Generating NTFS Permissions Reports with Goverlan

goverlan-ntfsGenerating NTFS Permissions Reports with Goverlan

The combination of a report on NTFS permissions for a corporate share and a report on AD group memberships helps define the who has access, what level of access, where do they have access, etc. The unanswered questions seems to be WHY? As in why should I (or you) care about NTFS permissions reports?

Here are a couple of good reasons why you may want to be able to build and customize your own NTFS permissions reports.

  1. New user provisioning – If part of your provisioning process includes running a quick live audit to ensure your new user had access to the files and folders necessary, you will reduce help desk requests and new user frustration.
  2. User role changes – Users change roles and need access to new resources. Unraveling security group permissions can be a nightmare for a simple role change.
  3. Terminating users – Running an audit (report) after an employee gets terminated just to ensure you revoked access. This is especially important for organizations with compliance mandates. See the Goverlan Terminating Employee Scope Action example.

Here is why Goverlan is great for NTFS permissions reporting.

  1. It is native, as in there already. Nothing to configure, add, purchase etc. You are minutes away from automating this if you are a customer
  2. You can fully automate both generating and delivering the reports, including automated and scheduled delivery to department heads, auditors, etc.
  3. You can combine Group memberships reports with NTFS permissions permissions reports and understand each individual user’s level of access.

Good thing you are on top of your game and didn’t overlook this important set of reports. Reporting on NTFS permissions is done in a few simple steps using Goverlan.

  1. Create a Scope Action
  2. In the Scope, add the machines (servers) that host the corporate shares.
  3. In the actions section, navigate to Report Computer Property >> File System Permissions >> Manage Accessible Directories
    Creating an NTFS permissions report via Goverlan custom actions
    Creating an NTFS permissions report via Goverlan custom actions
  4. From here you will access the Accessible Directory Paths Manager. Use this to define names for directories that you want to report on. You can also define the report “depth” using the Include sub-directories and level deep settings. This will define how many folders within folders Goverlan will report on.NOTE: If you want to create a report on a NETWORK SHARE, you have to point the accessible path at the SERVER that is hosting this network share and its EXACT path. See the example below.
    Accessible Directory Paths Manager
    Accessible Directory Paths Manager


  5. Goverlan also supports the use of Windows variables and wildcards in the file path so you can focus your reports to specific folders, file extension, etc.
    Accessible file path manager
    Accessible file path manager
  6. Once you have defined a reporting path and given it a name you can then add columns to your report. Goverlan will report on basic access type or extended (with read/write attributes) as well as permissions inheritance.
    Goverlan NTFS permissions report column headers
    Customize which columns to include in your report

Example: NTFS Permissions Audit for Corporate Share – Sales Directory

In this quick example we are going to use 2 reports that are native to Goverlan to audit the Sales Directory on our Corporate Share.

We need to make sure that the right employees have the right access. The first report we will look at is a Group Membership report. This will allow us to audit (report on) all Sales group members and ensure that the necessary folks are included.

Members of the Active Directory Sales group.
Members of the Active Directory Sales group.

 Now we can report on the access level this group of users has.

Sales group access level
Sales group access level

Here is a link to a knowledge base article for more information:

Feel free to comment or contact us for additional details. Also, if you need this in a hurry and you are not a Goverlan customer (yet), our trial is FULLY functional for 30-days.

Leave a Reply