Excluded Principals
The Excluded Principals settings allow you to filter out common Windows system accounts and service principals from the folder permissions report. This reduces noise and helps you focus on the user and group permissions that matter most for security auditing.
Accessing Excluded Principals Settings
Open your project settings and select the Excluded Principals tab. This tab contains checkboxes for each category of principals that can be excluded.
Exclusion Options
Enable any of the following options to exclude matching principals from the folder permissions report:
SYSTEM Account (S-1-5-18)
Excludes the Local System account, which is used by the Windows operating system and many Windows services. This account typically has Full Control permissions on system folders and is present on virtually every Windows folder.
Built-in Administrators Group (S-1-5-32-544)
Excludes the local Administrators group, which has full administrative access to the computer. Members of this group have unrestricted access to all local resources by default.
CREATOR OWNER and CREATOR GROUP (S-1-3-0, S-1-3-1)
Excludes the CREATOR OWNER and CREATOR GROUP placeholder principals. These are special identities that Windows replaces with the actual owner or primary group when inheritable permissions are applied to child objects. They commonly appear in default permission templates.
TrustedInstaller
Excludes the Windows Modules Installer service identity (NT SERVICE\TrustedInstaller). This account owns and has Full Control over Windows system files and is used to protect operating system components from modification.
NT SERVICE Accounts (S-1-5-80-*)
Excludes all virtual service accounts in the NT SERVICE domain. These are per-service identity accounts automatically created by Windows for services configured to run under virtual accounts. Examples include NT SERVICE\MSSQLSERVER and NT SERVICE\Spooler.
LOCAL SERVICE and NETWORK SERVICE (S-1-5-19, S-1-5-20)
Excludes the two built-in service accounts used by Windows services:
- LOCAL SERVICE - A limited-privilege account for services that don't need network access
- NETWORK SERVICE - A limited-privilege account for services that need to access network resources
Application Package Authorities (S-1-15-*)
Excludes principals in the Application Package Authority, which includes:
- ALL APPLICATION PACKAGES (S-1-15-2-1)
- ALL RESTRICTED APPLICATION PACKAGES (S-1-15-2-2)
- Individual app package SIDs for UWP/Windows Store applications
These principals are used by the Windows app container security model for sandboxing modern applications.
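The following is an added example, not code from the product, showing how the exclusion options above translate into SID-based filtering of a folder permissions report. The `Ace` record, the option names as dictionary keys, the domain SIDs and every path and account in the sample are constructed for illustration; the well-known SIDs are the ones listed on this page, plus TrustedInstaller's published service SID (which also falls inside the S-1-5-80 range, so the NT SERVICE option removes it as well).

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry as a folder permissions scan would list it (constructed shape)."""
    path: str
    sid: str
    account: str
    rights: str


# The exclusion options from this page, in the order they are listed, each with the
# predicate that decides whether an entry belongs to that category. TrustedInstaller is
# matched by account name because the page identifies it by name; its SID also starts
# with S-1-5-80-, so enabling only "NT SERVICE Accounts" removes it too.
EXCLUSION_OPTIONS: Dict[str, Callable[[Ace], bool]] = {
    "SYSTEM Account": lambda a: a.sid == "S-1-5-18",
    "Built-in Administrators Group": lambda a: a.sid == "S-1-5-32-544",
    "CREATOR OWNER and CREATOR GROUP": lambda a: a.sid in {"S-1-3-0", "S-1-3-1"},
    "TrustedInstaller": lambda a: a.account.upper() == r"NT SERVICE\TRUSTEDINSTALLER",
    # The trailing hyphen matters: a bare "S-1-5-8" prefix would also match unrelated SIDs.
    "NT SERVICE Accounts": lambda a: a.sid.startswith("S-1-5-80-"),
    "LOCAL SERVICE and NETWORK SERVICE": lambda a: a.sid in {"S-1-5-19", "S-1-5-20"},
    "Application Package Authorities": lambda a: a.sid.startswith("S-1-15-"),
}


def enable_all() -> Set[str]:
    """Equivalent of the Enable All button: every option checked."""
    return set(EXCLUSION_OPTIONS)


def disable_all() -> Set[str]:
    """Equivalent of the Disable All button: no option checked."""
    return set()


def matching_option(ace: Ace, enabled: Set[str]) -> Optional[str]:
    """Return the first enabled option that excludes this entry, or None if it is kept."""
    for name, matches in EXCLUSION_OPTIONS.items():
        if name in enabled and matches(ace):
            return name
    return None


def apply_exclusions(aces: Iterable[Ace], enabled: Set[str]) -> Tuple[List[Ace], Dict[str, int]]:
    """Split a report into kept entries and a count of entries removed per option."""
    kept: List[Ace] = []
    removed: Dict[str, int] = {name: 0 for name in EXCLUSION_OPTIONS if name in enabled}
    for ace in aces:
        hit = matching_option(ace, enabled)
        if hit is None:
            kept.append(ace)
        else:
            removed[hit] += 1
    return kept, removed


# Constructed sample: a typical default ACL on a data folder plus two domain principals.
# Domain SIDs (S-1-5-21-...) and the MSSQLSERVER service SID are made up for the example.
SAMPLE_ACES = [
    Ace(r"C:\Data\Finance", "S-1-5-18", r"NT AUTHORITY\SYSTEM", "FullControl"),
    Ace(r"C:\Data\Finance", "S-1-5-32-544", r"BUILTIN\Administrators", "FullControl"),
    Ace(r"C:\Data\Finance", "S-1-3-0", "CREATOR OWNER", "FullControl"),
    Ace(r"C:\Data\Finance", "S-1-5-21-1000000001-2000000002-3000000003-1105", r"CORP\Finance-RW", "Modify"),
    Ace(r"C:\Data\Finance", "S-1-5-21-1000000001-2000000002-3000000003-513", r"CORP\Domain Users", "FullControl"),
    Ace(r"C:\Data\Finance", "S-1-5-80-111111111-222222222-333333333-444444444-555555555", r"NT SERVICE\MSSQLSERVER", "Modify"),
    Ace(r"C:\Windows\servicing", "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464", r"NT SERVICE\TrustedInstaller", "FullControl"),
    Ace(r"C:\Data\Finance", "S-1-5-19", r"NT AUTHORITY\LOCAL SERVICE", "ReadAndExecute"),
    Ace(r"C:\Data\Finance", "S-1-15-2-1", "ALL APPLICATION PACKAGES", "ReadAndExecute"),
]

if __name__ == "__main__":
    kept, removed = apply_exclusions(SAMPLE_ACES, enable_all())
    for name, count in removed.items():
        print(f"{name}: {count} entr{'y' if count == 1 else 'ies'} excluded")
    print("Remaining entries needing review:")
    for ace in kept:
        print(f"  {ace.path}  {ace.account}  {ace.rights}")
```

With every option enabled, the seven system entries drop out and only the two domain principals remain, which makes the over-broad Domain Users Full Control grant the first thing a reviewer sees. Because an entry is attributed to the first matching option in page order, the removal counts add up to the number of excluded entries even when categories overlap.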
Quick Actions
Use the Enable All and Disable All buttons to quickly check or uncheck all exclusion options at once.
Scope of Exclusions
Important: Principal exclusions affect only the folder permissions report. They do not affect:
- The File Permissions Report - which has its own filtering options
- The Principals Report - which shows all discovered principals
- Share Permissions - which report all share-level permissions
For more advanced exclusion scenarios, such as excluding specific users or groups by name pattern, or excluding principals based on permission type, use the Scan Filter settings.
When to Use Principal Exclusions
Consider enabling these exclusions when:
- You want to focus on user and group permissions rather than system accounts
- Your reports are cluttered with Windows default permissions
- You're auditing for unauthorized access and need to filter out expected system entries
- You're comparing permissions across systems and want to ignore standard Windows principals
The excluded principals will not appear in the folder permissions grid or exported reports, making it easier to identify the permissions that require attention.