IT-Admins Tool – NTFS ACLs

NTFS Access Control Lists – NTFS ACLs for short – are hard to investigate and analyze with standard Windows tools, especially the question of where they actually break: where additional rights are added, or where inheritance is broken completely and different rights apply from a certain path on.

To overcome this, the IT-Admins Tool can read in an NTFS path: you choose a folder to start with and a path depth, i.e. how many levels of sub-folders you want to investigate. This is not limited to folders; since NTFS rights apply to files as well as folders, you can read in files too, instead of just folders.

Example:

You do not know whether another admin changed rights somewhere in a path, you wonder why a certain user does or does not have access to it, or you simply want to see who actually has access. This becomes harder when nested groups are involved and you want to see who really has access.

The solution is to read in the path, click the NTFS ACL entry you want to look into, and see who is a member of the group, including members of nested sub-groups.

NTFS ACLs are nothing other than NTFS rights. This part of the IT-Admins Tool investigates a file/folder structure in detail, determines any right changes within the defined path depth at folder level or even file level (which takes longer to read), and lets you analyze the actual permissions.

Different colors show where rights changed, where access was denied, and where the path was too long for Windows. If something was found in a sub-directory, the parent directory (and its parents) change color to indicate that a change or issue was detected in a sub-folder or file.

Choose path

First of all you need to click the path selection button to select a path. This can either be a network drive/sub-folder or a UNC path.

Path depth

The path depth is set to 5 by default, meaning that no more than 5 levels of sub-directories below the selected path will be investigated. Adjust this setting to your needs, up to 9999.

Note: the deeper you go, the longer the read will run. On the other hand, deeper also means more accurate.

Only 1st Level information

Select this option to read only direct group memberships. This increases the reading speed but shows less information, such as sub-group memberships.

Options

When you move your mouse over this field, you can choose from the following options.

Influence on the exports

Ignore DFSRprivate folders

In a DFS folder structure, depending on your access level, you might be able to see and access a directory structure named DFSRprivate. It carries many different rights and is a DFS “working” directory that DFS needs for replication and change tracking. This directory structure can normally be ignored.

Owner not resolvable

This exports every single object whose owner could not be resolved!

Right SID not resolvable

This exports an unresolvable right only if it was not inherited. In other words, only the first occurrence of the unresolvable right SID is exported; sub-folders or files that inherit it are not exported.

Note: Unlike the export, the tree-view marks and shows every single node. Only the export ignores these sub-objects, because they inherit the right, and an unresolved right SID inherited through a deep directory structure would otherwise cause a huge export that is hard to read and not needed at all.

Read Folder/Files

Click either “Read Folders” to read only the folder structure, or “Read Folders and Files” to investigate down to file level, which may also reveal over-long file names instead of just over-long folder paths.

Export buttons

Export NTFS ACLs

This exports a CSV file listing the folders/files with changed rights. Additional columns at the end hold the owner and NTFS rights information, but no group memberships; the rights columns are repeated until all rights of an entry are exported.

XML Export

This creates a structured .XML file for each file/folder with changed rights. Unlike the .CSV export, the XML export additionally includes information such as attributes and detailed rights.

XML Full Export

This exports everything that was investigated, instead of just the files/folders with changed rights.

Note: Depending on the amount of data you read in, this might generate a huge XML file.

Working with the navigation

Click a folder/file in the tree-view (left side) to show its details on the right side: the owner, the groups/users that have NTFS security rights (as far as their SIDs could be translated) and, once you click e.g. a group in the NTFS rights table, the members and sub-members of this group from Active Directory.

Please note: Group memberships are read in real time from Active Directory. They cannot be exported and, to keep the amount of data that is initially read and the time it takes to get it within reason, they are not cached but read from Active Directory the moment you click an entry in the NTFS rights table.

The different colors and their meaning

  • Black: Nothing changed compared to the parent folder.
  • Orange: A change or issue was detected in a sub-folder/file.
  • Purple: Access denied – the ACL cannot be read.
  • Turquoise: Long file name/path or other error.
  • Red: A right change on this folder/file was detected.
  • Green: Either the owner SID or a right SID could not be resolved to a common name.
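How such a read-in works in practice can be shown with a small script. The following PowerShell is an added example written for this page, not code from the IT-Admins Tool: it walks a start path to a configurable depth (5 by default, as in the tool), reads the ACL of every folder (and optionally every file), classifies each object into the states of the color legend above (unchanged, changed, access denied, path/other error, unresolvable SID), marks parents that have an issue below them, and applies the export rule that an unresolved right SID is only exported where it is not inherited. All function and property names are my own, and the paths in the usage lines are placeholders.

```powershell
# Added example, not part of the IT-Admins Tool. Windows PowerShell 5.1 / PowerShell 7 on Windows.
function Get-NtfsAclBreaks {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $Depth = 5,        # like the tool: at most 5 sub-folder levels by default
        [switch] $IncludeFiles      # "Read Folders and Files" instead of "Read Folders"
    )

    # An identity that Get-Acl could not translate to DOMAIN\Name stays a raw SID string.
    function Test-UnresolvedSid([string] $Identity) {
        return $Identity -match '^S-1-\d+(-\d+)+$'
    }

    # Read one folder or file and classify it (one record per object).
    function Get-AclRecord([System.IO.FileSystemInfo] $Item, [int] $Level) {
        $rec = [ordered]@{
            Path             = $Item.FullName
            Level            = $Level
            IsFolder         = $Item.PSIsContainer
            State            = 'Unchanged'   # black
            IssueBelow       = $false        # orange, filled in after the walk
            Owner            = $null
            UnresolvedSid    = $false        # green: owner or any ACE trustee is a raw SID
            ExportUnresolved = $false        # true only if the unresolved SID is not inherited
        }
        try {
            $acl = Get-Acl -LiteralPath $Item.FullName -ErrorAction Stop
            $rec.Owner = $acl.Owner

            # "Breakup": an ACE that is not inherited, or inheritance switched off entirely.
            # The start folder itself is the baseline and never counts as changed.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
            if ($Level -gt 0 -and ($explicit.Count -gt 0 -or $acl.AreAccessRulesProtected)) {
                $rec.State = 'Changed'       # red
            }

            $unresolvedAces  = @($acl.Access | Where-Object { Test-UnresolvedSid $_.IdentityReference.Value })
            $ownerUnresolved = Test-UnresolvedSid $acl.Owner
            if ($ownerUnresolved -or $unresolvedAces.Count -gt 0) {
                $rec.UnresolvedSid = $true
                if ($rec.State -eq 'Unchanged') { $rec.State = 'Unresolved' }
                # Export rule: the owner is never inherited; an ACE only counts if it is explicit here.
                $rec.ExportUnresolved = $ownerUnresolved -or (@($unresolvedAces | Where-Object { -not $_.IsInherited }).Count -gt 0)
            }
        }
        catch {
            $ex = $_.Exception
            if ($ex -is [System.UnauthorizedAccessException] -or $ex.InnerException -is [System.UnauthorizedAccessException]) {
                $rec.State = 'AccessDenied'  # purple
            } else {
                $rec.State = 'PathError'     # turquoise: PathTooLongException or any other read error
            }
        }
        [pscustomobject]$rec
    }

    # Depth-limited walk; a folder whose listing fails is still recorded by Get-AclRecord above.
    function Walk-Tree([System.IO.FileSystemInfo] $Dir, [int] $Level) {
        Get-AclRecord $Dir $Level
        if ($Level -ge $Depth) { return }
        try   { $children = @(Get-ChildItem -LiteralPath $Dir.FullName -Force -ErrorAction Stop) }
        catch { return }
        foreach ($child in $children) {
            if ($child.PSIsContainer) { Walk-Tree $child ($Level + 1) }
            elseif ($IncludeFiles)    { Get-AclRecord $child ($Level + 1) }
        }
    }

    $records = @(Walk-Tree (Get-Item -LiteralPath $Path -Force) 0)

    # Orange: a folder gets IssueBelow when anything underneath it is not 'Unchanged'.
    foreach ($r in $records | Where-Object IsFolder) {
        $prefix = $r.Path.TrimEnd('\') + '\'
        $r.IssueBelow = [bool]($records | Where-Object {
            $_.State -ne 'Unchanged' -and $_.Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1)
    }
    $records
}

# Mirror the CSV export rule: changed/denied/error objects always, unresolved SIDs only where
# they are not inherited (first occurrence), so deep inheritance does not flood the file.
function Export-NtfsAclBreaks {
    param([Parameter(Mandatory)] [object[]] $Records, [Parameter(Mandatory)] [string] $CsvPath)
    $Records |
        Where-Object { ($_.State -in 'Changed', 'AccessDenied', 'PathError') -or $_.ExportUnresolved } |
        Export-Csv -LiteralPath $CsvPath -NoTypeInformation -Encoding UTF8
}

# Usage (placeholder paths):
$result = Get-NtfsAclBreaks -Path '\\FILESERVER\Share\Department' -Depth 5
$result | Format-Table Level, State, IssueBelow, Owner, Path -AutoSize
Export-NtfsAclBreaks -Records $result -CsvPath "$env:TEMP\ntfs-acl-breaks.csv"
```

The script reads every ACL in the account it runs under, so a purple/AccessDenied record means exactly that: this account cannot read the ACL, not that nobody can. Increasing -Depth or adding -IncludeFiles makes the result more complete at the cost of a longer run, which is the same trade-off the path depth setting describes.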

The tree-view

The picture shows all possible states and that the tree can be broken down to file level if necessary.

Context-menu in the tree-view

You can use the right mouse-button/context-menu in the tree-view on any folder/file and choose from the following options:

Show in Explorer: opens the parent folder in Windows Explorer and selects the chosen file/folder.

Please note: Due to Windows restrictions, this might not work if you run the software as a different user within a Windows session.

Copy Path: copies the path of the current item to the clipboard.

Export Tree-View structure: exports the currently available tree-view structure (folders, or folders and files) to a simple two-column .csv file. Column one is the type (folder or file) and column two holds the complete path to the folder or file. No rights are exported; it is a simple and complete export of what was found within the configured path depth.

Directory information

As indicated in the screenshot, you will see the following information once you click on any folder/file in the tree-view:

Owner (if readable)

The Owner of the file/folder that was selected.

NTFS Rights (if readable)

All NTFS rights that are set on the file/folder – with information in the following columns:

  • Inherited: was the right inherited from the parent folder?
  • User-/Group-Name: user name/group name, or the SID of the object if it could not be resolved
  • Right Type: allow or deny – if a right is denied (which has priority) the cell is RED
  • Rights: the rights descriptor of the ACL entry
  • Inheritance: how this right will be inherited by child files/folders
  • Right Details (13): 13 columns that show the rights in detail – see Right Details

Members

If you select a group in the “NTFS Rights” table, the IT-Admins Tool makes a real-time request to Active Directory and shows you who is actually a member of this group, directly or through sub-groups, and is therefore affected by this ACL.
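Resolving who is behind a group entry, with nested sub-groups or with direct members only (the “Only 1st Level information” option), is the part that usually costs the most time against Active Directory. The following PowerShell is an added example for this page, not the IT-Admins Tool's code: it expands a group from the NTFS rights table into the users it actually covers, records through which nesting chain each one is reached, and guards against circular group nesting. It assumes the RSAT ActiveDirectory module is installed; the group name in the usage lines is a placeholder.

```powershell
# Added example, not the IT-Admins Tool's code. Requires the RSAT "ActiveDirectory" module.
function Get-EffectiveGroupMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Group,   # as shown in the NTFS rights table, e.g. 'CONTOSO\Share-Finance-RW'
        [switch] $FirstLevelOnly                  # "Only 1st Level information": do not descend into sub-groups
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $seenGroups = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $members    = @{}    # SamAccountName -> record; de-duplicates users reached through several branches

    function Expand-Group([string] $GroupName, [string[]] $Chain) {
        # Circular nesting (A contains B, B contains A) is legal in AD; the set stops endless recursion.
        if (-not $seenGroups.Add($GroupName)) { return }
        foreach ($m in Get-ADGroupMember -Identity $GroupName -ErrorAction Stop) {
            if ($m.objectClass -eq 'group' -and -not $FirstLevelOnly) {
                Expand-Group $m.SamAccountName ($Chain + $m.SamAccountName)
                continue
            }
            if (-not $members.ContainsKey($m.SamAccountName)) {
                $members[$m.SamAccountName] = [pscustomobject]@{
                    Member      = $m.SamAccountName
                    ObjectClass = $m.objectClass        # 'group' here means: left unexpanded (1st level only)
                    Via         = ($Chain -join ' > ')  # nesting path through which the ACE applies
                }
            }
        }
    }

    # The rights table shows DOMAIN\Name; Get-ADGroupMember takes the sAMAccountName.
    $name = ($Group -split '\\')[-1]
    Expand-Group $name @($name)
    $members.Values | Sort-Object Via, Member
}

# Usage (placeholder group): full expansion vs. direct members only
Get-EffectiveGroupMembers -Group 'CONTOSO\Share-Finance-RW' | Format-Table -AutoSize
Get-EffectiveGroupMembers -Group 'CONTOSO\Share-Finance-RW' -FirstLevelOnly | Format-Table -AutoSize
```

With -FirstLevelOnly the nested groups appear as rows of ObjectClass 'group' instead of being expanded, which is exactly the information the faster option trades away. Two known limits of Get-ADGroupMember apply: it does not return accounts that belong to a group only through their primary group (Domain Users, for example), and very large groups can exceed the domain controller's result limit, so the output is a view of the group's explicit membership, not a full effective-access calculation.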

Additional Information

Next to the NTFS rights is the “Infos” tab, which shows additional file/folder information.

On the right side you see statistics for all sub-paths/elements underneath the selected path: how many times an ACL breakup (changed ACL) occurred, how many ACL read errors (no access) occurred, how many times over-long path names or other issues were detected, etc.

Please note: These statistics are only as accurate as the maximum path depth you configured.

The total size of the sub-files can only be calculated if you read in folders and files.

Right Details

Depending on the selected row, the “Right Details” tab shows the rights in detail. This is the same information as in the 13 columns on the right of the row; it is mirrored here so you can read it without scrolling left and right in the table.
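The 13 detail columns correspond to the 13 special permissions Windows lists in the advanced security dialog. The following PowerShell is an added example for this page (not the IT-Admins Tool's code) that produces the same breakdown for every ACE of a folder or file as described in the NTFS Rights table and here: allow/deny type, inheritance information, and one true/false column per special permission. It also maps the generic access bits that inherit-only ACEs often carry, which .NET cannot name, to the file-specific masks Windows applies. The column names and the path in the usage line are my own.

```powershell
# Added example, not the IT-Admins Tool's code. Windows PowerShell 5.1 / PowerShell 7 on Windows.
$FSR = [System.Security.AccessControl.FileSystemRights]

# The 13 special permissions of the advanced security dialog, in the order Windows shows them.
$SpecialPermissions = [ordered]@{
    'Traverse folder / execute file' = $FSR::ExecuteFile
    'List folder / read data'        = $FSR::ReadData
    'Read attributes'                = $FSR::ReadAttributes
    'Read extended attributes'       = $FSR::ReadExtendedAttributes
    'Create files / write data'      = $FSR::WriteData
    'Create folders / append data'   = $FSR::AppendData
    'Write attributes'               = $FSR::WriteAttributes
    'Write extended attributes'      = $FSR::WriteExtendedAttributes
    'Delete subfolders and files'    = $FSR::DeleteSubdirectoriesAndFiles
    'Delete'                         = $FSR::Delete
    'Read permissions'               = $FSR::ReadPermissions
    'Change permissions'             = $FSR::ChangePermissions
    'Take ownership'                 = $FSR::TakeOwnership
}

# Inherit-only ACEs on folders frequently carry GENERIC_* bits (e.g. -536805376 or 268435456 in
# Get-Acl output); translate them to the file-specific rights Windows maps them to on files.
function Convert-GenericRights([int] $Mask) {
    $out = $Mask -band 0x0FFFFFFF                               # keep every non-generic bit
    if ($Mask -band 0x10000000) { $out = $out -bor 0x1F01FF }   # GENERIC_ALL     -> FILE_ALL_ACCESS
    if ($Mask -band 0x80000000) { $out = $out -bor 0x120089 }   # GENERIC_READ    -> FILE_GENERIC_READ
    if ($Mask -band 0x40000000) { $out = $out -bor 0x120116 }   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    if ($Mask -band 0x20000000) { $out = $out -bor 0x1200A0 }   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    return $out
}

# One row per ACE: type (a Deny entry wins over Allow, hence the red cell in the tool),
# inheritance information, the named rights descriptor and the 13 detail columns.
function Get-RightDetails {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $mask = Convert-GenericRights ([int] $ace.FileSystemRights)
        $row = [ordered]@{
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType        # Allow / Deny
            Inherited   = $ace.IsInherited
            Inheritance = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            Rights      = [System.Security.AccessControl.FileSystemRights] $mask
        }
        foreach ($name in $SpecialPermissions.Keys) {
            $bit = [int] $SpecialPermissions[$name]
            $row[$name] = (($mask -band $bit) -eq $bit)
        }
        [pscustomobject] $row
    }
}

# Usage (placeholder path): show a few of the 13 columns next to the summary fields.
Get-RightDetails -Path 'D:\Shares\Finance' |
    Format-Table Identity, Type, Inherited, Rights, 'Delete', 'Change permissions', 'Take ownership' -AutoSize
```

Without the generic-rights mapping an inherit-only ACE would show no special permission at all even though every file below the folder receives, for example, full read access from it; that is the edge case that makes a plain flags cast misleading when you compare folder and file rows.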