Permissions Reporter helps businesses of all shapes and sizes manage their NTFS file system permissions. In this article, we'll discuss the topics of performance and workload scalability.
Performance Characteristics
Permissions Reporter pairs an advanced multi-threaded workload analysis engine with a proprietary in-memory database to deliver superior performance. However, there are many factors that can affect the speed and scalability of any given file system security analysis, including:
- Storage device performance
- Product workload & configuration
- Available resources on the host machine
Let's take a closer look at some of these factors, and then conclude with a brief discussion on how you can also limit CPU and I/O resource usage when needed.
Storage Device Performance
Storage device type has a significant impact on file system permissions analysis performance. In tests executed against a local SSD with fast network connectivity to Active Directory, Permissions Reporter regularly analyzes millions of files in minutes - even with all program features enabled.
In real-world reporting scenarios, the storage devices that you analyze with Permissions Reporter will be subject to I/O contention. Further, the file system analysis itself will create I/O - thereby potentially slowing storage response times for users.
Best practice: Use the built-in scheduling capabilities of Permissions Reporter to execute and export NTFS permissions reports outside of normal business hours. See our Auditing NTFS Permissions guide for detailed scheduling instructions. Note that XML data exports can be re-imported directly by Permissions Reporter at a later time.
Product Workload & Configuration
How you configure Permissions Reporter matters a great deal. The product offers a wide range of features and functions, each of which affects workload performance.
When configuring your Permissions Reporter project, first carefully consider the desired outcome. For example, if you configure the project to analyze a massive networked storage device with all features enabled and without any filters, the resulting permissions report is probably going to contain far more data than will be useful.
Let's briefly look at the project settings that most strongly affect performance and scalability to better inform your configuration choices.
- Project folders - Tune the project paths to constrain workload scope.
- File permissions report - Consider disabling if you don't need file-level permissions data.
- File owners report - Consider disabling if you don't need file ownership data.
- Group member extraction - Consider disabling if you don't need to see group members in reports.
- Scan filter - Use filters to limit the data you're collecting to specific users, groups, and more.
Best practice: Disable product features you don't require, and use scan filtering to limit the amount of data returned by any given project configuration. Create reports that contain reasonable, actionable quantities of data.
Path & Principal Exclusions
Permissions Reporter 5 introduces expanded exclusion options that can dramatically reduce scan times and memory usage by skipping content that isn't relevant to your security analysis.
Path Exclusions
The Excluded Paths tab in project settings now offers several new options for excluding folders that typically don't require permissions analysis:
- DFS links - Skip Distributed File System link traversal to avoid duplicate scanning.
- Offline (cloud) folders - Exclude cloud-synced folders that may trigger unnecessary downloads.
- Virtual folders - Skip Windows Container Isolation (WCI) and Projected File System (ProjFS) folders.
- Mount points and symbolic links - Avoid following reparse points that may lead outside your intended scope.
- Hidden and system folders - Exclude operating system folders that rarely require auditing.
- Depth limits - Stop scanning beyond a specified folder depth level.
Principal Exclusions
The new Excluded Principals tab provides quick toggles to exclude common system accounts from folder permissions reports. This reduces noise without requiring complex filter rules:
- SYSTEM account (S-1-5-18)
- Built-in Administrators group (S-1-5-32-544)
- CREATOR OWNER and CREATOR GROUP
- TrustedInstaller
- NT SERVICE accounts
- LOCAL SERVICE and NETWORK SERVICE
- Application Package authorities (S-1-15-*)
Best practice: Use path exclusions to skip cloud storage, DFS links, and virtual folders when scanning local or network storage. Use principal exclusions to reduce noise from system accounts that appear on nearly every folder.
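To preview what the principal exclusions listed above would remove from a folder permissions report, the following added example (not Permissions Reporter's own code) matches trustee SIDs against those categories. Only S-1-5-18, S-1-5-32-544 and S-1-15-* appear on this page; the other values are the standard Windows well-known SIDs for the named accounts, and the function names, sample ACEs and domain SID are constructed for illustration.

```python
import re
from collections import Counter

# Page-listed principals mapped to well-known SID patterns.
# Order matters: TrustedInstaller is itself an S-1-5-80-* service SID.
EXCLUDED = [
    ("SYSTEM", r"S-1-5-18"),
    ("Built-in Administrators", r"S-1-5-32-544"),
    ("CREATOR OWNER", r"S-1-3-0"),
    ("CREATOR GROUP", r"S-1-3-1"),
    ("TrustedInstaller",
     r"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"),
    ("NT SERVICE account", r"S-1-5-80(-\d+)+"),
    ("LOCAL SERVICE", r"S-1-5-19"),
    ("NETWORK SERVICE", r"S-1-5-20"),
    ("Application Package authority", r"S-1-15(-\d+)+"),
]
RULES = [(name, re.compile(pattern)) for name, pattern in EXCLUDED]

# Constructed sample ACEs: (folder, trustee SID, rights). The domain SID is made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACES = [
    (r"D:\Shares\Finance", "S-1-5-18", "FullControl"),
    (r"D:\Shares\Finance", "S-1-5-32-544", "FullControl"),
    (r"D:\Shares\Finance", "S-1-3-0", "FullControl"),
    (r"D:\Shares\Finance", DOM + "-1104", "Modify"),
    (r"D:\Shares\Finance\Payroll", DOM + "-512", "FullControl"),
    (r"D:\Shares\Apps", "S-1-15-2-1", "ReadAndExecute"),
    (r"D:\Shares\Apps", EXCLUDED[4][1], "FullControl"),
    (r"D:\Shares\Apps", "S-1-5-32-545", "ReadAndExecute"),
]

def classify_sid(sid):
    """Return the exclusion category a SID falls under, or None."""
    sid = sid.strip().upper()
    for name, rx in RULES:
        if rx.fullmatch(sid):  # fullmatch: S-1-5-180 must not match S-1-5-18
            return name
    return None

def filter_aces(aces):
    """Split ACEs into those kept for review and a per-category drop count."""
    kept, dropped = [], Counter()
    for folder, sid, rights in aces:
        category = classify_sid(sid)
        if category:
            dropped[category] += 1
        else:
            kept.append((folder, sid, rights))
    return kept, dropped
```

In the sample, the domain RID 512 (Domain Admins) and S-1-5-32-545 (BUILTIN\Users) entries stay in the output because neither is on the exclusion list; only the exact built-in and service SIDs are dropped.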
File Report Exclusions
The file permissions report can be one of the most resource-intensive features, especially on file servers with millions of files. Permissions Reporter 5 adds new exclusion options to help focus this report on files that matter:
- File attribute exclusions - Skip system, hidden, or temporary files.
- File pattern exclusions - Exclude files matching specific patterns (e.g., *.tmp, *.bak, Thumbs.db).
- Maximum entry limits - Cap the number of file report entries to prevent runaway memory usage.
Best practice: Configure file pattern exclusions to skip temporary files, backup files, and other artifacts that don't require security analysis. This can reduce file report size by 50% or more in many environments.
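The three file report exclusion types above can be tried against a file listing before committing to a configuration. This added example is not Permissions Reporter's code: the evaluation order, setting names and sample listing are assumptions, and it counts what each rule drops so that entries lost to the entry cap are visible rather than silently missing.

```python
import stat
from fnmatch import fnmatchcase

# Hypothetical settings mirroring the three exclusion types described above.
EXCLUDED_ATTRS = (stat.FILE_ATTRIBUTE_SYSTEM | stat.FILE_ATTRIBUTE_HIDDEN
                  | stat.FILE_ATTRIBUTE_TEMPORARY)
EXCLUDED_PATTERNS = ["*.tmp", "*.bak", "thumbs.db"]  # lowercase; names are folded
MAX_ENTRIES = 3

HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

# Constructed sample listing: (path, Windows file attribute bits).
SAMPLE_FILES = [
    (r"D:\Shares\Finance\budget.xlsx", stat.FILE_ATTRIBUTE_ARCHIVE),
    (r"D:\Shares\Finance\~budget.tmp", stat.FILE_ATTRIBUTE_TEMPORARY),
    (r"D:\Shares\Finance\Thumbs.db", HIDDEN_SYSTEM),
    (r"D:\Shares\Finance\ledger.BAK", stat.FILE_ATTRIBUTE_ARCHIVE),
    (r"D:\Shares\HR\contracts.docx", stat.FILE_ATTRIBUTE_NORMAL),
    (r"D:\Shares\HR\desktop.ini", HIDDEN_SYSTEM),
    (r"D:\Shares\HR\reviews.docx", stat.FILE_ATTRIBUTE_ARCHIVE),
    (r"D:\Shares\IT\passwords.txt", stat.FILE_ATTRIBUTE_ARCHIVE),
]

def filter_file_report(files, attrs=EXCLUDED_ATTRS,
                       patterns=EXCLUDED_PATTERNS, cap=MAX_ENTRIES):
    """Return (kept paths, counts of entries dropped by each rule)."""
    stats = {"attribute": 0, "pattern": 0, "over_cap": 0}
    kept = []
    for path, bits in files:
        # NTFS names are case-insensitive, so compare on the lowercased name.
        name = path.rsplit("\\", 1)[-1].lower()
        if bits & attrs:
            stats["attribute"] += 1
        elif any(fnmatchcase(name, p) for p in patterns):
            stats["pattern"] += 1
        elif len(kept) >= cap:
            stats["over_cap"] += 1  # eligible file that never reaches the report
        else:
            kept.append(path)
    return kept, stats

if __name__ == "__main__":
    kept, stats = filter_file_report(SAMPLE_FILES)
    print(kept, stats)
```

A non-zero `over_cap` count means the report is incomplete for that scope, so narrow the project folders or raise the limit before relying on it.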
Available Host Machine Resources
Deciding where to install and run Permissions Reporter involves two primary qualifying metrics - memory availability and network connectivity.
As noted above, Permissions Reporter uses a special in-memory report data representation that helps to maximize performance. This is an explicit design decision - we want users to be able to query file systems of any size to construct useful permissions reports in a reasonable amount of time.
If you encounter memory-related errors during a scan with Permissions Reporter, you'll need to reduce the working project scope (see above) or make more memory available to the host operating system.
Network connectivity speed is also a significant factor in any permissions analysis that involves remote file systems. Use the fastest connection possible to reduce the lag associated with the remote file system scanning process and querying Active Directory for account data.
Best practice: Run Permissions Reporter on a domain member computer with plenty of RAM and fast network connectivity.
Global Performance Options
The Performance tab in Global Options provides settings that affect scan performance and resource usage across all projects.
Active Directory Options
Permissions Reporter 5 adds several new options that control Active Directory query behavior:
- Resolve historical SIDs - When enabled, Permissions Reporter queries the Global Catalog to resolve SIDs found in the sidHistory attribute of migrated accounts. Disable this option if you don't have migrated accounts or need faster scans. See SID History Support for details.
- LDAP referral chasing - Controls whether Permissions Reporter follows LDAP referrals during cross-domain queries. Disabling this can improve performance in single-domain environments or when cross-domain resolution isn't needed.
- LDAP query timeout - Sets the maximum time (5-300 seconds) to wait for Active Directory queries to complete. Increase this value if you experience timeouts in slow network environments; decrease it to fail faster when domain controllers are unreachable.
I/O and Threading Options
Low priority I/O mode causes Permissions Reporter to operate in a special "background" I/O mode available in Windows, lowering scheduling priority for disk and memory operations. This helps Permissions Reporter "defer" to other processes that might require storage resources.
The Threading Model setting controls how many threads are used for file system analysis. Options range from Single threaded (lowest resource usage) to Hyper-aggressive multi-threaded (fastest performance when network latency is the bottleneck).
Best practice: For scheduled overnight scans, use aggressive threading for maximum speed. For scans during business hours, consider single-threaded mode with low priority I/O to minimize impact on users. Disable SID history resolution and LDAP referral chasing if you don't need these features.