Managing file share permissions in Windows Server 2019 can be a complex task, especially when it comes to ensuring compliance and security. IT administrators are frequently tasked with generating reports that detail file share permissions for specific users or groups. Manually compiling these reports is time-consuming and prone to errors. Fortunately, several free and paid tools are available to streamline this process, acting as effective Windows Server 2019 Permission Reporters. This article explores some of the top tools that can help you efficiently generate these crucial reports and manage your NTFS permissions effectively on Windows Server 2019.
Free Tools for Windows Server 2019 NTFS Permission Reporting
For organizations seeking cost-effective solutions, several free tools offer robust features for NTFS permission reporting on Windows Server 2019.
1. Cjwdev NTFS Permissions Reporter Free Edition
NTFS Permissions Reporter from Cjwdev is a valuable free tool for generating reports on file and folder permissions within Windows Server 2019 environments. It allows you to export results seamlessly to HTML, making report sharing and analysis straightforward. A key feature is its ability to display group memberships, including both direct and nested groups, directly within the report. This provides a comprehensive view of access rights. Users can also customize report formats, choosing between a tree or table view, and utilize color highlighting to differentiate permission types, enhancing readability.
While highly customizable, the interface might initially appear somewhat dense. However, the tool is generally user-friendly once you become familiar with its layout. It is important to note that the free edition focuses on reporting NTFS permissions for folders. It does not directly show permissions from the perspective of a specific user, which is a limitation for certain audit requirements. Also, permission scanning time can vary depending on the size and complexity of the file system.
NTFS Permissions Reporter Interface
2. Netwrix Effective Permissions Reporting Tool
The Netwrix Effective Permissions Reporting Tool offers a quick and easy way to report on user permissions in Windows Server 2019. This free tool consolidates Active Directory (AD) group memberships and file share permissions into a single, clear report. It also distinguishes between permissions assigned explicitly and those inherited, which is critical for understanding effective access rights. This granular information empowers administrators to revoke unnecessary access, ensuring users have precisely the permissions needed for their roles, and supports adherence to data privacy regulations.
Its simplicity is a major advantage. Users simply input a user or group name to initiate a permission check. The scanning process is rapid, and exporting to HTML is intuitive. However, similar to some other free tools, it does not directly report on folder permissions. For folder-centric reports and more advanced features, Netwrix offers Netwrix Auditor for File Servers, which is available as a 20-day free trial.
Netwrix Effective Permissions Reporting Tool Interface
3. Microsoft AccessEnum
AccessEnum, a part of the Microsoft SysInternals suite, provides a swift overview of file system and Registry security settings in Windows Server 2019. It displays all permissions on file shares or the registry in a table format. This allows for rapid assessment of security configurations. However, a significant drawback is its limited export functionality, only supporting .txt format. This format can be cumbersome to analyze. To convert the data to a more manageable format like .xls, manual copying and pasting from the .txt file is required, adding extra steps to the reporting workflow.
Microsoft AccessEnum Interface
4. Permissions Reporter from Key Metric Software
Permissions Reporter from Key Metric Software offers similar functionality to Cjwdev’s NTFS Permissions Reporter but with a more visually appealing interface. Creating and downloading reports is user-friendly. Like the Cjwdev tool, it reports on NTFS permissions for folders and can export to HTML. However, it also shares a similar limitation: it does not directly report on user permissions. Permission scanning times can also be considerable depending on the scope of the scan.
Permissions Reporter from Key Metric Software Interface
5. SolarWinds Permissions Analyzer
Permissions Analyzer from SolarWinds caters to users who need detailed insights into user permissions on Windows Server 2019 without the need for exporting reports. It excels at displaying how user permissions are inherited, allowing administrators to browse permissions by group or individual user. The tool facilitates analysis of user permissions based on both group membership and directly assigned permissions. However, the inability to export data may be a limiting factor for those needing to share or archive reports.
6. NTFS Permissions Tools from MajorGeeks.com
NTFS Permissions Tools from MajorGeeks.com provides a lightweight solution for managing file permissions within NTFS file systems on Windows Server 2019. Designed for administrators who require a streamlined access rights management tool, it enables bulk modifications of permissions and security settings. Its key advantage over the built-in Windows permission management tools is its efficiency in applying changes, saving time when managing permissions at scale.
