reporting Tool

The Netwrix Effective Permissions Reporting Tool is a freeware tool from Netwrix that delivers actionable insight into who has permissions to what in Active Directory and file shares. It can help you ensure that employees’ permissions align with their roles in the organization. The tool’s reports enable you to see users’ AD group membership and file share permissions in a single report, along with whether those file share permissions were assigned explicitly or inherited.

Netwrix Folder Permissions Example

The Effective Permissions Reporting Tool provides actionable information that you can use to rescind unneeded access rights, thereby ensuring users have only the permissions they need to get their jobs done. It can help reduce security risks by making sure your valuable data can be accessed only by eligible personnel. It is a simple-to-use tool which enables you to quickly track down any user’s permissions across Active Directory and file servers and to get ready-to-use reports in just a few clicks.

This tool can also help you ensure compliance by assisting you with the collection of proof that all permissions are aligned with job descriptions and employee roles in the organization. This is often mandated by regulatory frameworks such as SOX or PCI-DSS, for instance.

There’s only one drawback to the Netwrix Effective Permissions Reporting Tool. It won’t give you the effective permissions on a specific file or directory. It will only show the effective permissions held by a specific user or group.
