The Exclude tab in the profile editor lets you narrow down what the audit scans. You can exclude directories by path or name, limit scan depth, and skip certain account types from the results. Exclusions reduce noise in your audit results and speed up scanning by skipping irrelevant content.
The left side of the Exclude tab handles directory-level exclusions.
Exclude system directories (enabled by default) — Skips folders that have the Windows “System” file attribute set. These are typically operating system folders that clutter audit results without providing useful security information.
Exclude reparse points (enabled by default) — Skips NTFS reparse points, which include symbolic links, junction points, and mounted volumes. Reparse points can cause the audit to follow links into unexpected locations or create infinite loops in recursive scans.
Limit global depth — When enabled, the audit stops descending into subfolders beyond the specified depth level. A depth of 0 means only the root directories themselves are scanned (no subfolders). A depth of 1 scans one level of subfolders, and so on.
This is useful for large directory trees where you only need top-level permission visibility, or when performance is a concern.
You can add individual directories to the exclusion list. There are three types of directory exclusions:
By exact path — Excludes a specific directory by its full path (e.g., \\fileserver\shared\temp). Only that exact folder is skipped; its siblings are still scanned. Use the Browse button to select the folder, or type the path directly.
By directory name — Excludes any folder whose name contains the specified text, regardless of where it appears in the directory tree. For example, excluding the name “temp” would skip folders named “temp”, “temporary”, “temp_files”, etc. at any level. The match is case-insensitive.
Per-directory depth limit — Limits the scan depth for a specific root directory. This is different from the global depth limit — it lets you scan one directory deeply while limiting another. For example, you might set \\fileserver\shared to depth 10 but limit \\fileserver\archive to depth 2.
To add a directory exclusion, click the appropriate Add button (by path, by name, or depth limit), enter the value, and click Save. To remove an exclusion, select it in the list and click Remove.
The right side of the Exclude tab handles account-level exclusions. These determine which security principals are included or excluded from the audit results.
Exclude disabled accounts — When enabled, any Active Directory account that is flagged as disabled is removed from the audit results. This is useful for cleaning up results — disabled accounts that still have permissions are often left over from employee departures and don’t represent active access.
Tip: For security audits, you may want to keep disabled accounts visible to identify stale permissions that should be cleaned up. For NIS2 compliance audits specifically, it’s recommended to leave this unchecked so orphaned access is flagged in the compliance report.
Exclude unresolved accounts — When enabled, any SID that cannot be resolved to an account name is removed from the results. Unresolved SIDs (shown as raw SID strings like S-1-5-21-...) typically indicate accounts that have been deleted from Active Directory but still have permissions on folders.
Like disabled accounts, unresolved SIDs are often a security concern worth investigating. Leave this unchecked if you want to identify orphaned permissions.
You can exclude individual accounts from the audit results in two ways:
By account name (exact match) — Excludes a specific security principal by its exact account name. This is useful for excluding well-known service accounts or built-in accounts that you don’t need to audit. Click Exclude principal to browse Active Directory and select the account. The account’s SID is stored, so the exclusion works even if the account is later renamed.
By account name (contains) — Excludes any account whose name contains the specified text. For example, entering “svc_” would exclude all accounts with names like “svc_backup”, “svc_monitor”, “svc_sql”, etc. The match is case-insensitive. This is useful for excluding entire categories of service accounts by naming convention.
Directory and account exclusions work together during the audit, but they are applied at different stages: directory exclusions are evaluated while the folder tree is being scanned, so an excluded folder is never visited, whereas account exclusions are applied to the collected results after scanning.
This means directory exclusions improve performance (fewer folders to scan), while account exclusions only affect what’s displayed in the results (all folders are still scanned).
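As an added illustration (not the product's own code), the following Python model applies the directory rules (exact path, name contains, global and per-directory depth) and the account rules (disabled, unresolved SID, exact SID, name contains) described above to a constructed share tree, showing that directory exclusions prune what gets scanned while account exclusions only filter the result rows. `ExcludeProfile`, `run_audit`, the share paths, account names and SIDs are all hypothetical sample values.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class ExcludeProfile:                                   # hypothetical mirror of the Exclude tab settings
    exact_paths: set = field(default_factory=set)       # "By exact path"
    name_contains: set = field(default_factory=set)     # "By directory name" (case-insensitive substring)
    global_depth: Optional[int] = None                  # "Limit global depth"; None = unlimited
    per_root_depth: dict = field(default_factory=dict)  # root -> depth, overrides the global limit
    excluded_sids: set = field(default_factory=set)     # "By account name (exact match)" stores the SID
    account_contains: set = field(default_factory=set)  # "By account name (contains)"
    exclude_disabled: bool = False
    exclude_unresolved: bool = False

def dir_excluded(p, root, path):  # directory rules run while scanning: an excluded subtree is never visited
    depth, limit = path[len(root):].count("\\"), p.per_root_depth.get(root, p.global_depth)  # root = depth 0
    return (path.lower() in {x.lower() for x in p.exact_paths}
            or any(s.lower() in path.rsplit("\\", 1)[-1].lower() for s in p.name_contains)
            or (limit is not None and depth > limit))
def keep_account(p, sid, accounts):  # account rules run on the results only; None drops the row
    if sid in p.excluded_sids:
        return None
    if sid not in accounts:                             # deleted from AD: kept as a raw SID unless excluded
        return None if p.exclude_unresolved else sid
    name, disabled = accounts[sid]
    drop = (p.exclude_disabled and disabled) or any(s.lower() in name.lower() for s in p.account_contains)
    return None if drop else name
def run_audit(p, roots, tree, accounts):  # returns (folders actually scanned, result rows)
    scanned, rows = [], []
    for root in roots:
        for path in sorted(x for x in tree if (x + "\\").lower().startswith((root + "\\").lower())):
            parts = path[len(root):].strip("\\").split("\\") if len(path) > len(root) else []
            chain = [root] + [root + "\\" + "\\".join(parts[:i + 1]) for i in range(len(parts))]
            if not any(dir_excluded(p, root, c) for c in chain):  # excluded ancestor prunes the subtree
                scanned.append(path)
                rows += [(path, n) for sid in tree[path] if (n := keep_account(p, sid, accounts))]
    return scanned, rows

TREE = {  # constructed sample (not real shares or SIDs): folder -> SIDs holding permissions on it
    r"\\fileserver\shared": ["S-1-5-21-1-1-1-1001"],
    r"\\fileserver\shared\finance": ["S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002"],
    r"\\fileserver\shared\finance\temp_files": ["S-1-5-21-1-1-1-1003"],
    r"\\fileserver\shared\finance\2023\q1": ["S-1-5-21-1-1-1-9999"],  # 9999 no longer exists in AD
    r"\\fileserver\archive": ["S-1-5-21-1-1-1-1002"],
    r"\\fileserver\archive\2019\docs": ["S-1-5-21-1-1-1-1002"],
    r"\\fileserver\archive\2019\docs\old": ["S-1-5-21-1-1-1-1002"],
}
ACCOUNTS = {"S-1-5-21-1-1-1-1001": ("CORP\\jdoe", False), "S-1-5-21-1-1-1-1003": ("CORP\\former_employee", True),
            "S-1-5-21-1-1-1-1002": ("CORP\\svc_backup", False)}  # constructed: SID -> (name, disabled)
ROOTS = [r"\\fileserver\shared", r"\\fileserver\archive"]
PROFILE = ExcludeProfile(name_contains={"temp"}, per_root_depth={r"\\fileserver\archive": 2}, account_contains={"svc_"})
```

With `PROFILE`, `run_audit(PROFILE, ROOTS, TREE, ACCOUNTS)` scans five of the seven folders (temp_files is skipped by name, archive\2019\docs\old by the per-root depth of 2) and keeps three rows, including the unresolved SID on finance\2023\q1 because "Exclude unresolved accounts" is off.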
| Goal | What to exclude |
|---|---|
| Skip temp and cache folders | Directory name: “temp”, “cache”, “Recycle” |
| Audit only top-level permissions | Global depth limit: 0 or 1 |
| Hide built-in Windows accounts | Account name contains: “NT AUTHORITY” |
| Remove deleted user remnants | Enable “Exclude unresolved accounts” |
| Focus on active access only | Enable “Exclude disabled accounts” |
| Skip a specific archive share | Directory path: \\server\archive |