Active Directory NTFS and Security Reports

    NTFS reports and security reports offer comprehensive visibility into permissions for folders, servers, subnets, and Active Directory (AD) objects, showing who has access and their permission levels. This help page explains how to generate and customize reports to view permission details and access rights in AD.

    In this document, you will learn how to do the following:

    • Generate reports from across multiple domains.
    • Apply filters for targeted results.
    • Refine results to include or exclude specific accounts or permissions.
    • View access details across directories and domains.

    To generate these reports in ADManager Plus, navigate to Reports > NTFS & Security Reports > NTFS Reports.

    The following reports are available in this category: Shares in the Servers, Permissions for Folders, Folders Accessible by Accounts, and Non-Inheritable Folders.

    Shares in the Servers report

    This report lists all the shares and their permissions in the specified server, along with their share names, ACE type, and permissions. It's used to manage shared resources, detect potential permission misconfigurations, and ensure appropriate access is maintained.

    How it works

    To generate the Shares in the Servers report, ADManager Plus first identifies the target server using its sAMAccountName. It then fetches all shared folders available on that server. Next, it retrieves the access control lists of these shares to identify the security principals with permissions and displays the corresponding access details for each share.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Select the servers whose shares you want to list from the Computers field.
    3. Click Refine Result to show or exclude specific folders, objects, or permissions.
    4. Click Generate.

    Permissions for Folders report

    This report lists all the objects that have access to folders in a specified path. It is used to manage folder-level access, ensuring only authorized users have necessary permissions. The report provides details such as access type, folder path, permission inheritance, and source of permissions.

    How it works

    To generate the Permissions for Folders report, ADManager Plus first locates the target server using its sAMAccountName. It then retrieves all shared folders on that server. Based on the folder level specified in the UI, it iterates through each folder and its subfolders to fetch the corresponding security permissions, which are then displayed in the report.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Enter the shared resource path.
      • Example:
        • \\<file-servername>\<sharename>\<directory>
        • \\<dfs-namespace>\<sharename>\<directory>
    3. Use the Check for folder permissions up to drop-down to select the desired folder level.
    4. Click Refine Result to show or exclude specific folders, objects, or permissions.
    5. Click Generate.

    Folders Accessible by Accounts report

    This report lists all folders that the specified account has access to. It helps track folder-level permissions by showing which folders are accessible to the account and the type of permissions assigned (such as read, write, or full control).

    How it works

    To generate the Folders Accessible by Accounts report, ADManager Plus first identifies the target shared folders using the folder's path. Based on the access type and folder level selected in the UI, it iterates through each folder and its subfolders to retrieve their security permissions. It then checks whether any of the selected users or groups have the specified permissions on these folders. The report displays all permissions for folders where the specified access criteria are met by the selected accounts.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Select the user or group accounts whose folder access you want to verify from the Accounts field.
    3. Select the Windows server or DFS namespace to search for the folders that can be accessed by the specified user accounts from the Check for folders in field.
    4. Use the Check for folder permissions up to drop-down to select the desired folder level.
    5. Click Refine Result to show or exclude specific accounts or folders.
    6. Click Generate.

    Non-Inheritable Folders report

    This report lists all folders that are blocked from inheriting permissions from their parent objects. It is used to detect exceptions in NTFS permission inheritance to ensure consistent access control across the file system.

    How it works

    To generate the Non-Inheritable Folders report, ADManager Plus first identifies the target folders using the folder's path and retrieves the selected shared folders along with their subfolders. Folders with inheritance disabled will be listed in the report along with their security principals.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. In the Check for folders in field, enter the directory path.
      • Example:
        • \\<file-servername>\<sharename>\<directory>
        • \\<dfs-namespace>\<sharename>\<directory>
    3. Click Generate.
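
    To spot-check what the Permissions for Folders, Folders Accessible by Accounts, and Non-Inheritable Folders reports show, the same ACL data can be read with built-in PowerShell cmdlets. This is an added example, not ADManager Plus code; the function name Get-FolderAceReport, its parameters, and the sample UNC path are assumptions.

```powershell
# Added example (not ADManager Plus code): read-only NTFS ACL walk.
# Function name, parameters and the sample path are hypothetical.
function Get-FolderAceReport {
    param(
        [Parameter(Mandatory)][string]$Path,  # \\server\share\directory
        [int]$Depth = 1,                      # subfolder levels to check
        [string[]]$Account                    # optional DOMAIN\name filter
    )
    $folders = @(Get-Item -LiteralPath $Path)
    if ($Depth -gt 0) {
        # -Depth 0 means immediate children only, so N levels is -Depth (N - 1)
        $folders += Get-ChildItem -LiteralPath $Path -Directory -Recurse `
            -Depth ($Depth - 1) -ErrorAction SilentlyContinue
    }
    foreach ($folder in $folders) {
        try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }
        foreach ($ace in $acl.Access) {
            # Matches the ACE trustee name only; group membership is not expanded
            if ($Account -and ($Account -notcontains $ace.IdentityReference.Value)) { continue }
            [pscustomobject]@{
                Folder              = $folder.FullName
                Account             = $ace.IdentityReference.Value
                AceType             = $ace.AccessControlType    # Allow / Deny
                Rights              = $ace.FileSystemRights
                Inherited           = $ace.IsInherited          # $false = set on this folder
                AppliesTo           = $ace.InheritanceFlags
                InheritanceDisabled = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Folders two levels down that break inheritance, with the ACEs present on them
$root = '\\fileserver01\projects'   # constructed placeholder; replace with a real share
if (Test-Path -LiteralPath $root) {
    Get-FolderAceReport -Path $root -Depth 2 |
        Where-Object InheritanceDisabled |
        Sort-Object Folder, Account |
        Format-Table Folder, Account, AceType, Rights -AutoSize
}
```

    Passing -Account 'DOMAIN\name' narrows the output to ACEs that name that trustee directly; access granted through a group the account belongs to needs the group passed as well.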

    To generate these reports, navigate to Reports > NTFS & Security Reports > Access Over Objects Reports.

    The following reports are available in this category: AD Objects Accessible by Accounts, Servers Accessible by Accounts, Subnets Accessible by Accounts, and Search Permissions.

    AD Objects Accessible by Accounts report

    This report displays the AD objects that the specified users or groups have access to. It lists details such as the object name, domain, and the account through which access is granted. This helps in identifying which AD objects are accessible by selected accounts for security audits and access reviews.

    How it works

    To generate the AD Objects Accessible by Accounts report, ADManager Plus first retrieves all AD objects within the specified domain. It then processes the selected user or group accounts and evaluates their access rights on these objects based on the specified access type. The objects that meet the criteria are listed in the report along with their permissions.

    How to generate the report

    1. Select the domain from the Select Domain drop-down. You can also select the organizational units (OUs) if required.
    2. Select the user or group accounts whose access you want to evaluate from the Accounts field.
    3. Click Refine Result to show specific objects or exclude inherited permissions or other permissions associated with the object.
    4. Choose Any Control or Full Control in the Select Access Type field to specify the desired level of access.
    5. Click Generate.
    6. Use the Showing objects accessible to: drop-down to filter the results down to specific objects that were selected in step 3.
    7. Select the desired user or group accounts and click Remove to revoke the account's access over the listed objects.

    Servers Accessible by Accounts report

    This report lists servers that specific user or group accounts can access within the AD environment. It is used for security audits, access reviews, and compliance reporting to ensure that only authorized accounts have access to critical servers.

    How it works

    To generate the Servers Accessible by Accounts report, ADManager Plus first retrieves all servers within the specified domain. It then processes the selected user or group accounts and evaluates their access rights on these servers. The objects that meet the criteria are listed in the report along with their permissions.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Select the user or group accounts from the Accounts field to check which servers they have access to.
    3. Use the Showing servers accessible to: drop-down to filter the results down to specific objects that were selected above.
    4. Click Generate.

    Subnets Accessible by Accounts report

    This report lists user or computer accounts that can access specific network subnets. It is primarily used for auditing and security analysis to track subnet-level access within an organization.

    How it works

    To generate the Subnets Accessible by Accounts report, ADManager Plus first retrieves all subnets within the specified domain. It then processes the selected user or group accounts and evaluates their access rights on these subnets. The objects that meet the criteria are listed in the report along with their permissions.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. Select the user or group accounts from the Accounts field to check which subnets they have access to.
    3. Use the Showing subnets accessible to: drop-down to filter the results down to specific objects that were selected above.
    4. Click Generate.

    Search Permissions report

    This report allows you to look up specific AD objects where selected users or groups hold particular permissions. It displays details like object name, domain, and the account through which access is granted.

    How it works

    To generate the Search Permissions report, ADManager Plus first fetches the object for which permissions are being checked, using its distinguished name, along with all its security permissions. It then retrieves a list of objects that need to be checked for access. Each permission entry is compared against these objects. If a match is found, the objects and their permissions are displayed.

    How to generate the report

    1. Select the domain from the Select Domain drop-down.
    2. In the Select Objects field, select the object(s) that you want to verify permissions for.
    3. In the Search On field, select the objects for which you want to find permissions.
    4. Click Refine Result to select either Users, Groups, Computers, Contacts, OUs, or All objects.
    5. Choose the permissions you want to search for using the fields below:
      • Permissions: Select the permissions.
      • Applies to: Select whether the permissions should apply to only the target objects, a target object and its child objects, or only the child objects.
      • Type: Select whether the permissions should be allowed or denied.
    6. Click Generate.

    To generate these reports, navigate to Reports > NTFS & Security Reports > Permission Reports.

    The following reports are available in this category: Server Permissions, Subnet Permissions, Object Permissions, and Non-Inheritable Objects.

    Server Permissions report

    This report displays the users, groups, and other security principals who have access to servers, along with the type of permissions they hold (such as read, write, modify, or full control). It is used to audit server access and maintain proper access control across shared resources.

    How it works

    To generate the Server Permissions report, ADManager Plus first identifies the target servers and then retrieves all security principals of each server. It then parses the access control lists to extract the security principals with explicit or inherited permissions. Finally, it maps each principal to their respective access levels and displays those objects that have permission over the selected servers.

    How to generate the report

    1. Choose the domain from the Select Domain drop-down.
    2. Select the servers whose permissions you want to review from the Servers field.
    3. Use the Showing permissions on: drop-down to filter the results down to specific servers that were selected above.
    4. Click Generate.

    Subnet Permissions report

    This report lists users and groups who have access to specific subnets in AD, detailing the type and scope of permissions. It helps with auditing and ensuring secure subnet access.

    How it works

    To generate the Subnet Permissions report, ADManager Plus first identifies the target subnets. For each subnet, it parses the access control lists to extract the security principals with explicit or inherited permissions. It then maps each principal to their respective access levels and displays those objects that have permission over the selected subnets.

    How to generate the report

    1. Choose the domain from the Select Domain drop-down.
    2. Select the subnet(s) whose permissions you want to verify from the Subnets field.
    3. Use the Showing permissions on: drop-down to filter the results down to specific servers that were selected above.
    4. Click Generate.

    Object Permissions report

    This report lists the security principals that have permissions over all objects in the selected OUs. It is used for access reviews, security audits, and ensuring proper permission assignments.

    How it works

    To generate the Object Permissions report, ADManager Plus first fetches the selected objects. It then parses the access control lists to identify all security principals, such as users or groups, who have explicit or inherited permissions over these objects. These principals are mapped to their permission types, and the report displays who has access and what level of control they hold.

    How to generate the report

    1. Choose the domain from the Select Domain drop-down.
    2. Select the users, groups, computers, or OUs for which you wish to view the security permissions from the Select Objects field.
    3. Click Refine Result to select either Users, Groups, Computers, or All objects.
    4. Use the Showing permissions on: drop-down to filter the results down to specific objects that were selected above.
    5. Click Generate.

    Non-Inheritable Objects report

    This report lists AD objects that don't inherit permissions from parent objects within the selected domain(s). It helps identify security exceptions and provides details like object name, permission type, and access rights for audit and compliance purposes.

    How it works

    To generate the Non-Inheritable Objects report, ADManager Plus scans the selected domain and fetches all AD objects. It then checks whether the Enable Inheritance option is disabled for these objects. Objects with inheritance disabled are listed in the report, along with their direct permissions.

    How to generate the report

    1. Choose the domain from the Select Domain drop-down. You can also select the desired OUs if required.
    2. Click Generate.
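
    The data behind the Object Permissions and Non-Inheritable Objects reports can be cross-checked with the RSAT ActiveDirectory module by reading each object's nTSecurityDescriptor. This is an added example, not ADManager Plus code; the function name Get-AdExplicitAce, its parameters, and the sample distinguished name are assumptions.

```powershell
# Added example (not ADManager Plus code): read-only scan of AD object ACLs.
# Function name, parameters and the sample DN are hypothetical.
Import-Module ActiveDirectory

function Get-AdExplicitAce {
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # DN of the OU or domain to scan
        [switch]$OnlyInheritanceDisabled            # keep only objects that block inheritance
    )
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * `
                 -Properties nTSecurityDescriptor |
    ForEach-Object {
        $obj = $_
        $sd  = $obj.nTSecurityDescriptor
        if (-not $sd) { return }   # descriptor not readable with the caller's rights
        if ($OnlyInheritanceDisabled -and -not $sd.AreAccessRulesProtected) { return }
        # GetAccessRules(includeExplicit, includeInherited, targetType)
        $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
        foreach ($ace in $rules) {
            [pscustomobject]@{
                Object              = $obj.DistinguishedName
                ObjectClass         = $obj.ObjectClass
                Account             = $ace.IdentityReference.Value
                AceType             = $ace.AccessControlType      # Allow / Deny
                Rights              = $ace.ActiveDirectoryRights  # e.g. GenericAll, WriteDacl
                AppliesTo           = $ace.InheritanceType        # None, All, Descendents, ...
                InheritanceDisabled = $sd.AreAccessRulesProtected
            }
        }
    }
}

# Objects under one OU that block inheritance, with the ACEs set directly on them
$ou = 'OU=Servers,DC=example,DC=com'   # constructed placeholder DN
Get-AdExplicitAce -SearchBase $ou -OnlyInheritanceDisabled |
    Sort-Object Object, Account |
    Format-Table Object, Account, AceType, Rights -AutoSize
```

    Members of protected groups normally appear in this output because AdminSDHolder disables inheritance on them by design, so review those entries separately from unexpected exceptions.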
