FolderSecurityViewer: Analyze and report on effective NTFS permissions

We looked at FolderSecurityViewer early last year, and that article covered all the basics. In this review, I'll look at the new features available in the 1.13 version—you can download a trial here. If you don't read Tim's earlier piece, the two-sentence summary is that FolderSecurityViewer is an application that easily lets you analyze and report on effective NTFS permissions on local and remote file shares. It traverses nested Active Directory (AD) groups to find all effective permissions and lets you save reports to a database.
Contents of this article

The problem FolderSecurityViewer addresses comprehensively is one any administrator is going to be familiar with. A complex nested group structure in AD built up over many years applies to multiple file shares on multiple file servers. Working out (and reporting on) exactly who's got access to what is exceedingly difficult and time-consuming. FolderSecurityViewer makes it easy, not just as a one-off thing, but it also tracks changes over time.

FolderSecurityViewer share report

FolderSecurityViewer share report

What's new ^

This improved version brings the following to the table:

  • Comparison of saved reports
  • AD Browser to walk through the organizational unit (OU) structure, select an AD group, and see its members (recursive browsing of a group is possible)
  • Feature tour: guides a new user through all features
  • Share report enumerating all servers, shares of a network, and OUs
  • Introduces a command-line interface (CLI) usable with scheduled tasks; writes to any target (CSV, HTML, XLS, or DB, if configured)
  • User permissions report

Let's take a look at each of these. The ability to compare reports of similar folders or the same shared folder from two different points in time is powerful. It shows you what's the same in both sets of effective permissions and any added, removed, or modified entries.

The explorer view of your AD OU structure is very useful and allows you to drill down to find specific groups in OUs and then find any nested groups inside those groups.

FolderSecurityViewer AD Browser

FolderSecurityViewer AD Browser

I found the feature tour very useful—pick a tour, and small pointers appear on top of the UI explaining step by step how to use each part of FolderSecurityViewer. It got me up to speed on the UI and capabilities very quickly.

FolderSecurityViewer feature tour in action

FolderSecurityViewer feature tour in action

The share report lets you scan your network for servers and their shares, add servers manually by name, or pick them from AD. After adding them, you see all the servers and their shares, making it easy to pick the shares you need to investigate or report on.

The addition of a command-line version makes FolderSecurityViewer much more versatile. You can schedule this to run on a regular basis to create folders, permissions, or owner reports as Excel, HTML or CSV reports (just like the GUI version does). You can also store the reports in the database (the built-in one or an external SQL 2008+ server). I can imagine scheduling scans of all file servers once a week and then using the new compare share report to identify changes to permissions.

FolderSecurityViewer command line tool

FolderSecurityViewer command line tool

One tricky situation is where a user account has different permissions in a lower folder in the hierarchy of folders than in the root. The improved user permissions report breaks this out nicely and analyzes the entire hierarchy. This allows you to see whether rights have been directly assigned to the user or inherited from a group.

The new user permissions report

The new user permissions report

Other interesting features include the ability to exclude groups from reports and being able to translate or give a custom name to items such as access control types and file system rights.

Conclusion ^

I found FolderSecurityViewer very easy to use and powerful for the specific tasks it addresses. If you've got the General Data Protection Regulation (GDPR) or any other regulation requiring you to show who's got access to what, FolderSecurityViewer is the solution I would recommend. It's available in a free tier, a Company version that scales to 3,000 objects in AD, and an Enterprise version that has no scale limitations.

Want to write for 4sysops? We are looking for new authors.

Read 4sysops without ads by becoming a member!


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2020


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account