NTFS Permissions Tools Interface
BONUS Free Tool: PowerShell for Windows Server 2019 Permission Reporting
For advanced users comfortable with scripting, Microsoft PowerShell provides a powerful and flexible approach to Windows Server 2019 permission reporting. PowerShell scripts can be customized to extract specific permission data and export it into various formats, such as .csv.
Here are example scripts for exporting folder and user permissions to .csv format:
PowerShell script for exporting folder permissions:
$OutFile = "C:Temppermissions.csv"
$Header = "Folder Path,IdentityReference,AccessControlType,IsInherited,InheritanceFlags,PropagationFlags"
Del $OutFile
Add-Content -Value $Header -Path $OutFile
$RootPath = "\fs1shared" # Replace with your root path
$Folders = Get-ChildItem $RootPath -Recurse | Where-Object {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders){
$ACLs = Get-Acl $Folder.fullname | ForEach-Object { $_.Access }
Foreach ($ACL in $ACLs){
$OutInfo = $Folder.Fullname + "," + $ACL.IdentityReference + "," + $ACL.AccessControlType + "," + $ACL.IsInherited + "," + $ACL.InheritanceFlags + "," + $ACL.PropagationFlags
Add-Content -Value $OutInfo -Path $OutFile
}
}Sample report: (CSV file will be generated at C:Temppermissions.csv)
PowerShell script for exporting user permissions:
$users = Get-ADUser -Filter * -SearchBase "OU=YourOU,DC=YourDomain,DC=com" #Modify OU and Domain
$report = @()
$rootPath = "\fs1shared" # Replace with your root path
foreach ($user in $users) {
$path1 = Get-Acl -Path $rootPath -Filter * -ErrorAction SilentlyContinue | ? { $_.AccessToString -like "*$($user.SamAccountName)*" } | select -ExpandProperty AccessToString
if ($path1) {
$obj = New-Object PSObject
$obj | Add-Member -MemberType NoteProperty -name "User" -Value $user.SamAccountName
$obj | Add-Member -MemberType NoteProperty -name "Permissions" -Value $path1
$report += $obj
}
}
$report | Export-Csv -Path "C:tempuser_permissions.csv" -NoTypeInformationSample report: (CSV file will be generated at C:tempuser_permissions.csv)
PowerShell Sample Report
Paid Tools for Windows Server 2019 NTFS Reporting and Management
For organizations requiring more comprehensive features, robust reporting, and dedicated support, several paid tools offer advanced capabilities for NTFS permission management and reporting on Windows Server 2019.
1. Netwrix Auditor for File Servers
Netwrix Auditor for Windows File Servers provides in-depth visibility into Windows file servers, including detailed insights into NTFS permissions. It delivers a complete view of effective permissions, broken down by user and object, across multiple file servers and shares. It also clarifies whether permissions are directly assigned or inherited through group memberships. Furthermore, it facilitates regular user access reviews, helping data owners manage and reduce permission sprawl, a common security risk.
Beyond permission reporting, Netwrix Auditor monitors all changes and access events (successful and failed) within your file storage environment. This enables rapid detection of privilege escalation attempts and other suspicious activities. It can even identify duplicate files and stale data, contributing to storage optimization. The tool includes pre-built reports that streamline NTFS permission audits and simplify compliance reporting for regulations like PCI DSS, SOX, and HIPAA. A 20-day free trial is available for evaluation.
Netwrix Auditor for File Servers Interface
2. JAM Software TreeSize
TreeSize primarily focuses on storage analysis, but its paid versions extend into permission analysis, making it a versatile tool for Windows Server 2019. While a limited free version exists, the full version, available as a 30-day free trial, offers advanced features relevant to permission reporting. The free edition is well-regarded for its fast scanning speeds and ability to analyze storage across various locations, including network drives and cloud storage. It can categorize scan results by owner, file type, size, and other criteria across the entire file system, aiding in identifying large or old files.
The paid version expands on this by analyzing file owners and permissions, NTFS compression rates, and more. It can process NTFS Alternate Data Streams and Hardlinks, export results to various formats, and supports command-line automation, making it suitable for complex reporting and management tasks.
3. AlbusBit NTFS Permissions Auditor
NTFS Permissions Auditor from AlbusBit is specifically designed for reviewing and analyzing NTFS folder permissions on Windows Server 2019. The free version provides essential details like full path, owner, last modified date, inheritance status, and a comprehensive list of permissions in both hierarchical folder and account views. This offers a solid foundation for basic permission auditing.
