NTFS Permissions Auditor - Online Manual

Profile Options

The Options tab in the profile editor controls how the audit processes permissions and group memberships. These settings affect the depth of information collected and the scope of the audit.

Group Member Expansion

Get Group Members

When a folder’s ACL grants permissions to a security group (e.g., “Finance Team”), the audit result shows that group as having access. But often you need to know which individual users are in that group.

Get group members queries Active Directory for each group’s membership list and includes the individual members in the audit results. This is essential for answering questions like “Which users can access this folder through group memberships?”

When enabled, each group permission entry in the results becomes expandable — you can see the group itself and all its direct members listed underneath it.

When to enable: Recommended for most audits. Without group member expansion, you only see group names and won’t know which specific users have access.

Performance impact: Adds time to the audit because each group requires an Active Directory query. For environments with many groups or very large groups, this can significantly increase audit duration.

Get Nested Group Members

Active Directory allows groups to contain other groups (nested groups). For example, “All Employees” might contain “Finance Team”, which contains “Finance Managers”. A user in “Finance Managers” effectively has all the permissions granted to any of these parent groups.

Get nested group members recursively resolves group-within-group memberships, showing the complete chain of access. This gives you the full picture of who can access what, even through deeply nested group structures.

This option is only available when “Get group members” is enabled. Disabling group member expansion automatically disables nested expansion.

When to enable: Recommended for security audits, compliance reviews, and any time you need a complete picture of effective access. Skip it only if your environment doesn’t use nested groups or when performance is a concern.

Performance impact: Can significantly increase audit time in environments with deep nesting or very large group hierarchies, since each nested group requires additional AD queries.
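The difference between the two expansion options, as an added example that is not the product's code: it models direct versus nested expansion over constructed data and records the chain of groups behind each user's access. The group contents, the accounts (alice, bob, carol, dave), the ACL and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed directory data: group -> direct members (users or groups).
# Group names follow the manual's example; the accounts are made up.
GROUPS = {
    "All Employees": ["Finance Team", "bob"],
    "Finance Team": ["Finance Managers", "carol"],
    # Circular nesting (constructed): AD permits it, so visited groups are tracked.
    "Finance Managers": ["alice", "All Employees"],
}
# Constructed ACL of one folder: trustee -> rights.
ACL = {"All Employees": "Read", "Finance Team": "Modify", "dave": "FullControl"}


def expand(group, nested):
    """Map each user under `group` to the chain of groups that grants access."""
    # nested=False: direct members only; nested=True: also groups inside groups.
    found, seen, queue = {}, {group}, deque([(group, [group])])
    while queue:
        current, chain = queue.popleft()
        for member in GROUPS.get(current, []):
            if member not in GROUPS:
                found.setdefault(member, chain)  # breadth-first: shortest chain wins
            elif nested and member not in seen:
                seen.add(member)
                queue.append((member, chain + [member]))
    return found


def effective_access(acl, nested):
    """Flatten an ACL into (user, rights, chain) rows."""
    rows = []
    for trustee, rights in acl.items():
        if trustee in GROUPS:
            rows += [(u, rights, " > ".join(c)) for u, c in expand(trustee, nested).items()]
        else:
            rows.append((trustee, rights, "direct"))
    return rows


def hidden_without_nesting(acl):
    """(user, rights) pairs that only show up when nested expansion is on."""
    on = {(u, r) for u, r, _ in effective_access(acl, True)}
    off = {(u, r) for u, r, _ in effective_access(acl, False)}
    return on - off


if __name__ == "__main__":
    for row in effective_access(ACL, nested=True):
        print(row)
```

In this data the circular membership gives bob Modify through Finance Team, an access path that direct-member expansion alone never shows.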

Export Options

Exclude Groups from Excel Export

When enabled, group account entries are excluded from Excel (XLSX) exports — only individual user accounts are included. The groups are still shown in the application’s results view; this setting only affects what appears in the exported file.

This is useful when you need a flat list of individual users and their permissions for a report or spreadsheet analysis, without the group rows that act as containers.

Advanced File System Access

Enable Advanced File System Access grants the application elevated privileges to read NTFS metadata that is normally restricted, even for administrators. Specifically, it enables two Windows privileges:

  • SE_BACKUP_NAME — Allows reading all file metadata and content, bypassing standard access control checks
  • SE_RESTORE_NAME — Allows reading files in protected areas of the file system

When to enable: Use this when the audit encounters “Access denied” errors on folders that you know you should be able to read, or when you need to perform an in-depth audit that bypasses standard file access restrictions. This is particularly useful for:

  • Auditing folders where ownership has been assigned to another user
  • Scanning protected system folders
  • Performing comprehensive backup-level audits

Requirements: The user running NTFS Permissions Auditor must be a local administrator on the machine. The privilege elevation only applies to the audit process and does not permanently change any system settings.

When not to enable: Leave this off for standard audits where your account already has read access to the target folders. Enabling it unnecessarily does no harm, but it’s good practice to use the minimum privileges needed.

NIS2 Compliance Profile

NIS2 Compliance Profile marks this profile for use with NIS2 compliance auditing and reporting. NIS2 (Network and Information Systems Directive 2) is the EU cybersecurity regulation that requires organizations operating critical infrastructure to demonstrate proper access controls and regular security assessments.

When this checkbox is enabled:

  • The profile appears with an NIS2 badge on the home screen
  • Audit results from this profile can be used to generate NIS2 Compliance Reports (Pro feature) — a PDF document containing an executive summary, risk assessment, and metrics mapped to NIS2 articles
  • The NIS2 Dashboard on the home screen tracks the compliance status of this profile, including whether audits are being run regularly (NIS2 recommends monthly assessments)

Recommended settings for NIS2 profiles:

  • Get group members: Enabled — NIS2 requires understanding of effective access
  • Get nested group members: Enabled — Complete access chain visibility
  • Exclude disabled accounts: Disabled — Disabled accounts with permissions are a risk indicator that should be visible in compliance reports
  • Exclude unresolved accounts: Disabled — Orphaned SIDs are flagged as risks in the NIS2 compliance report

See NIS2 Compliance Report for details on generating the compliance PDF.

Default Filter

At the bottom of the profile editor, you can assign a saved filter to the profile. When a filter is assigned, it is automatically applied to the audit results every time you run this profile. This saves time if you always want to see the same filtered view.

To remove the assigned filter, click the Clear button next to the filter selector.

Filters are created and managed in the Filter Manager — see Filter Manager for details on creating and editing filters.


