NTFS Permissions Auditor - Online Manual

Authentication & Credentials

By default, NTFS Permissions Auditor runs under the security context of the logged-in Windows user. All share access, permission reading, and Active Directory lookups use the current user’s credentials.

For many environments, this is sufficient — if you’re a domain admin or have been granted read access to the target file servers and Active Directory, no additional configuration is needed.

However, there are scenarios where you need to use different credentials:

  • Cross-domain audits — Auditing shares on a server in a different domain where your current account doesn’t have access
  • Non-domain workstations — Running the tool from a machine that isn’t joined to the domain containing the file servers
  • Least-privilege accounts — Using a dedicated service account with read-only access instead of your personal admin account
  • Testing access — Verifying what a specific user account can see

Enabling Alternative Credentials

  1. Open your profile for editing
  2. Go to the Authentication tab
  3. Check Use alternative credentials for network shares and AD
  4. Enter the Username — this should be in DOMAIN\username or username@domain.com format for domain accounts
  5. Enter the Password

When alternative credentials are enabled, the application uses them for:

  • Connecting to network shares (SMB/CIFS file access)
  • Querying Active Directory to resolve SIDs, expand group memberships, and retrieve account details (display name, department, manager, etc.)

How Credentials Are Stored

Credentials are stored securely using the Windows Credential Manager — the same system that Windows itself uses to store network passwords, VPN credentials, and other saved logins.

Each profile’s credentials are stored as a separate entry in Credential Manager, identified by the profile’s internal ID. The password is encrypted by Windows and is only accessible to the user account that created it.

When you disable alternative credentials on a profile (by unchecking the option), the stored credentials are removed from Credential Manager.

Note: Because credentials are stored in Windows Credential Manager, they are tied to the Windows user account that created them. If a different user logs into the same machine, they will not have access to the stored credentials.

When You Don’t Need Alternative Credentials

You can skip this configuration if:

  • You are logged in with a domain account that has read access to the target file servers
  • The file servers are in the same domain (or a trusted domain) as your workstation
  • Active Directory is accessible from your current user context
  • You are auditing local folders only

Troubleshooting Credential Issues

If the audit fails with “Access denied” errors after configuring alternative credentials:

  • Verify the username format — use DOMAIN\username for NetBIOS format or username@domain.com for UPN format
  • Confirm the account has at least read access to the target shares
  • Check that the account is not locked out or expired
  • For cross-domain scenarios, verify that the appropriate domain trust relationships exist
  • Try accessing the target share from Windows Explorer using the same credentials to isolate whether the issue is with the credentials or with the tool
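
The checks in this list can also be run outside the tool. The following PowerShell is an added example, not part of the original manual or the product. Assumptions: the share path is a hypothetical placeholder, the RSAT ActiveDirectory module is installed, and the UPN suffix matches the AD DNS domain name.

```powershell
# Added example; $SharePath is a hypothetical placeholder, not a value from the manual.
$SharePath = '\\fileserver01.example.com\Finance'
$Cred = Get-Credential -Message 'Account entered on the Authentication tab'
$user = $Cred.UserName

# 1. Username format: DOMAIN\username (NetBIOS) or username@domain.com (UPN).
if ($user -match '^(?<dom>[^\\/@]+)\\(?<sam>[^\\/@]+)$') {
    $attr = 'SamAccountName'; $name = $Matches.sam
} elseif ($user -match '^[^\\/@]+@(?<dom>[^\\/@]+\.[^\\/@]+)$') {
    $attr = 'UserPrincipalName'; $name = $user
} else {
    throw "'$user' is neither DOMAIN\username nor username@domain.com"
}
$domain = $Matches.dom   # assumption: the UPN suffix is also the AD domain name
$filter = "$attr -eq '$($name -replace "'", "''")'"

# 2. Account state. Runs as the current user, because a locked-out or expired
#    account cannot bind to AD itself. Needs the RSAT ActiveDirectory module.
try {
    $acct = Get-ADUser -Filter $filter -Server $domain `
                -Properties LockedOut, AccountExpirationDate -ErrorAction Stop
    if (-not $acct) { "No account found for $user in $domain" }
    else {
        $exp = $acct.AccountExpirationDate
        [pscustomobject]@{
            Account   = $acct.SamAccountName
            Enabled   = $acct.Enabled
            LockedOut = $acct.LockedOut
            Expired   = [bool]($exp -and $exp -lt (Get-Date))
        }
    }
} catch {
    "AD lookup failed (trust or connectivity?): $($_.Exception.Message)"
}

# 3. Share access with the same credentials: connect, list, and read the ACL.
try {
    $drive = New-PSDrive -Name AuditTest -PSProvider FileSystem -Root $SharePath `
                 -Credential $Cred -ErrorAction Stop
    Get-ChildItem -LiteralPath 'AuditTest:\' -ErrorAction Stop | Select-Object -First 1 | Out-Null
    Get-Acl -LiteralPath 'AuditTest:\' -ErrorAction Stop | Out-Null
    "Share connect, listing and ACL read succeeded as $user"
} catch {
    "Share test failed as ${user}: $($_.Exception.Message)"
} finally {
    if ($drive) { Remove-PSDrive -Name AuditTest }
}
```

If step 3 succeeds here but the audit still reports “Access denied”, the credentials themselves are working and the problem lies in the profile configuration rather than the account.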


Copyright © Albus Bit SIA