6 Best NTFS Permissions Management Tools + Best Practices

Network security is a top priority for administrators, with a key component being the management of user access to data. This involves ensuring that users can access all the data they require while preventing access to data they shouldn’t see. From a data perspective, it’s crucial that data is only accessible to those users who need it. However, the complexity arises with the access rights inheritance built into NTFS (New Technology File System), a Microsoft file system used in Windows NT, and the interaction between file system rights and share rights. This can make it challenging to have a clear understanding of who exactly can access a specific file. This is where NTFS permissions systems come into play. Tools like SolarWinds Permission Analyzer For Active Directory and SolarWinds ARM (Access Rights Manager) can help provide a clear picture of access rights. These tools are particularly useful when dealing with NTFS, which is more complex than the older FAT (File Allocation Table) systems due to their use of ACLs (Access Control Lists). Today, we’ll be reviewing the best NTFS permissions management tools available.

Our discussion will start with a short introduction to NTFS permissions management, the NTFS permissions best practices, and then we’ll move on to explain inherited permissions and elaborate on the differences between file permissions, share permissions, and their consequence: effective permissions. It is important to understand how these different concepts interact and make make any administrator’s life much easier. This will finally bring us to the core of our post: reviewing some of the best NTFS permission tools and introducing their main features and characteristics.

NTFS Permissions In A Nutshell

The New Technology File System (NTFS), is a proprietary file system developed by Microsoft for the Windows NT operating system. It superseded the FAT file system used by previous Microsoft operating systems. Its main goals were to address the eight-character file name limit and to include some built-in security. Therefore, one of the primary features of NTFS is its elaborate security system based on access control lists (ACLs).

Permissions refer to what a given user is allowed to do with a specific file or directory. There are several basic NTFS permissions systems, such as read, write, modify, execute, and list folder content. Full control is another basic permission that grants a user the right to do anything with a file. In addition to those, there are also advanced permissions such as read attributes, read permissions, change permissions, or take ownership, just to name a few.

Access Controls Lists (ACLs) are used to assign permission to objects in the NTFS file system, with each object having an ACL that defines what permission any user or group of users has on it.

RELATED READING: 4 Best Varonis Alternatives For Permission Analysis

Inherited permissions

Under the NTFS, permissions can either be explicitly assigned, or they can be inherited. By default, when an NTFS object—such as a file or a folder—is created, it inherits the exact same permissions as its parent. For instance, a user who has read access to a folder will have read access to its content unless explicitly specified otherwise.

Explicit permissions are either set by default when the object is created, or they are set by user action. An example of a default explicit permission is that the user who created a file has full control over it. As for inherited permissions, they are given to an object because it is a child of a parent object. They don’t have to be specified. Permissions are usually best managed for containers of objects. Objects within the container inherit all the access permissions in that container. This approach tends to be much simpler than assigning or modifying permissions on a multitude of objects.

Of course, inherited permissions can be overridden. For example, you can remove the write permission to a specific file for a user or group with write permission to the folder containing that file. In fact, you’re free to grant or remove permissions to files as you see fit. Just remember that to modify the permissions to a file, its ACL must grant you that right. Typically, the owner of a file can modify its rights and so can a user who is a member of the Domain Administrators group.

INTERESTING READ: 10 Best Intrusion Detection Tools

About File, Share, And Effective Permissions

There are two places where permissions are granted. First, there are file permissions. Those are the permissions we’ve been discussing so far. They are the permissions assigned to each and every object in an NTFS file system.

Another place where permissions are assigned is at the share level. Whenever a resource is shared to make it usable by remote users on the network—such as what would normally be done on a file server, for example—the same types of permissions can be assigned to the share.

The combination of share vs. file permissions and explicit vs. inherited permissions is what we usually refer to as effective permissions. They are the actual rights that a user has to a file or folder. Which element has precedence when determining the effective permissions is a rather complex and error-prone subject. This is, as a matter of fact, one of the many reasons why NTFS permissions management tools were created in the first place.

The Best NTFS Permission Reporting Tools

Now that we’re all on the same page about NTFS permissions tools, the time has finally come to review the different tools we could find. As you’re about to see, we have a broad range of tools, from small tools that will only display effective permissions for one user at a time to full-feature access rights management software. The best tool for you largely depends on what your actual needs are.

