- Monitoring Active Directory with the PowerShell module PSADHealth - Mon, Jan 20 2020
- Invoke-Command: Compensating for slow responding computers - Tue, Jan 7 2020
- Invoke-Command: Connecting to computers requiring different credentials - Tue, Dec 31 2019
Why you want this tool ^
I am going to let you in on a little secret: you don't need this tool. This tool does nothing you cannot do already with Windows tools, the command line, or by logging into a server. But you will want to add this tool to your toolkit for one reason: ease of use!
SolarWinds refers to their tool as PAFT for short (Permissions Analyzer Free Tool). The beauty of PAFT is that its easy-to-digest output, which I will show you in just a short while. As I previously mentioned, this tool is not providing any new functionality. Instead, PAFT just works better than almost all other tools I have used over the years for figuring out permissions on files and folders.
You could argue that the built-in tools inside the Windows GUI for querying permissions work just fine, and I would tend to agree with you. However, if you need to query permissions on three different file shares located on three different servers, you're probably either logging directly into those servers or using some sort of file explorer utility and then right-clicking to get to the permissions window. Again, there's nothing wrong with these methods.
With PAFT, it's one window where you simply enter a path and a user or group you want to know about and click a button. In a few short seconds, PAFT returns with a color-coded layout of permissions and other useful data. When it's time to move onto the next file or folder, just input a new path and click the button. So in short, this tool is about efficiency: fewer clicks to get the same information.
Installation of the tool is super simple: download the installer here , unzip, and launch the MSI. The installer takes exactly two clicks to install the product, and you are done. Once installed, it immediately presents you with a configuration window. The tool needs to have a connection to a local domain controller (DC) so it can calculate rights for users and groups. You will need to input the credentials of a domain admin account for the tool to work correctly. The need for domain admin creds is so it can calculate any file or folder in the domain without being logged into a server.
PAFT tool usage ^
Once you've configured it, all you need to do is input two fields of data: group/user info and file/folder info. Click Analyze, and the tool jumps into action. PAFT needs just a few seconds to reach out to the DC you configured earlier and calculate the results. In this first example, I am looking up the permissions for the domain users group on a file share on my network.
The results of the lookup clearly show in detail the exact permissions for members of the domain users group. SolarWinds has done a great job at presenting a lot of info in a pleasing way that is also simple to understand.
The results window lists every possible permission in the left column. The next column shows whether permissions are directly applied or inherited, with a button for an expanded view (that I will get to shortly). Then there are three columns containing green or red checkmarks. These represent NTFS permissions, Share permissions, and the Total result of those two permissions sets.
If I want to calculate permissions for another user, group, file, or folder, I can update the data fields at the top of the window and click Analyze, starting the process over again.
Let's take a closer look at rights for an individual account.
Here I calculated permissions for my account for the same share. But this time, I also clicked the + symbol next to a few inherited permissions. The PAFT tool does an excellent job of showing how permissions are calculated depending on an account's group membership.
Let's look closer at the Full Control permission set. You'll see a gray dot for NTFS and a green check for Share permissions. Let's break this down and explain it. The gray dot means there is no assigned or inherited NTFS permission for Full Control. The green check for the Share permissions mean there is a share permission that grants Full Control applied to this folder for the domain users group. The red check is the results of the two permissions. You'll recall that when you combine share and NTFS permissions, the lowest common set between them is the result. In this case, there are share permissions but no NTFS permissions, so the result is denial of Full Control for this user.
PAFT makes trying to understand the results of NTFS and Share permissions much easier. It does something we have all been doing as sysadmins for a long time, and it makes it easier and faster to do. PAFT is free, and there are absolutely no restrictions or limited-time trials. You can download it today here and use it on as many machines as you like without limits.
For more advanced user permission analysis and management, try SolarWinds Access Rights Manager. Access Rights Manager is a product from SolarWinds that will help you improve your IT and data security through:
- Active Directory monitoring
- Windows file share auditing
- Microsoft Exchange monitoring
- SharePoint access monitoring and management
- User provisioning and management
- User permissions analysis
Access Rights Manager is a suite of dashboards, configuration wizards, built-in reporting templates, and one-click actions that make it easy to perform everyday permissions and auditing tasks. If you want to go past what PAFT can do, Access Rights Manager is a huge leap forward while keeping things fairly simple and intuitive. There is a video featuring Access Rights Manager highlights that is worth a watch. Download a free 30-day trial of Access Rights Manager here.
I would also recommend that you head on over to the SolarWinds site and download PAFT . While there, check out the other free tools SolarWinds offers here. They have built a small arsenal of useful tools you can use without limits.