Archive for the ‘Windows Reporting’ Category

Audit NTFS security in the Windows network

Tuesday, August 2nd, 2011

We have released a new security audit solution, NTFS Security Auditor, to manage NTFS permissions and security in the Windows network.

Vyapin’s NTFS Security Auditor audits the NTFS security across your Windows network. It gives a complete inventory report of all the users and their permissions to the Files/Folders/Shares. You can track unauthorized access to important files and folders, thereby protecting intellectual property and maintaining confidentiality across your network environment.

NTFS Security Auditor is a simple audit application targeted at System Administrators, IT infrastructure managers and System Audit personnel to assist in network security scrutiny. The powerful built-in reports help in both management reporting and IT Audit & Compliance reporting such as SOX and HIPAA.

Features at a Glance

  • Multiple domain NTFS permissions reporting with multiple dimensions – reports folders/files access using users/groups dimensions and users/groups with permission dimensions.
  • Analyze inadvertent user access.
  • Report on explicit user/group permissions.
  • Summarize shares on individual workstations for the entire domain.
  • Search on user/group permissions on selective files/folders using conditions.
  • Scan specific accounts and computers in the domains.
  • Export audit reports to MS-Access/HTML/XLS/PDF/TIFF/CSV format.

Download the 15-day trial version from the product home page.

Vyapin’s Audit solution for Active Directory

Friday, May 6th, 2011

Vyapin’s Audit solution for Active Directory helps you to take complete control over your auditing and reporting needs for your entire Active Directory. Vyapin’s solution lets you audit not only your entire AD configuration but also audit all the changes that occur over a period of time in your AD.

Vyapin provides two product solutions for your AD audit – Admin Report Kit for Active Directory (ARKAD) and Active Directory Change Tracker (ADChangeTracker). 

The ARKAD product generates a variety of reports that help you understand how your AD has been configured, document everything that resides in your AD, and review and analyze all the security controls that have been implemented. The ADChangeTracker product helps you document and analyze all critical changes made to your AD by reporting what exactly changed (along with the new and old values), when the change was made and where in your Active Directory it happened. The tool also determines who made the change by looking up the Security Event logs of your audit-enabled Active Directory.

The two solutions work together to provide one comprehensive solution that addresses all the reporting needs of AD Administration, Change Management and Compliance. Having both products in your tool chest eliminates the need to create your own custom scripts or rely on small freeware scripts and tools that serve a very limited purpose.

The ARKAD solution helps you to

  • Perform a complete AD Security Audit - Who has access to what in your Active Directory
  • Audit and Track AD Users and Groups information – how users and groups have been provisioned and organized, including complex nested groups and multi-group memberships.
  • Identify and report on all control related aspects of User account management – Password Expiry, Password setting, Last logon etc. 
  • Take complete control of OU management – report on OUs, Delegation of administration, Group policies etc.

The ADChangeTracker solution helps you to

  • Track and audit all changes made to Active Directory, across your enterprise. Track changes to critical OUs and containers. Track GPOs for changes.
  • Track changes with or without using Active Directory’s native auditing capabilities.
  • Track all critical changes by consolidating Active Directory audit events from all your domain controllers’ security event logs.
  • Store several years of Change data in a SQL database for security, compliance and regulation purposes.
  • Search your entire Change History using powerful Search criteria – search for additions, deletions and modifications on specific users, groups, OUs, object property values etc.

Exchange Server Security Reports

Tuesday, November 30th, 2010

Microsoft Exchange Administrators need to constantly monitor various objects in Exchange, especially when granting permissions for mailboxes and public folders. Managing permission levels can be quite challenging as certain permissions are explicitly defined, while others are inherited by virtue of membership (‘who has access to what and how?’). 

Exchange Admins constantly face the challenge of granting or revoking permissions on various Exchange objects and retrieving them for Internal Audit and IT Compliance purposes.

The following tasks require periodic attention when managing an Exchange environment (to name a few):

  • Enumerate the list of users and groups and their permission levels, both those set by default and those inherited by virtue of their membership, when accessing common resources such as public folders, mailboxes etc.
  • Perform ‘Sanity checks’ on various Exchange objects to ensure adherence to IT policies & governance.
  • Retrieve configuration and security related settings defined across each object for documentation purposes.
  • Track user activities in the context of resource access and utilization.
  • Monitor security settings of individual mailboxes at the folder level.
  • Manage security settings associated with Storage Groups, rights and permissions associated with individual mailboxes, permissions defined for various distribution groups and client access permissions on Public Folders in an Exchange environment.
  • Manage disabled mailboxes that are part of distribution groups and have access to public folders etc.
Admin Report Kit for Exchange Server (ARKES) reports critical configuration information of the various objects associated with the Exchange Server as several insightful reports. The following are some of the built-in reports that are useful for Exchange Administrators and IT Managers in managing the Exchange environment.

    1. Mailbox Rights Report:

    Mailbox Rights report provides information about the mailboxes and the rights that are associated with them. The final report displays mailbox related information with the rights granted and their access type (Allow or Deny).

    Report fields: Owner, Name, Type, Permissions, Display Name, Alias Name, Fully qualified domain name of object, First name and Last name.

    You can group the report by Permissions field to enumerate the users with specific permissions corresponding to the mailboxes.

    2. Mailbox Permissions Report:

    Mailbox Permissions report gives information about the permissions associated with the mailbox.

    Report Fields: First name, Last name, Owner, Name, Type, Permissions, Display Name, Alias Name, and FQDN of the object.

    To know who has maximum permissions corresponding to a mailbox, the above report can be grouped by the Permissions field.

    To know who the owner of a mailbox is, the above report can be grouped by the Owner field.

    3. Mailbox default folder security:

    Mailbox default folder security report gives the security settings defined on the various folders such as the Inbox, Sent Items etc. corresponding to the mailbox. The folders are listed against their corresponding permissions level for each mailbox. 

    Report Fields: Display Name, Alias Name, Fully qualified domain name of object, First name, Last name, Folder Name, Account Name, and Permission Level.

    The above report when grouped by Permission Level would provide the Permission level of users for various folders within a mailbox.

    4. Mailbox Size Report:

    Mailbox Size Report provides the Mailbox size settings and other relevant details about the mailbox usage.

    Report Fields: Home Server, Mailbox Store, Storage Limits Settings, Issue warning at (KB), Prohibit send at (KB), Prohibit send and receive at (KB), Mailbox, Windows NT Account, Total K, Total no of Items, Last Logon Time, Last Logoff Time, Deleted Items K, Full Mailbox Directory Name, Total no of Associated Messages, Display Name, Alias Name, Fully qualified domain name of object, First name and Last name.

    To sort the Mailboxes by their Size, the above report can be grouped by ‘Total K’. 

    The above report, when grouped by Total K, shows the largest mailboxes in the Exchange Server.

    5. Mailbox First Activity and Last Activity Report:

    Mailbox Activity Report displays the dates of First activity and Last (recent) activity performed by the mailbox user. 

    Report Fields: Deleted Items activity date, Deleted Items message count, Deleted Items size (KB), Inbox activity date, Inbox message count, Inbox size (KB), Sent Items activity date, Sent Items message count, Sent Items size (KB), Display Name, Alias Name and Fully qualified domain name of object.

    6. Mail Users Permissions report:

    Mail Users Permissions report retrieves permissions associated with the mail user and its access type (Allow or Deny).

    Report Fields: Display Name, Alias Name, Fully qualified domain name of object, First name, Last name, Owner, Name, Type, and Permissions.

    The above report when grouped by Permissions field would give the list of users with full permissions and users with limited permissions.

    7. Mail User membership reports:

    Mail User membership report gives information about the groups that a mail user is a part of. The Primary group name and its group mail ID, along with the number of membership groups (groups of which the user is a member), are reported here.

    Report Fields: First name, Last name, Number of Membership groups, Member Of, Member of E-mail, Primary group name, Primary group E-mail, Display Name, Alias Name and Fully qualified domain name of object.

    Group the above report by Member Of to view group-wise information about the membership details of mail users.

    8. Distribution Group-Members report:

    Distribution Group-Members report enumerates the Distribution Groups and the corresponding details of individual members in the group. The number of individual members under the specific distribution group and their corresponding mail IDs are reported here.

    Report Fields: Display Name, Alias Name, Fully Qualified domain name of object, Number of Members, Members and Member E-mail.

    The above report when grouped by Members field would give the membership details of individual users in various distribution groups.

    9. Distribution Group-Membership report:

    Distribution Group Membership report gives the membership details of the specific distribution group. Membership details pertain to the groups that the specific distribution group is a part of. The number of members, their respective names and e-mail IDs are some additional fields in this report.

    Report Fields: Display Name, Alias Name, Fully Qualified domain name of the object, Number of Members, Members and Member E-mail.

    10. Distribution Group-Permissions report:

    Distribution Group Permissions report displays the permissions associated and their access type (Allow or Deny) corresponding to the individual users and groups. 

    Report Fields: Display Name, Alias Name, Fully Qualified domain name of object, Owner, Name, Type, and Permissions.

    The report, when grouped by ‘Permissions’, presents the above information permission-wise and allows the user to find users and groups with full-fledged permissions.

    11. Public Folder Membership report:

    Public Folder Membership report displays the membership details of the Public Folders. 

    Report Fields: Display Name, Alias Name, Fully qualified domain name of object, Number of Membership groups, Member Of, Primary group name, and Member Of E-mail.

    12. Public Folder Permissions report:

    Public Folder Permissions report enumerates the users and groups associated with the Public folder and their corresponding permissions. The type of permissions (Allow or deny) is also reported. This report would help IT administrators to track the maximum permissions allotted to an individual user or group against the specific public folder.

    Report Fields: Display Name, Alias Name, Fully qualified domain name of object, Owner, Name, Type, and Permissions.

    13. Public Folder-Client Permissions:

    Public Folder Client Permissions report provides information about the Client Permissions associated with the Public folders. The Mailbox store, Public Folder Tree and the corresponding Home Server are some of the critical information reported here. The scope of the information reported can range from Specific public folders to all public folders under a specific container.

    Report Fields: Display Name, Alias Name, Fully qualified domain name of object, Home Server, Mailbox Store, E-mail, Public Folder Tree, Path, Address List Name, Public Folder Description, Folder Path, and Client Permissions.

    14. List of Distribution Groups/Public folders that use disabled mailboxes in their security:

    Disabled mailboxes that continue to be part of the security settings of Distribution Groups and Public Folders are displayed in this report. Mailboxes that have been disabled for various reasons can thus be identified and removed with optimum resource utilization in mind.

    Report Fields: Object Path, Object Name, Display Name, Alias Name, Fully qualified domain name of object, Owner Name, and Type Permissions.

    15. Storage Groups Security Report:

    Storage Groups Security report gives information about the security settings corresponding to the Storage groups. The scope of the report can be widened to include further objects (administrative groups, servers, storage groups) at the user’s discretion. What if the user does not have access to the storage group? The user can still connect to the storage group and retrieve the required information by switching to a different set of credentials. The user can also set a password on the report to prevent unauthorized access, and can still save the settings for repeated use.

    Report Fields: Owner, Name, Type and Permissions.

    A quick walk-through of ARKES

    Report Scope

    ARKES allows the users to define the scope of each report and makes it possible for the users to retrieve enterprise strength data or pull out precise information about an entity. The scope of reporting can be fine-tuned based on the intended usage scenario of the solution. Deciding on the appropriate report scope would save time involved in processing large amount of Exchange data. 

    Figure 1: Search Scope

    Figure 1 shows the ‘Search Scope’, where the scope of the generated report can be restricted to a specific mailbox or widened to include all mailboxes within a specific container. The provision to include all containers throughout the organization, or to choose specific containers, also exists.

    Custom Report View

    ARKES allows users to specify the report fields and the Group by field to use when displaying the report. The customized report view can be stored as a template for future use.


    Figure 2: New Report View

    Figure 2 shows the available fields and the report fields that are selected for viewing. The users are empowered by ARKES’ inherent ability to customize reports and provide actionable information about Exchange infrastructure.

    An Example

    Let us assume that the Exchange Admin wants to enumerate the rights associated with a specific mailbox, say, David S. Robinson and the permissions granted to him in the public folders across the organization.

    To list the users and groups who have rights with respect to David S. Robinson’s mailbox, the Exchange administrator can use the Mailbox Rights Report and select the corresponding mailbox of David S. Robinson from the Recipient Picker dialog, as shown in the screenshot below.


    Figure 3: Recipient Picker dialog


    Figure 4: Screenshot of Mailbox Rights Report

    Figure 4 displays the Mailbox Rights associated with David Robinson’s mailbox. The First and Last names, Owner of the mailbox are some of the relevant information reported. The ‘Name’ field displays the Name of the Individual users and Groups and their rights in the corresponding mailbox. Their permission levels and the access type (Allow or Deny) are also reported.

    Let us see how ARKES displays the Permissions granted to David Robinson in various Public Folders. The Exchange administrator has to select the Public Folder Permissions report and then select the specific public folders, or choose from all public folders in specific containers. In this case, the Exchange administrator wants to know the permissions granted to David Robinson across all public folders (all containers in ‘Entire Organization’).


    Figure 5: Screenshot of Public Folder Permissions Report

    Figure 5 displays the Public Folder names and other relevant information corresponding to David Robinson as reported by the Public Folder Permissions Report. The type of permission that David has on the listed public folders and the exact permissions granted are also reported.

    For more information on ARKES, please refer to our product home page.

    ARK for Windows Enterprise (ARKWE) version 7.4 released!!

    Thursday, November 11th, 2010


    Our much anticipated major release of Admin Report Kit for Windows Enterprise (ARKWE) version 7.4 is finally here with the following new features included,

    • Provision to generate permission reports on user-defined lists by using the Scan Profiles of Users and Groups.
    • Provision for alternative enumeration of servers in a domain using Active Directory Computer accounts (to avoid Browser Service dependency).
    • Ability to search report data.
    • Ability to e-mail generated reports.
    • Support for x64 platform.
    • New Permissions reports under Built-in Reports category
    • Enhanced Scan options for all built-in reports using Scan Profiles
    • Minor enhancements.

    For further information on ARK for Windows Enterprise (ARKWE), visit our product home page at http://www.vyapin.com/products/windows-audit/windows-reports.htm

    NTFS Permissions Reporting

    Monday, September 6th, 2010

    Background

    NTFS permissions play a vital role in securing Operating system objects (Folders, Files, Services etc.). NTFS permissions work on the basis of what is called the Access Control Model. The Access Control Model consists of the following:

    • Access token
    • Security Descriptors

    Access token: Contains information about the logged-on user and their privileges.

    Security descriptors: Every object in a system has a set of regulatory information attached to it, which controls information about gaining access to the object and its attributes. These sets of regulatory information are termed as Security Descriptors. Security descriptors are created along with creation of an object and act as the backbone of the NTFS security.

    A Security Descriptor consists of the following components:

    • Security identifier (SID) – a unique value that identifies the User or Group to which an entry applies.

    • Discretionary Access Control List (DACL) - contains the Users and Groups and Permissions (Allow or Deny) on the object. Each entry in DACL is called an Access Control Entry (ACE).

    • SACL (System Access Control List) - contains the auditing details of attempts made to access the object.

    Let us review the above concepts with a simple example. Imagine a “Folder” as a physical file cabinet with an electronic lock. The various electronic lock codes for opening the file cabinet are the Permissions, which control who gains access to the file cabinet and what they can do inside it. Such information is maintained in the DACL as ACE entries. You can also post a security guard next to the file cabinet to maintain a log (audit) of who accesses it (the SACL). The SID is like the electronic key code that unlocks the file cabinet.

    NTFS working

    Whenever a user logs into the system, the system creates a unique Access Token for the user. The Access token contains the user’s Security Identifier (SID) and the permissions held by the user. Whenever the user tries to access an object, a copy of the Access token is given to the thread executing the request. The object the user is requesting access to carries a Security Descriptor. On receiving the request, the user’s SID is compared with the entries in the Security Descriptor’s DACL. If a match is found, the applicable permissions are granted to the user.

    Let us review the working of NTFS permissions with a simple example.

    Consider a logged-on user named Tom requesting access to an object.

    On receiving the access request, the DACL is checked for an ACE matching “Tom”. In this scenario Tom is granted the “Read, Write, Delete” permissions on the object.

    Note: This Scenario is also applicable for users accessing “Shared Folders” across File Servers.

    Types

    Permissions are of two types

    • Explicit permissions
    • Inherited permissions

    Explicit permissions: Permissions that are listed in ACL directly.

    Inherited Permissions: Permissions that are granted by means of group membership. The user may not be listed in the ACL directly; since the ACL contains permissions for both users and groups, a user may be receiving permissions through group membership. For example, consider an object with the following ACE entries.

    Note: User Gary is a member of Technical Leaders group.

    For the above scenario, user Gary is getting the permission “Take Ownership” because of his membership in Technical Leaders, in addition to his existing permissions. These extra permissions are termed as Inherited Permissions. So while accessing the object, the resultant permissions that are applicable are:

    Effective Permissions

    Effective permissions are the resultant permissions a User or a Group has on an object. Effective permissions are the combination of the Explicit and Inherited permission entries, and the more restrictive entries apply when the object is accessed. The following are the essential factors that need to be addressed when considering effective permissions:

    Factors:

    • Well known SID
    • Local group membership
    • Global group membership

    Effective permission calculation involves both direct and indirect group membership. The user may be a direct member of a group, or may become an indirect member by means of nested groups. For example, consider the following scenario.

    Even though User Gary is not a direct member of the Team Leaders group, by means of nested group Team Leader -> Team Auditing, Gary is somewhat of an “indirect” member of Team Leaders. That is, the permissions of Team Leaders are also applicable for user Gary along with the other permissions.

    If the user is a member of more than one group, effective permissions are calculated by taking all the group memberships into account and combining them.

    Effective permissions for groups do not involve group membership. It shows only the explicitly assigned permissions in the ACL.
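The access check described under “NTFS working” and the effective-permission rules above (explicit vs. membership-derived entries, the restrictive Deny entries winning, nested and looping groups, and groups getting only their explicit entries) can be put together in a small model. The following Python is an added example written for this page; it is not code from ARKWE or from Vyapin, and the SIDs, account names, group nesting and DACL it uses are constructed placeholders. It follows the post’s own terminology, so “inherited” here means “obtained through group membership”.

```python
from dataclasses import dataclass

# Constructed sample directory for this example (placeholder SIDs, not real accounts).
# PRINCIPALS: SID -> (display name, is_group)
TOM, GARY = "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-1002"
TECH_LEADERS, TEAM_AUDITING, TEAM_LEADERS = (
    "S-1-5-21-0-0-0-2001", "S-1-5-21-0-0-0-2002", "S-1-5-21-0-0-0-2003")
PRINCIPALS = {
    TOM: ("Tom", False),
    GARY: ("Gary", False),
    TECH_LEADERS: ("Technical Leaders", True),
    TEAM_AUDITING: ("Team Auditing", True),
    TEAM_LEADERS: ("Team Leaders", True),
}

# Direct group membership: member SID -> set of group SIDs. Team Auditing is nested in
# Team Leaders and (constructed) Team Leaders is nested back in Team Auditing, the kind
# of loop a nested-group report flags; the resolver below must not spin on it.
MEMBER_OF = {
    GARY: {TECH_LEADERS, TEAM_AUDITING},
    TEAM_AUDITING: {TEAM_LEADERS},
    TEAM_LEADERS: {TEAM_AUDITING},
}

# Well-known SIDs that every logged-on user's access token carries.
EVERYONE = "S-1-1-0"
WELL_KNOWN = {EVERYONE: "Everyone", "S-1-5-11": "Authenticated Users"}


@dataclass(frozen=True)
class Ace:
    kind: str            # "Allow" or "Deny"
    trustee: str         # SID the entry applies to
    rights: frozenset    # access rights named in the entry


# Constructed DACL for one object; Deny entries are listed first, as in canonical order.
DACL = [
    Ace("Deny", TEAM_AUDITING, frozenset({"Delete"})),
    Ace("Allow", TOM, frozenset({"Read", "Write", "Delete"})),
    Ace("Allow", GARY, frozenset({"Read"})),
    Ace("Allow", TECH_LEADERS, frozenset({"TakeOwnership"})),
    Ace("Allow", TEAM_LEADERS, frozenset({"Write"})),
    Ace("Allow", EVERYONE, frozenset({"Read"})),
]


def token_sids(sid, member_of=MEMBER_OF, principals=PRINCIPALS):
    """SIDs an access token for `sid` would hold: the principal itself, every group
    reached through direct or nested membership, and (for users) the well-known SIDs.
    The visited set stops the walk when nested groups form a loop."""
    seen, stack = set(), [sid]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(member_of.get(current, ()))
    if not principals[sid][1]:          # users, not groups, get the well-known SIDs
        seen.update(WELL_KNOWN)
    return seen


def effective_permissions(sid, dacl=DACL, member_of=MEMBER_OF, principals=PRINCIPALS):
    """Split the DACL into entries naming the principal directly (explicit), entries
    matched through group membership (inherited, in the post's terms) and Deny entries,
    which are the restrictive ones and override any Allow. A group is evaluated
    against only the entries that name the group itself, not its memberships."""
    name, is_group = principals[sid]
    matching = {sid} if is_group else token_sids(sid, member_of, principals)
    explicit, inherited, denied = set(), set(), set()
    for ace in dacl:
        if ace.trustee not in matching:
            continue
        if ace.kind == "Deny":
            denied |= ace.rights
        elif ace.trustee == sid:
            explicit |= ace.rights
        else:
            inherited |= ace.rights
    return {
        "principal": name,
        "explicit": explicit,
        "inherited": inherited,
        "denied": denied,
        "effective": (explicit | inherited) - denied,
    }


def access_check(sid, requested, dacl=DACL):
    """True only when every requested right is among the effective permissions."""
    return set(requested) <= effective_permissions(sid, dacl)["effective"]


if __name__ == "__main__":
    for who in (TOM, GARY, TEAM_LEADERS):
        print(effective_permissions(who))
    print("Gary may delete:", access_check(GARY, {"Delete"}))
```

Running it shows Gary holding Read explicitly, Write and TakeOwnership through Team Leaders and Technical Leaders, and losing Delete to the Deny entry on Team Auditing even though no entry names him directly; Team Leaders, evaluated as a group, gets only its explicit Write. This is the kind of per-principal resolution that a DACL listing alone does not give you and that an effective-permissions report has to compute.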

    How does Admin Report Kit For Windows Enterprise (ARKWE) address effective permissions reporting?

    ARKWE can report on Share folder and File NTFS permissions in all dimensions. It can report the permissions of Users and groups that may or may not be present in the Share Folders across File servers and domains.

    It has provision to Export/Print reports in various formats (HTML/CSV/MDB/PDF/TIFF/XLS) and also to schedule reports at required Time intervals without any user interaction.

    ARKWE addresses the pain of effective permissions reporting by taking all the necessary factors, such as Group membership and Well Known SIDs, into account. The following summarizes the advantages of ARKWE over the Windows Effective Permissions Tool.

    Admin Report Kit for Active Directory (ARKAD) version 6.2 released!!

    Wednesday, June 16th, 2010


    Our much anticipated major release of Admin Report Kit for Active Directory (ARKAD) version 6.2 is finally here with the following new features included,

    1. AD Summary Reports: ARKAD now has the ability to report object-specific significant information in a powerful summarized view. AD Summary reports display summarized vital information about Domains, Organizational Units, Computer Accounts and groups.
    2. Quick Reports: Quick reports allow users to restrict the scope of reports to specific entities within the domain and generate meaningful information faster. This saves users the time involved in scanning the entire domain to retrieve information about specific objects, and is especially useful for oft-repeated administrative tasks.
    3. ARKAD now allows the user to schedule reports by e-mail. The reports can be scheduled to later hours to reduce the operational load and can be automatically mailed across to the desired recipients.
    4. Custom Queries: With ARKAD, it is now possible for users to create their own reports. Custom Queries feature within the Quick reports allow the user to create a custom report by defining logical queries and generating the reports within the ARKAD framework. A custom query can be used to extract information from various containers across the directory.
    5. Additional user attributes such as Employee ID, Employee Number, Department Number, Division, Car License etc. can now be retrieved using ARKAD. This additional information better qualifies the users associated with the directory.
    6. Computers’ last logon date and time: ARKAD retrieves the last logon date and time of a computer specific to domain controllers within a domain and reports the most recent value as the computer’s last logon date and time.
    7. ARKAD now reports the list of nested groups and nested groups that form a loop. (Quick reports->List of nested groups that form a loop).

    Admin Report Kit for Active Directory (ARKAD) with its above features could very well be indispensable for any Active Directory infrastructure.

    For further information on ARKAD, visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm

    Forest level reporting with ARKAD

    Saturday, June 12th, 2010


    Forests are at the top of the Active Directory hierarchy. A forest comprises one or more domain trees (independent or interdependent) administered under a common schema. A networking infrastructure usually contains a Forest at the top level. The objects within a Forest are controlled by the Forest Root Domain, created when Active Directory is installed for the first time. With companies operating across geographies, Active Directory has expanded rapidly, and Forest topologies have become increasingly complex. Administering an Active Directory infrastructure with multiple forests spread across geographies is no easy task: imagine the volume of data generated, or the number of individual entities that have to be looked at.

    Admin Report Kit for Active Directory (ARKAD) has in it numerous out-of-the-box reports that present a bird’s eye view of the Active Directory topology at a Forest Level. Through these reports ARKAD allows administrators to generate reports across multiple domains and take stock of the entire forest.

  • Domain Reports-Forest Level: Domain Reports at a Forest level give information about the various properties of domains within a forest. The domain controllers within the respective domains and the trust relationships (trusting or trusted) between them are also reported. The administrator of each domain, their permissions and the security settings are some of the other significant information reported at a forest level. Auditing information for the changes made within the domain can be viewed under the ‘Auditing’ report. The Group Policy report gives information about the group policies applicable to the corresponding domains. The ‘Delegated Permissions’ report gives an insight into the users and their delegated tasks within the domain.

  • Site Reports-Forest Level: Site Reports at a Forest level provide the configuration settings of sites within a forest. The location of the sites and their created and modified dates are reported in the ‘Location’ and ‘Object’ reports respectively. The ‘Security’ and ‘Auditing’ reports give information about the permissions associated with the sites and their auditing information respectively. The Group Policy Objects linked to the corresponding sites are reported in the ‘Group Policy’ report. The ‘Delegated Permissions’ report lists users with delegated tasks within the sites.

  • Group Reports-Forest level: Forest Level Group Reports provide information about the various group settings of groups within a forest. Information about the members within the groups and the membership details of the groups themselves is reported in the ‘Member’ and ‘Member Of’ reports for the Forest. The created and modified dates and details of the administrators managing the groups are also displayed. The Permissions associated with the members of the group and the auditing information are other relevant information reported. The ‘Deleted Object’ report displays information on recently deleted groups.

  • User Reports-Forest Level: Forest Level User reports enumerate the Users and their account information for the domains within a forest. The user display names, address, account details, profile path, telephone numbers, organization and position related details are reported, as are the users’ membership details and the Created Date and Modified date values. The Permissions granted, their type and the auditing information are retrieved in the ‘Security’ and ‘Permissions’ reports. The Last logon date of the user account and other relevant information such as Password Last Set date and Password expiration date are reported in the ‘Additional Account Info’ report. The Password Settings Object policies (applicable to Windows 2008 Domain Controllers) defined for users within the forest, and the precedence level of such policies, can be viewed under ‘Effective PSO (Win 2008)’. Deleted user accounts within the forest are reported under the ‘Deleted Objects’ report.

  • Contacts reports-Forest Level: Contact reports are similar to the User reports and display information about the Contacts within the forest. Contact information such as display names, address, telephone numbers, organization and position held are some of the relevant information reported, along with the membership details of contacts. The Created Date and Modified date values are reported in the ‘Object’ report. The Permissions defined on the Contacts and the auditing information are displayed under the ‘Security’ and ‘Auditing’ reports. Information about deleted contacts and their last known parent is reported in the ‘Deleted Objects’ report.

  • Group Policy Object reports-Forest Level: Group Policy Object reports display information about the various Group Policy Objects within the forest. The details of Group Policy Objects linked with various objects within the forest are reported under the ‘Links’ report. The objects connected to various GPOs and the corresponding details are reported in the ‘SOM Links’ report. The security settings of each object, the associated auditing information and related comments are retrieved for the administrator through the ‘Security Filtering’, ‘Security’ and ‘Auditing’ reports. ‘Deleted Objects’ reports the deleted Group Policy Objects within the forest.

    Consider an example where the administrator wishes to generate a report on trust relationships across the domains of a forest. Producing this report manually, domain by domain through the Active Directory Domains and Trusts console, is a cumbersome process.

    Let's see how ARKAD does this with considerable ease. The following screenshot shows the trust relationships across the domains of a forest.

    ARKAD, with its out-of-the-box forest reports, addresses administrators' reporting needs with considerable finesse.

    For a 15-day free evaluation visit our product home page at http://www.vyapin.com/products/active-directory-audit/active-directory-reports.htm

    NTFS Permissions Reporting

    Saturday, March 6th, 2010

    NTFS Permissions reports on files, folders and shares using Admin Report Kit for Windows Enterprise.

    Admin Report Kit for Windows Enterprise has several features for generating reports on NTFS permissions on files and folders residing on servers and workstations across multiple domains in the network. All reports may be scheduled and generated for multiple computers, users and groups across multiple domains as a batch job.

    The Permissions Reports section under the built-in (out-of-the-box) reports includes reports dedicated to the access permissions assigned to users and groups on files, folders and shares. Our NTFS permissions reporting tool has several flavors of reports designed for the administrator's convenience. The following questions can be answered using these multi-dimensional reports:
    1. Given a selected set of users and groups, which files and folders do they have access to across the computers in a domain?
    2. Given a selected set of files, folders and shares across computers, which users and groups have access to them?
    3. Which users have access indirectly, through their group membership, even though they have not been granted explicit permissions?
    4. What permissions have been assigned to users, both explicitly and indirectly through nested groups? One report shows both.
    5. What are the net effective permissions of users and groups on a set of folders, after Allow and Deny entries from every group they belong to are combined?
    6. How are nested groups affecting NTFS permissions on files and folders?
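    Questions 3, 4 and 6 above come down to one operation: take each ACE on a folder and expand the group it names down to the users who actually receive it. The script below is an added example written for this post, not code from Admin Report Kit; it uses the RSAT ActiveDirectory module and Get-Acl, and the share paths and account names are placeholders. It lists who receives which rights and through which group; it does not compute net effective permissions (question 5), which additionally requires applying Deny entries over Allow entries across every group a user belongs to.

```powershell
# Added example (not ARKWE code). Assumes: RSAT ActiveDirectory module installed,
# read access to the folders and to the AD domain that holds the groups.
Import-Module ActiveDirectory

function Expand-NtfsAccess {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $Server            # optional DC or domain to resolve groups against;
                                    # use "<dc>:3268" to resolve groups from any domain via the GC
    )
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }
    $cache = @{}                    # SID -> flattened user list, so big ACLs do not hammer the DC

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            # Resolve the identity to a SID, then to an AD object. Local accounts and
            # well-known SIDs (BUILTIN\*, NT AUTHORITY\*) are reported as-is.
            $sid = $null; $obj = $null
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch {}
            if ($sid) { try { $obj = Get-ADObject @adArgs -Filter "objectSid -eq '$sid'" } catch {} }

            if ($obj -and $obj.ObjectClass -eq 'group') {
                if (-not $cache.ContainsKey($sid)) {
                    # -Recursive flattens nested groups to leaf principals. Caveat: it can fail
                    # on groups that contain foreign security principals from another forest.
                    $cache[$sid] = @(Get-ADGroupMember @adArgs -Identity $sid -Recursive |
                                     Where-Object objectClass -eq 'user')
                }
                foreach ($u in $cache[$sid]) {
                    [pscustomobject]@{
                        Path      = $p
                        User      = $u.SamAccountName
                        Via       = $ace.IdentityReference.Value   # group that carries the ACE
                        Rights    = $ace.FileSystemRights
                        Type      = $ace.AccessControlType         # Allow or Deny
                        Inherited = $ace.IsInherited               # inherited from the parent folder
                    }
                }
            } else {
                [pscustomobject]@{
                    Path = $p; User = $ace.IdentityReference.Value; Via = '(explicit)'
                    Rights = $ace.FileSystemRights; Type = $ace.AccessControlType; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Placeholder paths: which users can reach these folders, and through which group?
Expand-NtfsAccess -Path '\\FS01\Finance', '\\FS01\Finance\Payroll' |
    Sort-Object User, Path | Format-Table -AutoSize
```

    The `Via` column is what makes nested groups visible: a user who appears with `Via = Domain Admins` on a folder that only lists `FS01-Finance-RW` in its ACL got there through a nested membership. Rows with `Type = Deny` must be read before any `Allow` rows for the same user, since Deny wins when the effective permission is computed.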

    Here is a walkthrough of how to generate NTFS Permissions Reports using Admin Report Kit for Windows Enterprise (ARKWE):

    Click on the Permissions Reports menu item under the Built-in Reports button in the toolbar.

    The following NTFS Permissions Reports are available:

    List of permissions for specific users and groups on folders
    Reports the folder permissions assigned to specific users and/or groups on a selected set of folders.

    List of permissions for folders
    Reports the permissions associated with a selected set of folders.

    List of permissions for specific users and groups on files
    Reports the files permissions assigned to specific users and/or groups under a selected set of folders.

    List of permissions for files
    Reports the permissions associated with files under a selected set of folders.

    List of all permissions for folders (Inherit & Explicit)
    Reports the permissions for users assigned on the folders directly and those received indirectly through nested group membership.

    List of effective permissions for users and groups on folders
    Reports the effective permissions for users and groups for a set of folders.

    List of effective permissions for users and groups on files
    Reports the effective permissions for users and groups for files available in a set of folders.

    Apart from the above out-of-the-box NTFS Permissions Reports, several standard customizable reports on various share and folder resources are available. These may be customized and scheduled as batch jobs for multiple computers and domains.

    Please click on the following to download and evaluate the above features in Admin Report Kit for Windows Enterprise.
    http://www.vyapin.com/products/windows-audit/windows-reports.htm

    ‘Member of’ details for a User for ALL domains in a forest

    Friday, January 22nd, 2010

    Consider the following scenario:


    There are two domains in a forest with different namespaces, SPACENET (SPACENET.local) and OtherDomain (OtherDomain.local). Let us assume that users from SPACENET need to access resources in OtherDomain. To allow this, we add SPACENET's users as members of a domain local group in OtherDomain, and grant that group the permissions on the resources.

    If a user from the SPACENET domain is a member of a domain local group in OtherDomain (within the same forest), the ‘Member Of’ tab for that user in SPACENET will not show that membership: the tab is built from the user's memberOf attribute, which a SPACENET domain controller can only populate from links in its own naming context and from universal groups, and domain local group membership in another domain is not replicated to the Global Catalog either. So a comprehensive ‘member of’ listing for a user should show all groups the user is a member of, including groups in other domains.

    Please see following figures to understand this better.

    Active Directory Users and Computers for ‘OtherDomain.local’

    Active Directory Users and Computers for ‘SPACENET.local’

    If an administrator wants the ‘Member of’ details of a user for the entire forest, he needs to open each group's ‘Members’ tab in the AD console to see whether the user is a member of that group, and repeat this for every group in every domain of the forest.
     
    So, How does ARKAD help show Users ‘Member of’ details for all domains in a forest in a single report view?
     
    With the help of Admin Report Kit for Active Directory (ARKAD) you can view the users ‘Member Of’ details for an entire forest. The following image depicts the report generated by ARKAD for the above scenario.

    Active Directory Group membership report - listing across domains and forests

    Sunday, December 20th, 2009

    A user may be a member of multiple groups in an Active Directory organization. A group member may have membership in other groups in the same domain, in a different domain within the same forest, or in a domain of a different forest.

    An in-depth user/group membership report must include all the groups that a user is a member of across the entire AD organization, not just the groups within one domain.

    In a multiple forest environment, when a security principal from a trusted domain outside the forest is added to a group in one of this forest's domains, Active Directory automatically creates a special object called a foreign security principal (FSP) in the CN=ForeignSecurityPrincipals container of that domain's naming context.

    The FSP is a placeholder for the external principal: its name and objectSid attribute carry the external user's or group's SID, and it is this placeholder, not the external object itself, that appears in the group's member attribute. The users and groups of the trusted forest are represented by these FSPs in the trusting forest, and the FSPs are what allow them to be granted access to resources there. Because they come from outside the forest, FSPs can be made members only of domain local groups in the trusting domain.

    To generate a report on all of a user's memberships, you therefore need a tool that walks group membership across every domain of the forest and, where other forests trust this one, also resolves the user's FSP in each of those forests and walks membership there. A complete listing for a user A will then show every group A is a member of, including domain local groups in other domains and, through FSPs, in other forests.

    Vyapin's Admin Report Kit for Active Directory (ARKAD) generates such user/group membership reports.

    How to view all security principals in all domains of a single forest in ARKAD (a security principal can be a user, group, service or computer): the Forest Reports feature in ARKAD generates reports across the domains of a forest. Select ‘Forest Reports…’ under the New Report button in the toolbar; the Forest Reports window with the list of reports is displayed. Select a report from the list and click Next to proceed to the next steps.
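    The two membership problems described on this page, a user's memberships in the domain local groups of other domains in the same forest (the SPACENET / OtherDomain scenario above) and, via a foreign security principal, in the domain local groups of a separate trusting forest, can both be solved with one LDAP query shape: search each domain's own domain controller for groups whose member attribute contains the user (or the user's FSP). The script below is an added example written for this post, not ARKAD's own code. It uses the RSAT ActiveDirectory module; the domain names, forest name and user name are placeholders, and it assumes the caller can read every domain in the forest and, for the cross-forest part, that a trust exists and the trusting forest's domains can be queried.

```powershell
# Added example (not ARKAD code). Assumes RSAT ActiveDirectory module; domain,
# forest and user names below are placeholders.
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_IN_CHAIN: the DC walks nested membership server-side.
$InChain = '1.2.840.113556.1.4.1941'

function ConvertTo-LdapFilterValue([string] $Value) {
    # RFC 4515 escaping for a DN placed inside an LDAP filter (backslash first)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ForestGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $UserDn,    # DN of the user in its home domain
        [string] $Forest                             # defaults to the current forest
    )
    $f = if ($Forest) { Get-ADForest -Identity $Forest } else { Get-ADForest }
    $filter = "(member:${InChain}:=$(ConvertTo-LdapFilterValue $UserDn))"
    foreach ($dom in $f.Domains) {
        # Ask each domain's own DC: a DC only holds member links for its own naming
        # context, and domain local membership is not in the Global Catalog, so a
        # single-domain or GC query would miss exactly the groups we are after.
        Get-ADGroup -Server $dom -LDAPFilter $filter | ForEach-Object {
            [pscustomobject]@{ Domain = $dom; Group = $_.Name; Scope = $_.GroupScope; Member = $UserDn }
        }
    }
}

function Get-TrustingForestGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $UserSid,         # SID of the user in the trusted forest
        [Parameter(Mandatory)] [string] $TrustingForest
    )
    $f = Get-ADForest -Identity $TrustingForest
    foreach ($dom in $f.Domains) {
        $domDn = (Get-ADDomain -Server $dom).DistinguishedName
        # The FSP placeholder is named after the external SID.
        $fspDn = "CN=$UserSid,CN=ForeignSecurityPrincipals,$domDn"
        $fsp = Get-ADObject -Server $dom -Filter "distinguishedName -eq '$fspDn'"
        if (-not $fsp) { continue }   # no FSP: this user was never added to a group in this domain
        $filter = "(member:${InChain}:=$(ConvertTo-LdapFilterValue $fspDn))"
        Get-ADGroup -Server $dom -LDAPFilter $filter | ForEach-Object {
            [pscustomobject]@{ Domain = $dom; Group = $_.Name; Scope = $_.GroupScope; Member = $fspDn }
        }
    }
}

# Scenario from the post: a SPACENET user's memberships across the forest, including
# domain local groups in OtherDomain.local that the user's own 'Member Of' tab never shows.
$u = Get-ADUser -Server 'SPACENET.local' -Identity 'jdoe'
Get-ForestGroupMembership -UserDn $u.DistinguishedName | Format-Table -AutoSize

# The same user as seen from a separate trusting forest (placeholder corp.example), via its FSP.
Get-TrustingForestGroupMembership -UserSid $u.SID.Value -TrustingForest 'corp.example' | Format-Table -AutoSize
```

    Running the first call against OtherDomain.local returns the domain local group with `Scope = DomainLocal`, which is the row the ADUC ‘Member Of’ tab cannot show. In the cross-forest call, an FSP that exists but belongs to no group is worth reporting too: it usually means a membership was granted and later removed, and such orphaned FSPs accumulate in CN=ForeignSecurityPrincipals.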