NTFS Security Manager – NTFS Folder Permissions FAQs

  1. What permissions or privileges are required to Manage NTFS permissions?

    To manage the NTFS Permissions, the currently logged on user or the User Credentials specified must be an:

    • Owner of a Folder/File having permissions to read and modify permissions on the folder/file.
    • Account which has the ‘Allow’ type “Full Control” or “Change Permissions” and “Read Permissions” NTFS Permission granted either explicitly, or inherited from the parent to a Folder/File.
  2. What user credentials does NTFS Security Manager use to connect to a domain/server?

    By default, NTFS Security Manager uses the currently logged on user context to connect to a domain/server. If NTFS Security Manager determines, that the currently logged on user does not have sufficient permissions on the specified server, an ‘Enter Network Password’ dialog appears allowing the user to enter the User Credentials to connect to the server. The NTFS Security Manager then establishes a session with the destination domain/server, using the user credentials specified.

    If ‘Use Active Directory Services’ is selected as Computer Enumeration option, then you can specify alternate domain credential (having domain administrator privileges) for managing all computers in each domain. In this case, NTFS Security Manager establishes a session with the destination domain/server of the specified domain, using the specified user credential.

  3. What permissions or privileges are required to read data from a Windows server on the network?

    To read data from a Windows Server on the network, the currently logged on user or the User Credentials specified must:

    • Be a Valid domain user to view basic information.
    • Be a member in the Administrators group of the target server to view shares and its permissions.
  4. What Services and Settings does NTFS Security Manager require on a local or remote computer to collect permissions data?

    “Enable NetBIOS over TCP/IP” option is enabled under the “Advanced” button in WINS tab of the TCP/IP property sheet.

  5. Unable to find certain servers in the list. Why?
    • The servers will be listed only if it is available under a particular domain.
    • Particular server might have been come back on after the NTFS Security Manager is started.
  6. I get the error message Could not find the domain controller for the domain.?
    • The domain controller for the particular domain that you have selected might have been switched off.
    • The domain that you have selected might have been removed from the domain controller, but still remains in the cache
  7. Why do I get the message Attempted to perform an unauthorized operation?

    When modifying the NTFS permissions of the share / while reading the NTFS permissions of the share, you can get the above stated message. The following may be one of the reasons for such a scenario:

    • The share’s inherited permissions broke from its parent object and the currently logged on Account does not have explicitly assigned permissions to access those shares.
    • The currently logged on user Account has Deny NTFS permissions to access that particular share.
  8. Why do I get the message The specified domain does not exist. Specify a valid domain name. while adding/editing/connecting to a domain?

    When the Computer Enumeration option is set to ‘Use Active Directory Services’, NTFS Security Manager queries Active Directory for enumerating servers present in a domain. During this process, NTFS Security Manager tries to connect to the Active Directory Server (Domain Controller) of the specified domain internally. If NTFS Security Manager is unable to find the domain controller for the selected domain, it will display the stated message. The following may be one of the reasons for such scenario:

    • The domain controller for the domain that you have selected might have been switched off.
    • The domain that you have selected might have been removed but still remains in cache.
  9. Why do I get the message The specified forest does not exist or cannot be contacted. in ‘Add domains from forest’ option?

    When the Computer Enumeration option is set to ‘Use Active Directory Services’, NTFS Security Manager queries Active Directory for enumerating domains present in a forest. During this process, NTFS Security Manager tries to connect to the Active Directory Server (Domain Controller) of the specified forest internally. If NTFS Security Manager is unable to find the domain controller for the selected forest, it will display the above stated message. The following may be one of the reasons for such a scenario:The domain controller for the forest that you have selected might have been switched off.

    The computer where NTFS Security Manager is installed is unable to resolve the specified DNS name of the forest.

  10. In What order permission changes are made by the Grant permissions tool?

    The Grant Permissions tool makes changes to permissions in the following order:

    • Consider the assignment rule (Add a new Account or Replace with the existing Account permissions).
    • Remove all the child objects’ explicit permissions.
    • Apply the Inheritance Rule (Allow or Copy or Remove inheritance).
  11. While revoking or modifying permissions, I still notice that certain old permissions exist. How do I overcome this?