1. SolarWinds Permission Analyzer For Active Directory (100% FREE)

SolarWinds is one of the best-known makers of network and system administration tools. Its flagship product called the Network Performance Monitor consistently scores among the top network bandwidth monitoring systems. Like it’s not enough, the company is also famous for its free software. They are smaller tools, each addressing a specific need of network administrators. Two great examples of these tools are the Advanced Subnet Calculator and the Kiwi Syslog Server.

Another great free tool from SolarWinds, especially in the context of this post is the SolarWinds Permission Analyzer For Active Directory. Although this is a very basic free tool, it can give you instant visibility into user and group permissions. You can use this tool to uncover permissions to Active Directory objects, network shares, and NTFS folders and files.

Among the tool’s key features, it can quickly identify how a user’s permissions are inherited, it will let you browse permissions by group or by individual user, and it will let you analyze user permissions based on group membership and permissions. The most important drawback of this tool is that one cannot export information from it. If all you need is detailed information about user permissions, it can be rather useful.

2. SolarWinds Access Rights Manager (FREE TRIAL)

If you need more than the bare minimum offered by the Permissions Analyzer, SolarWinds has another product you might be interested in. It is called the SolarWinds ARM (Access Rights Manager). This tool is much more than a permission reporting tool, though. It is primarily aimed at making user provisioning and de-provisioning,, tracking, and monitoring easy. It offers a powerful and easy way of managing and monitoring user permission to ensure that no unnecessary permissions are granted.

One of the greatest strengths of the SolarWinds ARM (Access Rights Manager) is its intuitive user management dashboard that you can use to create, modify, delete, activate, and deactivate user accesses to different files and folders. It features role-specific templates that can easily give users access to specific resources on your network.

Even more interesting for us today are the SolarWinds ARM (Access Rights Manager) reporting features. The software can create reports that can be used as evidence in case of future disputes or eventual litigation. Detailed reports for auditing purposes and for compliance with specifications set by regulatory standards that apply to your business are also available. Reports can be quickly and easily created with just a few clicks. They can include any information you may find useful. For example, log activities in Active Directory and file server accesses could be included in a report. It is up to the user to make them as summarized or as detailed as they need.

Attacks and/or data leaks often happen when folders and/or their contents are accessed by users who are not—or should not be—authorized to access them, a common situation when users are granted wide-reaching access to folders or files. The SolarWinds ARM (Access Rights Manager) can help you prevent these types of leaks and unauthorized changes to confidential data and files. It offers administrators a visual representation of permissions for multiple file servers. It easily and visually lets one see who has what permission on what file.

The SolarWinds ARM (Access Rights Manager) is licensed based on the number of activated users within the Active Directory. An activated user is either an active user account or a service account. Prices for the product start at $2003 for up to 100 active users. For more users (up to 10,000), detailed pricing can be obtained by contacting SolarWinds sales. If you want to give the tool a test run before purchasing it, a free, unlimited 30-day trial version can be obtained.

3. ManageEngine ADManager Plus

ManageEngine is another well-known name among network and system administrators. Its ADManager Plus toolset includes an NTFS permissions management that lets you control permissions on the fly right from the ADManager Plus’ reporting utility.

ADManager Plus generates and also exports reports on access permissions of all NTFS folders as well as files and their properties for Windows file servers in an easily understandable format. This can help administrators quickly view and analyze file-level security settings in their environments. The generated reports can be exported to Excel, CSV, HTML, PDF, and CSVDE formats for further processing by external tools.

Some of the reports generated by this NTFS permissions management tool include the Shares in Servers report, which displays all the Shares available in the specified servers, along with important details such as their location, the list of accounts with permissions on the shares as well as their associated permissions, and the scope of the permissions. The Folders accessible to the accounts report list the folders and files over which the specified accounts have permissions. You can check for folders in a specified path and further define the level of access to generate the results. These are just a few of the available reports to give you an idea of what the tool can do for you.

The ManageEngine ADManager Plus is available in a Free Edition and a Professional Edition. The Free Edition allows you to manage and report on up to 100 objects in a single Domain. The Professional Edition is installed for free and can be evaluated for 30 days, after which it automatically reverts to the Free Edition’s limitations unless a Professional Edition license is purchased. For details on the various editions available and their prices, you should contact ManageEngine.

4. CJWDEV’s NTFS Permissions Reporter

The NTFS Permissions Reporter from CJWDEV (often simply referred to as CJWDEV) is a powerful tool for viewing NTFS permissions systems throughout your entire directory tree. Modern and user-friendly, this tool can be used for reporting on file and directory permissions of your Windows servers. It will let you quickly see which users and groups have access to which files directories.

