Scanning the NTFS file systems and Active Directory
Permission Analyzer has two key functionalities: network scanning and overview creation. During the scanning process, all necessary information is stored in the corresponding local database. A major advantage of this feature, firstly, is that the network need not be overloaded with each overview that is run. Secondly, any overview results are available within a matter of seconds. The database contains the Access Control List of each folder (or file), group and user data from the LDAP, such as usernames, and data on (nested) group relations. In addition, Permission Analyzer supports a series of external databases, allowing data to be centralized and shared between multiple workstations. Please see the page on External Database.
Configuring LDAP connections
Permission Analyzer will automatically detect your domain and Active Directory connection and will ask for a username and password to read information from the AD. Open the application preferences to add more LDAP connections, such as various domain controllers or a global catalog. Permission Analyzer supports multiple authentication protocols, such as (bind) username and password, Digest-MD5, Cram-MD5 or Kerberos. In addition, users can choose between plain, SSL/TLS or STARTTLS security protocols.
The default connection will use a bind user to read information from the Active Directory. The application asks for a username and password during the scan, which can be saved encrypted in the application preferences. See Data protection for more details about securing the data and preferences.
Adding directories and LDAP OUs
Open Scan View via the menu and determine which directories and LDAP Organizational Units (OU) need to be scanned by Permission Analyzer. LDAP OUs are used to supplement user data from the ACL with a username and nested group information for the relevant member. Directories can be limited by setting up a depth limit for the number of subdirectories, file scanning and scanning of local groups on the server of the directory. LDAP OUs can also be configured with a depth limit as well as selected scanning of users and/or groups. Permission Analyzer will at all times ensure that a comprehensive overview of nested group data is available by assessing the member and memberOf attributes of each user or group. As such, the scan may expand beyond the selected OU.
Note: because a universal group can have members from domains other than the domain where the group object is stored and can be used to provide access to resources in any domain, only a global catalog server is guaranteed to have all universal group memberships that are required for authentication. On the other hand, the global catalog stores the membership (the member attribute) of only universal groups. The membership of other groups can be ascertained at the domain level. Therefore, if applicable, make sure you add both the domain controllers as your global catalogue to ensure a complete overview of group memberships. Permission Analyzer will make sure that no duplicate memberships are stored.