- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
A few days ago, SolarWinds released Permissions Analyzer for Active Directory, a new free tool that allows you to determine the effective NTFS permissions and share permissions for a network share and for a particular user or user group.
When a user has problems accessing a network share, the first thing to check is whether he or she has the appropriate NTFS permissions. The common way is to navigate to the folder and check the security properties with Windows Explorer.
Assuming that you follow common practice and only assign NTFS permissions to groups and not to single users, you can't see the effective NTFS permission this way. Moreover, since groups can have other groups as members, it can get tricky in some scenarios to guess the effective permissions.
To view the effective NTFS permissions for a particular user or group, click "Advanced" in the Security properties and then click "Effective Permissions."
So what can SolarWinds Permissions Analyzer do what you can't do with Windows Explorer?
First of all, it is much quicker to access the effective NTFS permission with the tool because you don't have to connect to the corresponding server and share. Instead, you can just enter the name of the share’s UNC path and the name of the user or group for which you want to calculate the effective NTFS permissions.
Second, the tool also displays the share permissions in a separate column and calculates the "total effective permissions" using the effective NTFS permissions and the share permissions. Newbie admins commonly, and mistakenly, believe that it is enough for a user to have effective NTFS write permissions to be able to write to files on a network share. If the user doesn't also have the explicit share permission to change files, then access will be denied if he or she tries to modify or create a file.
Last but not least, Permissions Analyzer also shows you why a certain user has NTFS and share permissions on a share. In the screenshot, you see that the administrator account has share rights because it is in the Everyone group; it has NTFS permission because it is in the administrators group and also because the administrator account has individual NTFS rights.
SolarWinds Permissions Analyzer for Active Directory supports nested groups from multiple domains. You can configure multiple admin accounts, which allows Permissions Analyzer to access multiple domains to determine all group memberships to calculate the effective NTFS permissions.
Note that the tool might not work properly on a domain controller because domain controllers are not granted the so-called impersonation privilege by default. The manual has more information about this privilege and how to assign it to domain controllers. In general, it is not recommended to use the Permissions Analyzer on domain controllers. It is better to launch it on your desktop.