Quick Start
6 minute read
Introduction
DocusnapSports GmbH, a growing company in the field of digital sports data analytics, operates several file servers to store sensitive team, performance, and contract data. Following an internal audit, it was decided to review the permission structure of all file shares, focusing on:
- Which users or groups have explicitly assigned permissions?
- Are there orphaned SIDs, disabled accounts, or overprivileged groups?
- Do employees have access to data they don’t need?
To address these questions, the NTFS Analysis in Docusnap365 is used.
Objective
This quick start guide covers the following core analyses:
- Inventorying NTFS permissions on one or more file servers via the Docusnap Enterprise Gateway
- Evaluating explicitly assigned permissions to identify potential exceptions or special rights
- Detailed analysis of individual folders, focusing on share, inherited, and explicit NTFS permissions
- Calculating effective permissions for a specific user (principal), including group inheritance and share rules
- Filtering analysis results to show only folders a user actually has access to
- Deriving concrete actions for audits, permission cleanup, or GDPR requests based on the analyzed data
Step 1: Start NTFS Inventory
An interactive job is created under Inventory > Analysis Jobs. Connection to the target system is established via the Docusnap Enterprise Gateway.
Note on permission structure:
Different areas of NTFS inventory require different permissions:
Share detection & local system data
→ Requires administrative rights on the target system (e.g., local admin or domain account)Active Directory (users, groups, SIDs)
→ Requires read access in AD (e.g., default domain user rights)NTFS permissions (ACLs on folders and files)
→ Requires read access to the file system structure – typically through membership in “Backup Operators” or equivalent read/security rights
The following information is required for the quick start:
- IP address or server name
- Domain
- Username
- Password
- Shares (comma-separated, e.g.,
Finance$,HR$,Projects)
After entering the data, the job can be started immediately or scheduled for later.
Placeholder Screenshot: Create Job
Step 2: View Analysis Results
Once completed, the job appears under Analysis > NTFS Analysis. This view lists all previously performed NTFS analyses — including domain, shares analyzed, timestamp, and organization.
Clicking an entry opens the analysis view, where you can filter by folder, user, and security context and carry out deeper evaluations.
Placeholder Screenshot: Analysis Overview After Inventory
Step 3: Quick Analysis – Explicit Permissions
Using the “Explicit Permissions” quick analysis, you can identify directories where direct (non-inherited) permissions have been assigned. These are often exceptions to standard models — and a common gateway for security vulnerabilities, shadow permissions, or permission sprawl.
Such permissions often arise from manual exceptions, e.g., helpdesk, project teams, or department needs — usually without follow-up cleanup.
The analysis provides a tabular view of all explicitly set rights — regardless of whether they were deliberately or accidentally assigned.
Each row shows:
- the UNC path to the folder
- the security principal (user or group) the right was granted to
- the type (e.g., domain user)
- the account status (active/inactive)
- the origin of the principal (domain)
You can filter the view by username, path, status, or type — e.g., to show only active domain users with rights to “HR” directories.
Placeholder Screenshot: Quick Analysis Explicit Permissions
Step 4: Folder Detail View
A folder containing sensitive financial data is opened. The detail view shows:
- Which rights come from the share
- Which permissions were inherited
- Which were explicitly assigned
To access this view, expand the share tree on the left and select the desired folder. The right pane shows the permission matrix, detailing all assigned rights.
Matrix sections:
- Share Permissions – rights at the
\\server\sharelevel - Inherited NTFS Permissions – inherited from parent folders
- Explicit NTFS Permissions – directly assigned on this folder
Rights are grouped by:
- Basic permissions (e.g., Read, Modify, Full Control)
- Advanced permissions (e.g., Delete, Write Attributes)
- Inheritance context (e.g., This folder only, This and subfolders)
Meaning of Symbols
| Symbol | Meaning |
|---|---|
| ✅ Green | Permission is explicitly granted |
| ❌ Red | Permission is explicitly denied |
| 🟠 Orange | Right applies only to subfolders, not the selected folder |
Orange is a special case: it means a right is defined but only applies to the folder’s substructure, not to the selected folder itself.
Denied rights (red) override granted rights — regardless of inheritance or group membership.
This structured view prepares for the next step: calculating effective permissions, merging share, inherited, and explicit rights.
Placeholder Screenshot: Folder Rights Matrix
Step 5: Analyze Effective Permissions of a User
A staff member is added via “Add Principal” to check access to sensitive HR data. Docusnap365 shows the user’s effective rights — those resulting from the combined paths, group memberships, and inheritance layers.
Permission Hierarchy
Effective permissions are calculated from a cascaded structure:
Share Permissions
Control basic access to the share. Act as a limiter — they can’t grant more than allowed.Inherited NTFS Permissions
Apply to subfolders unless inheritance is broken. Often result from group permissions at higher levels.Explicit NTFS Permissions
Assigned directly and can override or supplement inherited rights.Group Memberships
A user may belong to multiple groups — directly or through nested groups. Docusnap365 resolves these automatically.
By evaluating all layers — including indirect group links — a clear picture of the user’s effective access is generated.
The familiar matrix view displays green check marks for active rights. At a glance, you can see if the user has too many, too few, or the correct rights.
Placeholder Screenshot: User’s Effective Permissions
Step 6: Working with Filters
To refine the analysis, Docusnap365 includes a powerful filter function. It limits the view to relevant folders and results — especially for analyzing a specific user’s effective permissions.
Filtering by Principal
After selecting a user via “Add Principal”, a filter can be activated on the left pane. It ensures that only folders where the user has effective permissions are displayed in the share tree.
This narrows the display to:
- Only relevant directories
- Clear view of critical areas
- Significant noise reduction in large environments
Example: User “a.dunn”
Here, user a.dunn is added. After activating the filter, only folders where a.dunn has rights are displayed — e.g., \\DOSPFS06\HR.
In the matrix, a.dunn has read rights and some extended permissions — but no modify or delete rights.
Benefit: Admins instantly see where the user has access — without navigating irrelevant structures.
This step is crucial when preparing for audits, permission cleanup, or GDPR requests, as it enables precise, per-user documentation — free of clutter.
Placeholder Screenshot: Filter Active for User “a.dunn”
Result
In just a short time, DocusnapSports GmbH was able to:
- Identify security risks from exceptional permissions
- Detect orphaned or inactive accounts with access
- Trace who can actually access sensitive folders
- Build a foundation for structured permission cleanup
The analysis results form the basis for targeted cleanup steps — such as removing orphaned or excessive rights and enforcing the least privilege principle within a consistent IT security strategy.
NTFS analysis in Docusnap365 enables well-founded, traceable support for recurring audits, GDPR requests, or migration projects.