Some of this NTFS permissions management tool’s most notable features include its highly customizable filtering system, which makes it easy to search for the user or group you want. You can, for instance, filter results based on a highlighted in differentwide range of attributes such as account name, account type, domain, nature of permission, inherited permissions, and account status, just to name a few. The results can be displayed either in a tree or a table-based format. Different permissions are highlighted in different colors, letting you easily identify the information you need. You’ll be able to easily identify rogue permissions that are violating your standards and policies.

The NTFS Permissions Reporter is available in two editions: Free and Standard. The Free edition is feature-reduced and is meant to be used as an introduction to the Standard edition. It still has quite a few features, including:

• Intelligent caching
• The option to view group members directly in its reports
• Integration with the Windows file explorer, which provides the ability to right-click a file or directory and get a permissions report
• Accurate and reliable information
• Results that can easily be exported to HTML

The Standard edition builds upon the features of the free edition and adds quite a few more, such as:

• Many more export formats, such as CSV, HTML, NTPR, and XLSX.
• The flexibility to compare two reports to highlight the differences in permission
• Automatic emailing of reports
• The ability to create filters that help find what you want; there is also an option in the filters to exclude certain permissions
• Full command line support makes it easy to schedule reports at your convenience
• Automatic loading of your favorite settings at application launch
• Free upgrades throughout the entire lifetime of the product.

The pricing structure for the NTFS Permissions Reporter is pretty straightforward. While the Free edition is, well, free, the Standard edition will set you back $149 for a single-user license, $359 for a site license, or $579 for an enterprise license. The enterprise license can be used at multiple locations within a single organization. A consultant license is also available. It allows the software to be used at up to three client locations at a time for $199. There’s also a $620 unlimited consultant license ,which can be used with an unlimited number of clients.

5. Permissions Reporter

The Permissions Reporter is a highly specialized and very professional-looking tool that offers fast and easy NTFS permissions management and auditing for Windows. It is a visual, interactive software tool that can help you manage file system permissions. Its vendor claims it is “the ultimate network-enabled NTFS permissions reporter for Windows.” It lets you validate the security status of entire file systems quickly and efficiently with multiple export formats, command-line support, built-in scheduling, advanced filtering, and much more.

The tool features robust, built-in report scheduling with email delivery support. It also has Directory permissions analysis with tree and table views, as well as a file owner report with a hierarchical treemap visualization. And if you prefer a report on network share permissions, they are also available for servers or entire domains. Its fast performance and impressive scalability allow you to quickly analyze entire file systems with confidence and efficiency. Furthermore, the tool also boasts a command-line interface so it can easily be integrated into custom scripts

The Permissions Reporter is available in a free basic edition, which is entirely free with no ads, malware, or spyware). To gain access to all of the tool’s advanced features, a professional edition can be purchased. It unlocks features such as report scheduling, advanced filtering, and more. The single-user pro license is only $69.00, even less when purchased in 5-packs or 10-packs. There are also site-wide, country-wide, and enterprise-wide versions available.

6. Netwrix Effective Permissions Reporting Tool

The Netwrix Effective Permissions Reporting Tool is a freeware tool from Netwrix that delivers actionable insight into who has permissions to what in Active Directory and file shares. It can help you ensure that employees’ permissions align with their roles in the organization. The tool’s reports enable you to see users’ AD group membership and file share permissions in a single report, along with whether those file share permissions were assigned explicitly or inherited.

The Effective Permissions Reporting Tool provides actionable information that you can use to rescind unneeded access rights, thereby ensuring users have only the permissions they need to get their jobs done. It can help reduce security risks by making sure your valuable data can be accessed only by eligible personnel. It is a simple-to-use NTFS permissions management tool that enables you to quickly track down any user’s permissions across Active Directory and file servers and to get ready-to-use reports in just a few clicks.

Such NTFS permissions tools can also help you ensure compliance by assisting you with the collection of proof that all permissions are aligned with job descriptions and employee roles in the organization. This is often mandated by regulatory frameworks such as SOX or PCI-DSS, for instance.

There’s only one drawback to the Netwrix Effective Permissions Reporting Tool. It won’t give you the effective permissions on a specific file or directory. It will only show the effective permissions held by a specific user or group.

This is one of the main reasons to consider SolarWinds Permission Analyzer for Active Directory and SolarWinds Access Rights Manager.