
NTFS REPORTING DIALOG


The main NTFS File Permissions dialog is shown here:

The top section of the dialog allows the user to configure which directories will be included in the report, and which subdirectories to exclude from the report. The bottom section defines the specific type of report which will be generated, including which fields to include. The specific options for each control are explained below.

Directories to Enumerate

The directories to enumerate for the report are specified here in a list. The directories should be specified in local directory form relative to the target system (e.g. C:\test). Wildcards are not allowed in this list. Environment variables can be specified; they are evaluated on each target system.

C:\FileShare

%SystemRoot%\System32

Any number of directories can be specified to search in the list, and they will be searched in the order presented. All files in the directories will be included in the permissions report.

Note: Currently it is not possible to specify network share paths in UNC form (ie: \\server\share) to include in the report. This is because the permission report is run on the remote system in the context of LocalSystem, which does not have access to any off-system network resources (by design). In most of these cases, the desired report can be accomplished by running the permission report on the actual system which contains the network file share instead.

Directories to Ignore

This area allows designating which subdirectories of the search paths to ignore while doing the permissions enumeration. This is used primarily to exclude directories with large numbers of uninteresting files from the permissions report. For example, to enumerate the files in the Windows directory while excluding the hotfix uninstall directories (which are named $NtUninstall*$), set one of the directories to ignore to “*\$NtUninstall*$”, which excludes the files in these directories from the file permissions report.

Note: At this time, the NTFS permissions for the excluded directories themselves will still be included in the report, but the files in the directories will be excluded.

Simple Report

This report type shows all the files and directories, with one line per file/directory. Each line contains the flags set in the security descriptor of the file system object, its owner, and the number of entries in the DACL for the NTFS object. Each line also contains entries for differences between the object and its parent object, which indicate explicit permissions set on the individual object. The individual columns are detailed in the section for this report type.
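The following PowerShell sketch approximates the Simple Report columns (owner, DACL entry count, explicit entries) with built-in cmdlets. It is an added example, not the product's own code; the function name, parameter names and output property names are hypothetical, and matching ignore patterns against a file's immediate parent directory is an assumption.

```powershell
# Added example: function, parameter and property names are hypothetical.
function Get-SimpleNtfsReport {
    param(
        [Parameter(Mandatory)] [string[]] $Directory,  # local paths, may contain %VAR%
        [string[]] $IgnoreDirectory = @()              # wildcard patterns for directories
    )
    foreach ($dir in $Directory) {
        # Expand environment variables on the system where the script runs.
        $root  = [Environment]::ExpandEnvironmentVariables($dir)
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)

        foreach ($item in $items) {
            # Files in an ignored directory are skipped; the ignored directory
            # itself is still reported, as the note on this page describes.
            # Assumption: patterns are tested against the immediate parent only.
            if (-not $item.PSIsContainer) {
                $parent = $item.DirectoryName
                if ($IgnoreDirectory | Where-Object { $parent -like $_ }) { continue }
            }

            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }   # unreadable security descriptor

            # ACEs that are not inherited were set explicitly on this object.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

            [pscustomobject]@{
                Path               = $item.FullName
                Owner              = $acl.Owner
                DaclEntries        = @($acl.Access).Count
                ExplicitEntries    = $explicit.Count
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Policy check: list only objects that diverge from inherited permissions.
# Get-SimpleNtfsReport -Directory 'C:\FileShare', '%SystemRoot%\System32' `
#     -IgnoreDirectory '*\$NtUninstall*$' |
#     Where-Object { $_.ExplicitEntries -gt 0 -or $_.InheritanceBlocked }
```

The root of each enumerated tree normally carries explicit entries of its own, so expect it in the filtered output even when every object beneath it only inherits.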

This report is primarily useful for ascertaining if there are explicit permissions defined for file objects in a directory structure, without specifically auditing what the permissions are. For example, if the user had a policy that all files under a specific directory had the standard permissions defined at the directory level, this report can be used to quickly verify compliance with the policy, and identify/correct any divergences.

Simple Reports with DACL Entries

This report type is a specific subset of the capabilities of the custom report type. Specifically, it is identical to a custom report with the options which are enabled when it is selected. Refer to the description of the custom report type for an explanation of the options/fields for this report.

Custom Report

This report type shows all the DACL entries for each file system object (file/directory) in the report. Each DACL entry is shown as a separate line in the report (along with all the general information). The options allow configuration of exactly what is included in the report:

Show all directories – This option causes all directories to be shown in the report. With this option disabled, directories which have no files or subdirectories which would be shown in the report are automatically removed from the report as well. Disabling this option can help narrow down the resulting data to the objects of interest.

Show settings for all files in dir – Without this option enabled, the report will display one entry for each file in each directory (with one line for each DACL entry for each file object). If all the files in a directory have the exact same file permission settings, this can be a large amount of redundant information. With this option enabled, the application automatically merges the entries in the preceding case into a single entry (still with multiple lines for each DACL entry) to represent all the files in the directory. The entry will be labeled: [directory]\*.*.

Show inheritance column – This option governs whether the Inheritance column is shown in the report. This column is documented in the report description page.

Show notes column – This option governs whether the Notes column is shown in the report. This column is documented in the report description page.

Context Menu Options for Report Results

In addition to the standard context options for reporting results, the NTFS file permissions report has the context option to Edit Security for the selected objects. This allows the user to open the standard Windows security configuration dialog for the selected objects and manually edit the security for the objects.

The user is encouraged to use caution when editing the permissions of multiple objects at once, since the resulting permissions will be applied to all edited objects, regardless of their original permissions. Also, use caution when editing permissions for objects in different security contexts (eg: different domains), as accounts valid in one context may not be valid in all contexts, and this can result in errors when the settings are applied.

Also note that the editing is done in the context of the interactive user (the account which the application is being run under), as if the file object properties had been opened through a file share.