The Pro version unlocks advanced features, including report filtering by criteria such as account name, SID, or department. It also offers permission change analysis, export to multiple formats, report customization, and automation capabilities, catering to more demanding audit and reporting requirements.
AlbusBit NTFS Permissions Auditor Interface
4. Vyapin NTFS Security Management Suite
NTFS Security Management Suite from Vyapin is a comprehensive solution for NTFS management on Windows Server 2019, going beyond simple permission reporting. It consists of three integrated modules:
- NTFS Security Auditor: Scans network shares, folders, and files; automates permission inventory on a schedule; and compares Access Control Lists (ACLs). It includes a variety of pre-built reports for system administrators and compliance officers.
- NTFS Change Auditor: Tracks and analyzes permission changes in designated locations, providing audit trails for security modifications.
- NTFS Security Manager: Simplifies native permission management tasks, making it easier to modify and control access rights.
Vyapin offers a 15-day evaluation copy of the NTFS Security Management Suite for potential users to test its full capabilities.
5. DSRAZOR from Visual Click Software
DSRAZOR from Visual Click Software is a versatile and highly customizable reporting tool for Windows Server 2019 administrators and compliance auditors. It enables granular permission analysis for specific files or folders. Reports are highly adaptable and can include specific Active Directory attributes for each user or group, allowing auditors to tailor reports to meet precise requirements. DSRAZOR also provides comprehensive reports on inactive, locked, or disabled Active Directory accounts, and can identify unused accounts within a specific timeframe, aiding in security and resource management.
While praised for its extensive features, DSRAZOR has a steeper learning curve. Users may find the report design tool less intuitive, and the initial setup process can be complex compared to simpler tools.
DSRAZOR Interface
FAQ
Where are NTFS permissions stored in Windows Server 2019?
NTFS permissions in Windows Server 2019 are stored within the Master File Table (MFT) of the NTFS file system. The MFT is a central database that holds metadata for all files and folders on an NTFS volume. This metadata includes file attributes, names, timestamps, and importantly, security descriptors. Security descriptors contain the NTFS permissions assigned to each file and folder, governing access control.
When NTFS permissions are set, they are recorded as part of the security descriptor within the MFT entry for that specific file or folder. The operating system then references this information to enforce access control whenever a user or process attempts to interact with the file or folder.
How do I manage NTFS permissions on Windows Server 2019?
Managing NTFS permissions on Windows Server 2019 involves controlling access to files and folders. Here’s a step-by-step guide:
- Identify Target: Locate the specific file or folder for which you need to manage permissions.
- Access Properties: Right-click on the file or folder and select Properties from the context menu.
- Navigate to Security Tab: In the Properties window, click on the Security tab. This tab displays the current NTFS permissions.
- Edit Permissions: Click the Edit button to change permissions. For more advanced settings, click Advanced.
- Grant or Deny Permissions: On the Permissions window, you can grant or deny various permissions like Full Control, Read, Write, or Modify for specific users or groups.
- Apply Changes: After configuring the desired permissions, click Apply and then OK to save your changes.
Exercise caution when modifying NTFS permissions, as incorrect settings can lead to access problems or security vulnerabilities.
How do I audit NTFS permissions in Windows Server 2019?
Auditing NTFS permissions in Windows Server 2019 allows you to track access attempts to files and folders. To set up auditing:
- Enable Auditing: Right-click the file or folder, select Properties, and go to the Security tab. Click Advanced, then navigate to the Auditing tab.
- Add User/Group for Auditing: Click Add and select the user or group you wish to audit.
- Select Audit Actions: Choose the specific actions to audit, such as Read, Write, Delete, or permission modifications.
- Apply Audit Settings: Click OK to apply the audit settings and close the dialog boxes.
- View Audit Logs: To view audit logs, open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter. Navigate to Windows Logs > Security. Look for Event ID 4663 events, which indicate file or folder access attempts.
Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. With 25 years in IT security and certifications like CISSP (ISC²) and CISM (ISACA), he focuses on enhancing cyber resilience against modern cyber threats. Dirk’s global cybersecurity experience spans technical, sales, marketing, and product management roles in both large corporations and startups. He is a published author on change and vulnerability management for cyber resilience.
