G-TAC Software developed FolderSecurityViewer, a lightweight Windows desktop application that makes analyzing and reporting on NTFS file and folder permissions a snap. The product is available as a free trial.

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Here's the situation: your organization needs to certify with an international security compliance standard, and you're frustrated with the Windows Server built-in tools for analyzing NTFS effective permissions and determining resource ownership.

For example, the Effective Access tab in Windows Server requires quite a bit of navigation even to get to:

  • right-click a folder and select Properties
  • navigate to the Security tab and click Advanced
  • navigate to the Effective Access tab and select a user
  • select a device and click View effective access
Viewing effective access in Windows Server 2016

Whew--that's a lot of work. Windows doesn't let you easily print those results, and you're in for a lot of clicking if you need to review dozens of folders.

To that end, the Germany-based independent software vendor (ISV) G-TAC Software saw this situation as an opportunity to develop an easy-to-use front end for inspecting and reporting on NTFS permissions. Their product is FolderSecurityViewer, and I'd like to show it to you now.

Installation and configuration

G-TAC offers a 14-day trial version that, sadly, is feature-limited. It took me all of 20 seconds to install FolderSecurityViewer on one of my Windows Server virtual machines. Supported Windows versions are Windows 7 through Windows 10, and Windows Server 2008 through Windows Server 2012. The software worked fine for me on Windows Server 2016.

Here are the other installation requirements:

  • You must run the software as an administrator.
  • File servers you wish to analyze must be members of an Active Directory Domain Services (AD DS) domain.

Specifically, FolderSecurityViewer is a Windows Presentation Foundation (WPF) desktop application that requires no external database connection. (G-TAC plans to add this functionality to the Company and Enterprise Editions later this year.) Note that you don't have to install the tool on all your file servers. You simply install FolderSecurityViewer on your administrative workstation and you can then analyze the shares of an unlimited number of servers.

That said, open the tool and click Settings to review customizable options. For example, the following screenshot shows that we can limit FolderSecurityViewer to a particular scan depth to enhance performance. You can also customize which Active Directory user properties to display in output.

FolderSecurityViewer settings dialog

Analyzing folder permissions

Use the Folders tree to find a folder you want to analyze. Next, right-click the object and select Trustees Report from the shortcut menu. I show you this in the next figure.

Viewing folder trustees

In FolderSecurityViewer nomenclature, trustees are Active Directory user accounts that appear on an object's NTFS discretionary access control list (DACL). In the example above, my Tim account has Full Control access to the AD-Scripts folder, and the user Pat Stroh has Read access.

If you want to see the folder's ACL from Windows' perspective, click Access Control List in the FolderSecurityViewer interface. The following figure shows all access control entries (ACEs), including AD groups and system identities.

Viewing the Windows DACL

NOTE: G-TAC chose the name FolderSecurityViewer intentionally: you cannot modify NTFS permissions with it in any way. It is purely an analysis and reporting tool.

Now navigate to the Folder Report tab. This lists metadata statistics, including owner, file count, and size for the current folder as well as for nested subfolders. Here is that view:

FolderSecurityViewer folder report

In summary, you can use FolderSecurityViewer to scan folder hierarchies quickly to answer security-related questions such as:

  • Do any users have access to these resources they shouldn't have access to in the first place?
  • Which users have too many or too few permissions to a given resource?
  • Where are there permission-inheritance conflicts that may prevent legitimate users from accessing resources?

Analyze resource owners

In FolderSecurityViewer, select a folder in the Folders view. Next, change the view to Users & Groups. Browse your Active Directory domain in the tree view and identify a user to inspect. Last, right-click the user and select Show Owner Report from the shortcut menu.

Viewing the owner report

Being able to identify resource owners easily is valuable to Windows systems administrators because we can isolate the source of resource access problems. We can also find all the resources owned by, say, users the company no longer employs. You then have the information you need to take ownership of the resources and potentially reset NTFS permissions.
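For comparison, the same ownership question can be answered with the built-in Get-Acl cmdlet. The following is an added example, not FolderSecurityViewer code; the function name, its parameters and the D:\Shares path are assumptions for illustration. It reads each owner as a SID, so folders owned by accounts that no longer exist are still reported and flagged.

```powershell
# Added example, not FolderSecurityViewer code. Function name, parameters and
# the D:\Shares path are hypothetical. Requires PowerShell 5 or later (-Depth).
function Get-FolderOwnerReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$Depth = 3
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # Include the root itself, then its subfolders down to $Depth levels.
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of $($folder.FullName): $($_.Exception.Message)"
            continue
        }
        # Read the owner as a SID; name translation fails for deleted accounts.
        $sid = $acl.GetOwner($sidType)
        try {
            $name     = $sid.Translate($ntType).Value
            $resolved = $true
        } catch {
            $name     = $null
            $resolved = $false
        }
        [pscustomobject]@{
            Folder   = $folder.FullName
            OwnerSid = $sid.Value
            Owner    = $name
            Resolved = $resolved
        }
    }
}

# Folders whose owner SID no longer maps to an account, exported for review:
# Get-FolderOwnerReport -Root 'D:\Shares' | Where-Object { -not $_.Resolved } |
#     Export-Csv -Path .\orphaned-owners.csv -NoTypeInformation
```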

Compare folders

You can find permissions differences between a higher-level folder and a subfolder. With deeply nested folder hierarchies, this can save significant time. In FolderSecurityViewer, generate a trustee report for a parent folder.

The Differences button shows how many differences exist in subfolders. Double-click an entry in the Differences window to see the trustees of that child object. I show you this in the following screen capture.

Comparing folder permissions

In the above figure, the parent folder AD-Scripts has tim and pat as trustees. However, the nestedtemplates subfolder has only tim. Problem solved!
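A parent-versus-subfolder comparison can also be scripted with Get-Acl. This is an added example, not FolderSecurityViewer code; the function names, parameters and the D:\Shares path are assumptions. Unlike the product's trustee report, it compares the access control entries as stored on each folder and does not expand group membership into individual users.

```powershell
# Added example, not FolderSecurityViewer code. Function names, parameters and
# the D:\Shares path are hypothetical. Requires PowerShell 5 or later (-Depth).
function Get-AceString {
    param([Parameter(Mandatory)]$Acl)
    # One string per ACE (identity|Allow or Deny|rights), de-duplicated and sorted.
    $Acl.Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    } | Sort-Object -Unique
}

function Compare-SubfolderAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$Depth = 2
    )
    $parentAces = @(Get-AceString -Acl (Get-Acl -LiteralPath $Root -ErrorAction Stop))
    $children = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue
    foreach ($child in $children) {
        try {
            $acl = Get-Acl -LiteralPath $child.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of $($child.FullName): $($_.Exception.Message)"
            continue
        }
        $childAces = @(Get-AceString -Acl $acl)
        $missing = @($parentAces | Where-Object { $_ -notin $childAces })
        $extra   = @($childAces  | Where-Object { $_ -notin $parentAces })
        # Emit a row only for subfolders that differ from the parent.
        if ($missing.Count -or $extra.Count) {
            [pscustomobject]@{
                Folder              = $child.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
                MissingOnChild      = $missing -join '; '
                ExtraOnChild        = $extra -join '; '
            }
        }
    }
}

# Compare-SubfolderAcl -Root 'D:\Shares\AD-Scripts' | Format-List
```

Parent entries that apply to "this folder only" are not inherited, so they appear under MissingOnChild even when inheritance is enabled.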

Export reports

To generate a report in Excel, CSV, or HTML format, click the Export button shown in the following figure.

Exporting a report

You'll then be prompted to select a report output format and a subsequent action as shown here:

Choosing an export file format

The following screenshot displays a typical report as seen in Microsoft Excel.

Viewing a report in Excel

Wrap-up

G-TAC sells FolderSecurityViewer in three editions:

  • Standard: Installation on up to 2 computers, 500 AD user limit – 290 EUR
  • Company: Unlimited installations, 3,000 AD user limit – 1,490 EUR
  • Enterprise: Unlimited installations, unlimited AD users – 2,990 EUR

Check G-TAC's order page for more details. FolderSecurityViewer provides administrators with a dead-simple NTFS permissions analysis and reporting tool. The learning curve is short, and the impact is potentially high enough to warrant the license cost.