    The Revoke and the Modify tools do not break the inheritance. This is the default behavior. They make changes to only the explicit permissions. If you notice the old permissions, it could be because of inherited permissions from the parent. If you need to have these removed, you may use the Grant or the Modifier tool to block inheritance from the Parent.

  12. How do the options Copy and Remove permissions work when Inheritance from parent is blocked/removed?

    The Copy permissions option will remove the inherited permissions from the parent object and copy the inherited permissions as explicit permissions.

    The Remove permissions option will remove the inherited permissions from the parent object. After applying this option only the existing explicit permissions remain.

  13. While making permission changes to remote shares (shares on a remote computer), are there important points to be aware of?

    Here are some important points to consider while managing permissions:

    • In order to modify permissions on a Share, ensure that the account accessing the share has ˜Allow” ‘Read’ share permission on the Share. Otherwise the user account using the software cannot access the Share.
    • Only two categories of Accounts can make changes to permissions the owner of the Share (having permissions to read/modify/delete permissions) and Accounts that have ‘Allow’ ˜Full control” or ˜Change permissions” and ‘Read permissions’ NTFS permissions on the Share.
  14. While using the tool, what are the important precautions to be taken?

    NTFS Security Manager can be used to change NTFS permissions across Shares, Folders and Files. You have to absolutely ensure that only responsible persons within your organization use this software. The users using this software must have sufficient knowledge about tinkering with NTFS permissions on your file servers and workstations. The software must be used carefully and the end user must know what he is intending to accomplish using the features of the tool.

    CAUTION: Wrong or inadvertent use of the software Wrong or inadvertent use of the software will compromise the security of your file system and may make the shares and folders either inaccessible or open them up for unauthorized access.

    • When you remove NTFS permissions entries in bulk, be careful about removing all explicitly assigned permissions from an object and blocking inheritance from its parent object by doing a “Remove” of the inherited permissions, both at the same time. This will make the shared folder inaccessible to all accounts, including the currently logged on account that is using the product, except for the owner.
  15. I am unable to see folders within a remote share while using the application, even though the remote share has permissions for the account running the application.

    For Win7 and Windows 2008 R2, blocking inheritance on descendent objects of a remote share and when no explicit permissions have been granted for the account using the application on the descendent objects, would make the descendent objects root share. If you wish to view these folders, then login to the remote computer and allow inherited permissions from the share to the descendent objects or assign explicit permissions on the descendent objects for the application account.

  16. Does the software take ownership and make changes to permissions in any of its features?

    NO. The software is designed to not take ownership of folders and files. The owner of the object will continue to retain their ownership with all the existing owner permissions after the permission changes are effected using the software. So, no matter what changes are made to permissions using the application, the existing owner permissions are retained on the shared folders.

  17. What are all the error messages that one is likely to see when making changes to permissions?

    Unable to remove the Account or selected ACL entry: You may get this error message when the selected account has other inherited permissions from the parent object or the selected account is an invalid account.

    Unable to add an account: You may get this error message when the application is unable to resolve the account SID. This may happen if the selected account is an “Unknown account” or if the account is from another domain.

  18. What privileges and permissions are required to perform Apply or Revoke CAP task?

    To run the Apply or Revoke CAP task, the currently logged on user account should satisfy the following conditions:

    • It must be the built-in administrator account or must be member of Domain Admins group of the selected share’s domain.
    • It must have “Allow” access type for “Read & Execute” access control entry on the selected share(s)/folder(s).
    • It must be a domain account and must connect to the share from a domain-authenticated session to view Central Access Policy information.
  19. Why do I get the Unable to collect available central access policies message while clicking ‘Change’ button to enumerate available central access policies from domain?

    This may happen if any one of the following conditions is true:

    • The selected share’s domain does not have at least one Windows Server 2012 domain controller.
    • The currently logged on user is not the Built-in Administrator account or not a member of the Domain Admins group of the selected share’s domain.
Hello Budy! plugin is activated, now you need to set option from Settings -> Sticky Header/Footer menu
WordPress Video Lightbox Plugin