FileAudit offers reports that allow you to view the permissions of your files and folders, as well as attempts to change permissions and ownership:
This report shows all changes to NTFS permissions in an easy to read view that can be exported or scheduled. You can report on which user performed the permission change, when, to which file and folders, and the user or group affected by the change.
The report displays the permissions changes on files and folders in two tables: The Main view and Expended views. The main view shows each event for a permission change, and each event can be expanded to show a table of the details that were changed.
The main view displays the permissions changes with the following columns:
- Date and Time: When the change occurred
- Path: The file or folder where the permission change was made
- User: The user who made the changes on the concerned file/folder
- Principal: The user or group impacted by the permissions changes on the file/folder
- Change: Displays if the permissions for the user or group (Principal) have been added, removed, or modified
Other columns that can be added by right clicking on the black bar and selecting "column chooser":
- Client IP address
- Client name
- Object type
Filters can be applied to the main view.
The expanded view is available for each event and is accessible from the main view, by selecting the plus button on the left of the line to expand the desired file/folder to display change details.
This view displays the permissions changes with the following columns (each line represents one principal in the current deployed line of the main view):
- Principal: The user or group impacted by the permissions changes on the file/folder.
- Change: Displays if the permissions for the user or group (Principal) have been added, removed, or modified.
- Type: Indicates the access type, whether "Deny" or "Allow" If this value is crossed out, it means it has been removed. If it has been modified, there will be an arrow pointing to the new value.
- Inherited: Indicates if the permission is inherited from a parent.
- Applies to: Indicates the propagation of the permissions on subfolders and files. Displays "None" for files. If this value is crossed out, it means it has been removed. If it has been modified, there will be an arrow pointing to the new value.
- Old permissions: The permissions before the changes.
- New permissions: The permissions after the changes.
By default, the "Old permissions" and "New permissions" columns are displayed with Basic permissions. To display Advanced permissions, simply choose the "Advanced permissions" tab on the top of the detailed table. Conversely, select the "Basic permissions" tab to go back to Basic permissions view.
You can display an instantaneous view of permissions from a previously generated snapshot of your audited paths. You can generate and display a snapshot immediately or schedule one for a specific time.
In these condensed reports, you will see permissions for the root folder of every configured path. For child files or folders, permissions will be displayed only if the permissions are different from their parent.
This means that if a file or folder doesn’t appear in this report, its permissions are exactly the same as its parent.
Permission reports can be displayed in simple or in advanced mode as they are defined in the Windows File Explorer.
Display simple permissions of files and folders:
- Permission type (allow or deny)
- Full control
- Read and Execute
- List Folder Contents
- Special permissions
Display advanced permissions of files and folders:
- Permission type (allow or deny)
- Full control
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
- Create files / write data
- Create folders / append data
- Write attributes
- Write extended attributes
- Delete subfolders and files
- Read permissions
- Change permissions
- Take ownership
The simple and advanced permissions reports require the generation of snapshots. Click here for more information on how to generate snapshots.
- Path: You can display events on files and/or folders. Take note:
- The ‘Path(s)’ field of the ‘File Access Viewer’ supports ‘*’ (any string) and ‘?’ (any character) wild characters.
- If you enter a file/folder path not currently monitored, FileAudit will detect and propose that the audit configuration be set up via its wizard. Follow the different steps to configure the NTFS audit for this new path.
- Inherited: Indicates whether file/folder attribute is marked as Inherited from a parent folder. Display events for Yes, No or Both types of attributes.
- Permissions Type: Indicates file/folder whether attribute marked as Allow or Deny for the basic set of permissions. Display events for Yes, No or Both types of attributes.
- Owner: Select events based on the Owner of the File/Folder
Attempts to change permission or take ownership
These two reports are based on access events, not on snapshots like the previous 2 reports:
- Permission Change Report: A user attempted to change permissions on a file/folder.
- Ownership Change Report: A user attempted to take ownership of the file/folder.