Has anyone ever dealt with reading and documenting share and NTFS permissions on Windows file servers? The volume to be examined is not small and is spread across four servers. Both the directory depth and the amount of data are considerable. Before we look into paid tools, we would first like to familiarize ourselves with the topic and gain some experience. For example, we would be interested in the possibilities of a report, the scope of the information to be expected, and useful filtering options.

In the first step, we are basically concerned with determining personal permissions, i.e., access that is not exclusively group-based. In the second step, the group memberships should then be resolved. All of this should then go through an initial review by the department heads and management. No active actions should be taken on the permissions, as would be the case in professional IAM systems, for example. A passive inventory is sufficient for us at this stage.

Does anyone already have experience with script collections and open source solutions? GitHub, for example, has a wealth of scripts on this topic, but a preselection with an exchange of experiences would be very helpful.
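An added example of the two-step inventory described in the post (it is not code from the thread or from any of the tools named later): it walks a directory tree, keeps only ACEs set directly on a folder (inherited ones are already covered by the parent, so subtrees with inherited-only permissions collapse to one row), classifies each principal as a user, a group, a built-in account or an orphaned SID, and expands groups recursively through Active Directory. The RSAT ActiveDirectory module, the `$Root` and `$OutCsv` values and the account's read access to the tree are assumptions.

```powershell
# Added example (not from the thread): inventory of explicit (non-inherited) NTFS ACEs
# under a root, with each principal classified and AD groups expanded recursively.
# Assumes the RSAT ActiveDirectory module; $Root and $OutCsv are placeholders.
#Requires -Modules ActiveDirectory

param(
    [string]$Root   = 'D:\Departments',            # placeholder: root of the share to scan
    [string]$OutCsv = 'C:\Temp\explicit-aces.csv'  # placeholder: where the inventory goes
)

$groupCache = @{}   # group sAMAccountName -> member list, so each group is queried once

function Resolve-GroupMembers {
    param([string]$DomainGroup)   # e.g. CONTOSO\FS-HR-RW, as shown in the ACE's IdentityReference
    $name = $DomainGroup.Split('\')[-1]
    if (-not $groupCache.ContainsKey($name)) {
        try {
            # -Recursive flattens nested groups down to the user objects inside them
            $groupCache[$name] = @(Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
                Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName)
        } catch {
            $groupCache[$name] = @("<unresolved: $($_.Exception.Message)>")
        }
    }
    return $groupCache[$name]
}

function Get-PrincipalType {
    param([string]$Identity)
    # An ACE whose account no longer exists shows up as a raw SID: typical for departed users
    if ($Identity -like 'S-1-*') { return 'orphaned-sid' }
    # Built-in and well-known accounts are not AD objects
    if ($Identity -notlike '*\*' -or $Identity -like 'BUILTIN\*' -or $Identity -like 'NT AUTHORITY\*') { return 'builtin' }
    $name = $Identity.Split('\')[-1]
    if (Get-ADGroup -Filter "SamAccountName -eq '$name'") { return 'group' }
    if (Get-ADUser  -Filter "SamAccountName -eq '$name'") { return 'user' }
    return 'unknown'
}

# The root itself plus every subfolder; folders the scanning account cannot list are skipped
$dirs  = @(Get-Item -LiteralPath $Root)
$dirs += @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$rows = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) {
        # Unreadable folders need their own follow-up list; they are not "clean"
        [pscustomobject]@{ Path = $dir.FullName; Principal = ''; Type = 'UNREADABLE'; AccessType = ''; Rights = ''; Members = '' }
        continue
    }
    # Only ACEs set directly on this folder; inherited ACEs were already reported on the parent
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id   = $ace.IdentityReference.Value
        $type = Get-PrincipalType $id
        [pscustomobject]@{
            Path       = $dir.FullName
            Principal  = $id
            Type       = $type                       # 'user' = personal, non group-based permission
            AccessType = $ace.AccessControlType      # Allow or Deny
            Rights     = $ace.FileSystemRights
            Members    = if ($type -eq 'group') { (Resolve-GroupMembers $id) -join ';' } else { '' }
        }
    }
}

$rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
```

Filtering the CSV on `Type -eq 'user'` gives the personal permissions from step one; the `Members` column is step two. The `orphaned-sid` and `UNREADABLE` rows are worth reviewing first, because neither shows up in a tool that only lists resolvable names on readable folders.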

4 Spice ups

Treesize will do this, but be cautioned.

For very large shares you will need:

  • A lot of RAM on the host scanning the directories; it can be over the network if you purchase the professional edition.
  • A long time to process them, especially if you want the contents of NTFS permissions (this is not enabled by default; you need to enable it in settings).
  • The report can be saved in many formats including HTML, PDF, XLSX, CSV etc. Be aware each type has its limitations.

TreeSize wouldn’t be that expensive. There’s also a trial version available. That’s a plus. I’ve identified a few other candidates on GitHub that I’ve shortlisted.

  • AccessControlDsc (NtfsAccessEntry) [1]
  • NTFSSecurity [2]

Let’s see what I can do with it. Maybe I’ll get another tip. Either way, I can’t get around having to examine all directories first to determine which ones have explicit permissions. For directory trees with only inherited permissions, I can only focus on the parent directory.

[1] https://github.com/jcwalker/AccessControlDsc
[2] https://github.com/raandree/NTFSSecurity

Hi Thomas,

permissionsreporter is the tool that will help you in getting all the reports you need in Excel, XML and PDF formats. Please check this once.

What do you mean when you say “Windows Active Directory File Server” and “volume spreads across 4 servers” ?

There are several methods of creating shares, examples like

  • main share root (d:\departments, then inside where you have the subfolders)
  • many share roots (D:\IT, D:\HR, D:\Finance)

Then why are there “personal permissions” ?

Sadly, if you give users Full Permissions (they can also share or create shares within shared folders) or admins are adding users to shares and NTFS permissions, reports are literally useless as there is a web and changes can occur anytime.
Worse, if there are users who start using “DENY”, then sometimes even admins (or tools & utilities) cannot access the folders and/or subfolders.
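An added example (not from the thread) that checks for the conditions this reply warns about on one file server: Deny entries, Full Control held by non-admin principals, and broad groups with write access, at both the SMB share level and the NTFS level. It is meant to run locally on the server under an admin account; the `$AdminPrincipals` list, the `CONTOSO` domain name and the scan depth are assumptions.

```powershell
# Added example (not from the thread): flag Deny ACEs, non-admin Full Control and broad
# write access on SMB share permissions and on NTFS ACLs near each share root.
# Run locally on the file server; $AdminPrincipals and $Depth are placeholders.
#Requires -Modules SmbShare

param(
    # placeholder: principals for which Full Control is expected, adjust to your domain
    [string[]]$AdminPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins'),
    [int]$Depth = 1   # subfolder levels below each share root to check (0 = direct children only)
)

$broadGroups = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'

function Test-Flags {
    # Returns the findings for one permission entry, share-level or NTFS-level
    param([string]$Principal, [string]$Type, [bool]$Full, [bool]$Write)
    $flags = @()
    if ($Type -eq 'Deny') { $flags += 'DENY' }   # deny entries can lock out admins and scanners
    if ($Full -and $Principal -notin $AdminPrincipals) { $flags += 'FULL-CONTROL-NON-ADMIN' }
    if ($Write -and ($Principal -in $broadGroups -or $Principal -like '*\Domain Users')) { $flags += 'BROAD-WRITE' }
    return $flags
}

function New-Finding {
    param($Share, $Layer, $Path, $Principal, $Rights, $Flags)
    [pscustomobject]@{ Share = $Share; Layer = $Layer; Path = $Path; Principal = $Principal; Rights = $Rights; Flags = ($Flags -join ',') }
}

$findings = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {   # skip C$, ADMIN$, IPC$
    # Share-level (SMB) permissions: Full / Change / Read per account
    foreach ($sa in Get-SmbShareAccess -Name $share.Name) {
        $flags = Test-Flags -Principal $sa.AccountName -Type ([string]$sa.AccessControlType) `
                            -Full ($sa.AccessRight -eq 'Full') -Write ($sa.AccessRight -in 'Full', 'Change')
        if ($flags) { New-Finding $share.Name 'SMB' $share.Path $sa.AccountName $sa.AccessRight $flags }
    }
    # NTFS permissions on the share root and a few levels below it
    $dirs  = @(Get-Item -LiteralPath $share.Path -ErrorAction SilentlyContinue)
    $dirs += @(Get-ChildItem -LiteralPath $share.Path -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) {
            # The "even admins cannot access" case from the reply: report it rather than skip it
            New-Finding $share.Name 'NTFS' $dir.FullName '' '' @('UNREADABLE')
            continue
        }
        foreach ($ace in $acl.Access) {
            $rights = $ace.FileSystemRights
            $flags  = Test-Flags -Principal $ace.IdentityReference.Value -Type ([string]$ace.AccessControlType) `
                                 -Full (($rights -band $fullControl) -eq $fullControl) `
                                 -Write ([int]($rights -band $writeMask) -ne 0)
            if ($flags) { New-Finding $share.Name 'NTFS' $dir.FullName $ace.IdentityReference.Value $rights $flags }
        }
    }
}

$findings | Sort-Object Share, Layer, Path | Format-Table -AutoSize
```

Effective access is the intersection of the SMB and NTFS layers, so a `BROAD-WRITE` at the NTFS level is only reachable over the network if the share layer also allows Change or Full; the report keeps both layers separate so that can be judged per share.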

It is not the volume that is spread across four servers, but only the data. We simply have four file servers, each with a few terabytes of data. I just wanted to say that the amount of data to be analyzed is not small.

Finding these explicit permissions is one of the reasons why we want to take a closer look. Over time, unregulated growth has occurred that needs to be corrected. Then there are employees who have changed departments once or several times and whose privileges have always been extended but never reduced. The new change management system should improve the situation, but it won’t get rid of the legacy issues by itself.

We are all aware of this, but somewhere we have to start getting an overview of where the biggest concerns actually are. Once the concept of the permission audit is established, it will be repeated regularly anyway.

I have added to my list. Thank you very much.

Cjwdev | NTFS Permissions Reporter

There is a free or paid version. This dude made some great tools.

1 Spice up

It’s already on my list…

Thx

If you ever go down the paid route, look into Security Explorer by Quest. It is a robust product that can wrestle anything involving file server permissions.

*not affiliated

I’ll keep that in mind, but put it on the hold position for now. At $700 for each server, it’s the most expensive tool on my list so far. But it can also change permissions, has many other features, and isn’t prohibitively expensive. It will become interesting if the results identify a need in this context. Thanks a lot for your feedback.

At least as I hoped, you did not run file servers on Domain Controllers…

I have at least 12,000 users in HQ alone (was 18,000 before COVID).
So when I transferred to HQ as CIO almost 11 yrs ago, to me file server permission audits were literally a waste of weekends for admins.

It was a top-down decision.

  • File Server(s) were created, some used NAS.
  • Shares were created at D:\Departments, E:\Apps (for certain applications), F:\Reports
  • Only Office files, no zip, no media files etc (so the file servers are cleaner)
  • NAS had \\NAS01\YYYY (eg 2023, 2024, 2025)
  • NAS stored files where all “Domain Users” have full access, Shares from 2 yrs ago will be set to read-only, only 3 yrs of files.
  • Unless specifically approved by HoDs & Management, users will not be given “cross departments” access
  • Access to Apps & Reports is based on user designation & roles.
  • All rights are controlled by Domain Controller Groups (one group per share)