Documentation for SolarWinds

Permissions Analyzer tool

Use the Permissions Analyzer tool in ETS for the Desktop to get a complete hierarchical view of the effective permissions and access rights for a specific file folder (NTFS) or share drive. You can see what permissions a user has and from where (group membership or direct permissions).

Open the Permissions Analyzer tool

  • To launch the tool from the Toolset Launch Pad, locate the Config Transfer tool and click Launch.

  • You can also add the tool to a tab in the Workspace Studio, and access it from there.

About using active domain controllers

To give the tool access to permission and security information, admin rights are needed for every path being analyzed. Usually (but not always) the domain admin account has admin rights to local machines. The "active" domain controller account is used when accessing the specified path's local file system permissions and memberships. The "non-active" credentials are used when collecting membership information from Active Directory. A user might be a member of a group which, in turn, might be a member of another group, and so on. Because one of those groups might originate from another domain, the tool checks the credential collection for a credential set that can be used on the remote domain to acquire information. If no match is found, the active domain credentials are used. Because an IP address or device name is accepted, you can specify the exact domain controller you want to use for a given domain.

Impersonate privilege on a domain controller

To function properly, the Permissions Analyzer tool must impersonate a domain admin account. Impersonation is a privilege that most workstations are granted by default. Most servers are granted this privilege by default as well. However, domain controllers are generally not granted the impersonation privilege by default. When run on a domain server, the tool fails to access all the security elements required for analysis unless the following steps are taken. SolarWinds does not recommend running this tool on domain controllers, but if you are required to do so, complete the following steps to manually assign the "Impersonate a client after authentication" user right.

  1. Click Start > Programs > Administrative Tools > Domain Controller Security Policy.

  2. Click Security Settings.

  3. Click Local Policies, and then click User Rights Assignment.

  4. In the right pane, double-click Impersonate a client after authentication.

  5. In the Security Policy Setting window, click Define these policy settings.

  6. Click Add, and then click Browse.

  7. In the Select Users or Groups window, select the account name or names (admin, user, etc.), click Add, and then click OK.

  8. Click OK, and then click OK again.

  9. To enforce an update of computer policy, use either the secedit or gpupdate command, depending on your operating system.
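After the policy refresh in step 9, it is worth confirming exactly which accounts now hold the right. The following PowerShell is an added example, not SolarWinds code: it exports the effective user rights with `secedit` and lists every holder of `SeImpersonatePrivilege` (the internal name of "Impersonate a client after authentication"). The function name `Get-ImpersonatePrivilegeHolder` is hypothetical, and the script assumes an elevated session on the machine being checked.

```powershell
# Added example (not SolarWinds code): list who holds "Impersonate a client after
# authentication" (SeImpersonatePrivilege) in the effective policy. Run elevated.
function Get-ImpersonatePrivilegeHolder {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Optional path to an existing "secedit /export" file; exported fresh if omitted
        [string]$ExportPath
    )
    $cleanup = $false
    if (-not $ExportPath) {
        $ExportPath = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
        secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
        $cleanup = $true
    }
    try {
        $line = Get-Content -Path $ExportPath |
            Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s*=' } |
            Select-Object -First 1
    } finally {
        if ($cleanup) { Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue }
    }
    if (-not $line) { return }   # the right is not defined in this export

    # Built-in principals that hold this right in Microsoft's default policy:
    # LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE
    $builtin = 'S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'

    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # "*S-1-..." entries are SIDs; resolve them to account names
            $sid = $entry.TrimStart('*')
            try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                      [System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
        } else {
            # Entries without "*" are account names; resolve them to SIDs
            $name = $entry
            try { $sid = ([System.Security.Principal.NTAccount]$entry).Translate(
                      [System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = '<unresolved>' }
        }
        [pscustomobject]@{ Account = $name; Sid = $sid; BuiltIn = $builtin -contains $sid }
    }
}

# Accounts added through the policy steps above appear with BuiltIn = False
Get-ImpersonatePrivilegeHolder | Sort-Object BuiltIn | Format-Table -AutoSize
```

Rows with `BuiltIn = False` are the accounts granted the right beyond the built-in principals; compare them against the accounts selected in step 7, and remove any that are no longer needed once the analysis is finished.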

Configure Permissions Analyzer

Secure connections to Active Directory are not supported.

  1. Open the Permissions Analyzer tool.

    The first time you start Permissions Analyzer, the settings window opens automatically.

  2. If the Settings window does not automatically open, click the Adjust Settings icon.

  3. Enter the domain controller host name or IP address in the Domain Controller Name or IP Address field.

  4. Enter the name of the domain in the Domain Name field. Use the full name of the domain.

  5. Enter the domain admin user name and password in the associated fields, and then click Add Domain Credential.

  6. If you want to add additional domain controllers, repeat the previous steps. Add a domain entry for each domain your query will need file, user, or parent information for.

  7. Select one entry to be the Active Domain. This is the domain that is hosting the share, folder, or file you are finding permissions for.

  8. Click OK.

Using Permissions Analyzer

  1. Type the user name or account name of the group or user you want to view in the Group or User field.

  2. Click the search button to the right of the Group or User field. This allows you to verify the account exists before performing the analysis.

  3. Click Browse, navigate to the file or folder you want to view permissions for, and then click OK.

  4. Click Analyze.

Accessing Share Permissions

To analyze Share Permissions, the tool needs to read the selected target machine's registry. This functionality is provided by Remote Registry Service on the target machine. If the service is not running, the tool will not be able to read the machine's registry and will not show Share Permissions.

To enable Remote Registry Service on a target machine:

  1. Click Start > Run, type services.msc, and then press Enter.

    Microsoft Management Console starts with the Services snap-in open.

  2. In the console pane, right-click Remote Registry and click Start.