How it works

How does Permission Analyzer work?

Permission Analyzer supports different setups: it can use either the embedded database or a central database server to share the scanned network data, filter definitions and reports. Please find the different overview diagrams below.


Use the embedded database to scan NTFS permissions and to create overviews

The default setup uses a single workstation or server. The scanning is done from that single machine and the information is stored in a local database file. The disadvantage of this setup is that the scanned information cannot be shared and that the workstation or server has to scan all the remote file systems, which has the overhead of reading remote NTFS permissions over the network:
Use the embedded database to scan NTFS permissions and create overviews
Performance depends a lot on the network setup and hardware. Scanning local files with a local database processes about 25,000 files per minute and takes 1 MB of database storage per 1000 files or directories. When scanning a NAS or using a remote database, much of the performance depends on the network environment.

Use a central database server to scan NTFS permissions and to share network data, filter definitions and reports

The second setup has a shared (external) database, which means that other team members and workstations can use the scanned information in the database to create overviews. The application supports Oracle, MSSQL, DB2, MySQL, PostgreSQL, H2 and Derby out of the box. User reports, policies and filter sets are stored in the database, so when you use a central database you can share that information between all clients and workstations. Note that each workstation requires a license: Permission Analyzer is licensed on a per-installation basis. The Basic and Standard Editions do not support the use of an external database.
Use a central database server to scan NTFS permissions and to share network data, filter definitions and reports

Install Permission Analyzer on each file server and scan files locally while using a central database server to share information

The third setup can avoid reading remote permissions over the network and makes it possible to scan the file systems simultaneously. Every file server scans its own local permissions and submits the information to a central database. Reading local permissions is a lot faster, and the file servers can run their scans in parallel. The file servers only require a (cheaper) Scan Agent license, which supports scanning the network but not reporting. A Scan Agent is the same application installation (and the same download from the website), but it is activated with a Scan Agent license, which only activates the scanning features of the application.

Use scan agents on the different file servers to scan NTFS permissions

Every scan agent can be scheduled with Windows Scheduled Tasks in combination with the application parameter “-scan”. The scan results of every agent can be viewed in a centralized view, either on one of the scan agents or on your workstation.

Using PowerShell scripts

PowerShell is a native Microsoft scripting solution that allows you to scan the ACLs of directories and files. PowerShell scripts are executed on the remote server (if necessary) and the result is saved locally. So instead of scanning the network with Permission Analyzer, you can use a PowerShell script to export all the ACL information to a text file, which can then be imported into Permission Analyzer. Open a command prompt and type “powershell”; you should see a prompt that starts with “PS”. Copy and paste one of the following scripts into the command line to export permissions.

PowerShell script to export the ACL of all (sub)directories and files to a text file:
(you can also use a network share as the path; this will run the script locally on the remote server)
# Walk the tree recursively, sort for a stable output order and read the ACL of each item
Get-ChildItem "C:\MyFolder" -Recurse | Sort-Object FullName | %{
$Path = $_.FullName
$IsDirectory = $_.PsIsContainer
(Get-Acl $Path) | Select-Object `
@{n='Path';e={ "$Path, d=$IsDirectory" }},
@{n='Access';e={ [String]::Join("`n", $( $_.Access | %{
# One line per ACE: identity, Allow/Deny, inherited, inheritance flags, propagation flags, rights
"$($_.IdentityReference), $($_.AccessControlType), $($_.IsInherited), $($_.InheritanceFlags), $($_.PropagationFlags), $($_.FileSystemRights)" })) }}
} | Format-List | Out-File -FilePath C:\temp\permission_export.txt -Encoding UTF8

PowerShell script to exclude files (and only export directories):
# ?{ $_.PsIsContainer } keeps only directories, so files are not exported
Get-ChildItem "C:\MyFolder" -Recurse | Sort-Object FullName | ?{ $_.PsIsContainer } | %{
$Path = $_.FullName
$IsDirectory = $_.PsIsContainer
(Get-Acl $Path) | Select-Object `
@{n='Path';e={ "$Path, d=$IsDirectory" }},
@{n='Access';e={ [String]::Join("`n", $( $_.Access | %{
"$($_.IdentityReference), $($_.AccessControlType), $($_.IsInherited), $($_.InheritanceFlags), $($_.PropagationFlags), $($_.FileSystemRights)" })) }}
} | Format-List | Out-File -FilePath C:\temp\permission_export.txt -Encoding UTF8

PowerShell script to exclude inherited permissions:
# ?{!$_.IsInherited} keeps only explicit (non-inherited) ACEs, i.e. the places where inheritance was broken
Get-ChildItem "C:\MyFolder" -Recurse | Sort-Object FullName | %{
$Path = $_.FullName
$IsDirectory = $_.PsIsContainer
(Get-Acl $Path) | Select-Object `
@{n='Path';e={ "$Path, d=$IsDirectory" }},
@{n='Access';e={ [String]::Join("`n", $( $_.Access | ?{!$_.IsInherited} | %{
"$($_.IdentityReference), $($_.AccessControlType), $($_.IsInherited), $($_.InheritanceFlags), $($_.PropagationFlags), $($_.FileSystemRights)" })) }}
} | Format-List | Out-File -FilePath C:\temp\permission_export.txt -Encoding UTF8

The resulting text file has the following format:
Path : <path>
Access : <member>, <Allow/Deny>, <inherited ACE>, <inheritance flags>, <propagation flags>, <permissions>
<member>, <Allow/Deny>, <inherited ACE>, <inheritance flags>, <propagation flags>, <permissions>

For example:
Path : \\server01\Data\Projects\Finance, d=True
Access : YOURDOMAIN\Domain Admins, Allow, True, None, None, FullControl, Synchronize
YOURDOMAIN\pbrandon, Allow, True, ContainerInherit, InheritOnly, ReadAndExecute, Synchronize
YOURDOMAIN\gwatson, Allow, True, None, None, FullControl, Synchronize
YOURDOMAIN\Project Office, Allow, True, ContainerInherit, ObjectInherit, InheritOnly, Modify, Synchronize
YOURDOMAIN\Finance Auditors, Allow, True, None, None, FullControl, Synchronize

Path : \\server01\Data\Projects\Finance\Results, d=True
Access : YOURDOMAIN\Domain Admins, Allow, True, None, None, FullControl, Synchronize
YOURDOMAIN\pbrandon, Allow, True, ContainerInherit, InheritOnly, ReadAndExecute, Synchronize
YOURDOMAIN\gwatson, Allow, True, None, None, FullControl, Synchronize
YOURDOMAIN\Project Office, Allow, True, ContainerInherit, None, None, Modify, Synchronize
YOURDOMAIN\Finance Auditors, Allow, True, None, None, FullControl, Synchronize
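The export format above, parsed and checked in Python as an added example (this is not Permission Analyzer's own importer or code from the page): the embedded sample export is constructed, the admin-group name and the three review checks are assumptions, and the parser handles the one awkward property of the format, that the inheritance, propagation and rights fields are themselves comma-separated lists (as in “ContainerInherit, ObjectInherit”), for any flag combination rather than only the cases shown in the sample.

```python
# Constructed sample in the page's export format (not real scan data).
SAMPLE_EXPORT = r"""Path   : \\server01\Data\Projects\Finance, d=True
Access : YOURDOMAIN\Domain Admins, Allow, True, None, None, FullControl, Synchronize
         YOURDOMAIN\Project Office, Allow, True, ContainerInherit, ObjectInherit, InheritOnly, Modify, Synchronize
         YOURDOMAIN\gwatson, Allow, False, None, None, FullControl, Synchronize
         YOURDOMAIN\Temp Contractors, Deny, False, None, None, Modify, Synchronize

Path   : \\server01\Data\Projects\Finance\budget.xlsx, d=False
Access : YOURDOMAIN\Domain Admins, Allow, True, None, None, FullControl, Synchronize"""

def _take_flags(tokens, names):
    # One enum field is a lone "None" or a run of known flag names; whatever follows is the next field.
    n = 0
    while n < len(tokens) and (tokens[n] in names or (n == 0 and tokens[n] == "None")):
        n += 1
    return ", ".join(tokens[:n]), tokens[n:]

def parse_ace(line):
    # Flags and rights are all comma-separated, so the fields are recovered by consuming known flag names.
    tokens = [t.strip() for t in line.split(",")]
    if len(tokens) < 6:
        raise ValueError(f"malformed ACE line: {line!r}")
    inh, rest = _take_flags(tokens[3:], ("ContainerInherit", "ObjectInherit"))
    prop, rights = _take_flags(rest, ("NoPropagateInherit", "InheritOnly"))
    return {"identity": tokens[0], "type": tokens[1], "inherited": tokens[2] == "True",
            "inheritance": inh, "propagation": prop, "rights": ", ".join(rights)}

def parse_export(text):
    # Format-List layout: a "Path :" line, an "Access :" line, then indented continuation ACEs.
    entries, current = [], None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        key, _, value = (p.strip() for p in line.partition(":"))
        if key == "Path":
            path, _, is_dir = value.rpartition(", d=")
            current = {"path": path, "is_dir": is_dir == "True", "aces": []}
            entries.append(current)
        elif current is None:
            raise ValueError("ACE line before any Path line")
        else:
            current["aces"].append(parse_ace(value if key == "Access" else line))
    return entries

def review(entries, admin_groups=frozenset({r"YOURDOMAIN\Domain Admins"})):
    # Auditor's first pass (assumed checks): explicit ACEs, Deny entries, FullControl outside admin groups.
    checks = (("explicit ACE", lambda a: not a["inherited"]),
              ("Deny ACE", lambda a: a["type"] == "Deny"),
              ("FullControl outside admin groups",
               lambda a: "FullControl" in a["rights"] and a["identity"] not in admin_groups))
    return [(e["path"], a["identity"], why) for e in entries for a in e["aces"]
            for why, hit in checks if hit(a)]
```

The same parser reads a real permission_export.txt when given its contents; the `admin_groups` set should then be replaced by the groups that are allowed FullControl in your environment.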

Importing the PowerShell results
The text file that has been created can be imported into Permission Analyzer through the import dialog.

You can now scan the content of the text file the same way you would scan a directory or share. Use the same command line option (“-scan”) to scan the text file periodically using Windows Scheduled Tasks. Note that Permission Analyzer scans ACLs more than twice as fast as the provided PowerShell scripts.

Tip: Zip the text file to save storage and import the zip file directly into Permission Analyzer; the application recognizes the zip extension.

Permission Analyzer also supports files exported from an EMC Isilon NAS. See the Help button in the import dialog for more information.
