Q: I need a good way to analyze file server permissions. I’ve just taken over from the previous administrator, and the file server’s permissions need to be reworked. However, before I start, I need to be able to analyze permissions on multilevel folder hierarchies without manually searching each one. In particular, I need to know which subfolders and files (at any level) have non-inherited permissions specifically defined.
A: You're right—it's difficult to identify which objects below a certain folder have specific non-inherited permissions as opposed to inherited parent permissions. Although the ability to define new permissions at any level of the folder hierarchy makes for good flexibility, it also increases the complexity and risk of inappropriate permissions because any subfolder or file can have permissions that override the parent and possibly make the child object more or less accessible to various users and groups. The problem is exacerbated by the fact that there's no way to identify such objects when you're using the standard Windows interface without looking at each object’s permissions manually.
Thankfully, there's a cool tool called AccessEnum available from Microsoft (formerly available from Sysinternals) that identifies such objects for you. AccessEnum compares a folder’s permissions to each of its child objects' permissions and shows you only the child objects whose permissions are less restrictive than their parent's. You can download AccessEnum for free from www.microsoft.com/technet/sysinternals/Security/AccessEnum.mspx. After you open AccessEnum (there's no installation or setup required), the program lets you enter a folder and click Scan. If you want to see all child objects whose permissions differ in any way from the parent's, click Options, File Display Options and select Display files with permissions that differ from parent. Note that AccessEnum analyzes only Read, Write, and Delete permissions.