NTFS Permission Reporter: Stop Guessing Who Has Access to What

We built a free Windows tool that scans any local or UNC path and generates an interactive permission report — because "everyone has Full Control on the root share" is not an audit.

If you manage file servers for even a handful of clients, you know the scene. Somebody leaves the company, or there's a compliance audit, or a client asks "who can access the payroll folder?" — and suddenly you're pulling up ADUC, running icacls, and manually building a picture of something that should have been documented two years ago. It's tedious, error-prone, and produces output nobody can actually read.

We built NTFS Permission Reporter to fix that. It's a free Windows desktop app that scans any folder path — local or UNC — and generates an interactive HTML report of every permission entry on every folder in the tree. No PowerShell, no CSV you have to manually format, no piecing it together. Just point it at a share, hit Scan, and get a report you can drop in a ticket or send to a client.

What It Actually Does

The app is built on .NET 8 — single EXE, no installer, no dependencies to manage. Drop it on a flash drive and run it anywhere. The core scanner is multithreaded and parallelizes aggressively against network shares — it auto-detects UNC paths and bumps thread count accordingly, so a scan of a deep share tree that would take minutes with Get-Acl in a loop finishes in seconds.

Analyze tab

Type in a path (or browse for it), set a depth limit if you don't want to go all the way down, and hit Scan. The results come back as an expandable folder tree in the left pane — each folder shows a permission count badge and a warning indicator for broken inheritance. Click any folder and its full ACL shows in the right pane: identity, rights decoded to human-readable strings (not the raw integer flags), explicit vs. inherited status, and inheritance flags.

The broken inheritance filter is one of the most useful features in practice. One click shows you every folder in the tree where inheritance has been disabled and permissions are set explicitly. Those are almost always either intentional security boundaries or someone's well-meaning mistake from years ago that never got cleaned up.

Compare tab

Enter two paths and the app scans both, then presents them side by side in synchronized tree views. Folders are color-coded: same permissions, changed permissions, left path only, right path only. Clicking a folder in either tree syncs the selection in the other. This was built specifically for migration audits — scan the old server and the new server, and you can immediately see every folder where the ACLs didn't transfer cleanly.

ℹ️ Common migration gotcha: Robocopy and other migration tools will copy NTFS permissions correctly on most folders, but can silently drop or alter ACEs on folders where inheritance is broken. The Compare mode will surface these immediately — they show up as "Changed" even though the folder content transferred fine.
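
For readers who want to spot-check a migration by hand, here is an added PowerShell example (not the tool's own code) that sorts folders under two roots into the same four buckets the Compare tab uses and records whether inheritance is disabled on each side. Comparing the DACL as an SDDL string is an assumption of this sketch, not a description of how the app compares ACLs, and the script name and server paths in the usage comment are placeholders.

```powershell
# Added example. Usage (script name and paths are placeholders):
#   .\Compare-FolderAcl.ps1 -Left \\oldserver\share -Right \\newserver\share
param(
    [Parameter(Mandatory)] [string] $Left,
    [Parameter(Mandatory)] [string] $Right
)
function Get-FolderAclMap {
    param([string] $Root)
    $rootItem = Get-Item -LiteralPath $Root -ErrorAction Stop
    $prefix   = $rootItem.FullName.TrimEnd('\')
    $map      = @{}   # relative path -> DACL info (hashtable keys are case-insensitive)
    $children = Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable enumErrors
    foreach ($e in $enumErrors) { Write-Warning "Could not enumerate: $($e.TargetObject)" }
    $dirs = @($rootItem) + @($children)
    foreach ($d in $dirs) {
        $rel = $d.FullName.Substring($prefix.Length).TrimStart('\')
        if ($rel -eq '') { $rel = '.' }
        try {
            $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop
            $map[$rel] = [pscustomobject]@{
                # DACL only, so an owner change alone is not reported as a difference
                Dacl      = $acl.GetSecurityDescriptorSddlForm('Access')
                # True means inheritance is disabled ("broken") on this folder
                Protected = $acl.AreAccessRulesProtected
            }
        } catch {
            $map[$rel] = [pscustomobject]@{ Dacl = $null; Protected = $null }
        }
    }
    return $map
}
$l = Get-FolderAclMap $Left
$r = Get-FolderAclMap $Right
$report = foreach ($rel in (@($l.Keys) + @($r.Keys) | Sort-Object -Unique)) {
    $status = if (-not $r.ContainsKey($rel)) {
        'LeftOnly'
    } elseif (-not $l.ContainsKey($rel)) {
        'RightOnly'
    } elseif ($null -eq $l[$rel].Dacl -or $null -eq $r[$rel].Dacl) {
        'Unreadable'   # Get-Acl failed on at least one side
    } elseif ($l[$rel].Dacl -eq $r[$rel].Dacl) {
        'Same'
    } else {
        'Changed'
    }
    [pscustomobject]@{ Path = $rel; Status = $status; LeftProtected = $l[$rel].Protected; RightProtected = $r[$rel].Protected }
}
$report | Where-Object { $_.Status -ne 'Same' }
```

ACEs granted to local (non-domain) accounts carry machine-specific SIDs, so they will show as Changed between two servers even when the account names match.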

The Reports

Both the single-path and comparison reports export to interactive HTML — one self-contained file you can open in any browser, share via email, or drop in a client-facing ticket. The HTML report embeds the full permission data as JSON and renders it client-side, so it works completely offline with no external dependencies.

Features inside the report: expandable/collapsible tree, search by path or identity, expand-to-level buttons (Level 1 / 2 / 3 for quick orientation on large trees), broken inheritance filter, and an in-browser CSV export button. Everything you need to document, share, or analyze without needing the app running.

There's also a direct CSV export if you need the raw data in Excel for a client report or compliance documentation.

Why We Built It

The honest answer is we got tired of the alternative. For a one-off check you can do icacls \\server\share /t > output.txt and grep through it. That works for a folder or two. It doesn't work when a client asks for a documented permission audit across 40,000 folders before a SOC 2 review. We needed something that could produce a deliverable, not a wall of text.

PowerShell's Get-Acl is the other obvious option, but even a tight script is slow against large shares, and the output still needs post-processing to be presentable. The tool handles all of that — the report is the deliverable.

NTFS Permission Reporter is available now on Gumroad — free download, no account required.

What's Next

A few things on the roadmap: scheduled scans that can email a report on a recurring basis (useful for compliance monitoring), a diff-from-baseline feature so you can detect permission changes over time, and a batch mode for scanning multiple shares in one pass. If there's something specific you need, the contact link is in the footer.