Permissions Reporter (CJWDEV) vs Risk-Scoring Auditors: More Than Just a Permissions List
CJWDEV Permissions Reporter is the most recognized standalone NTFS permissions reporting tool on Windows. It's been around for years, it works, and for many sysadmins it's the default answer when someone asks "how do I get a permissions report for this file share?"
So why would you consider anything else?
The answer isn't that Permissions Reporter is bad. It does what it says — reports permissions. The gap is in what it doesn't do: tell you which permissions are dangerous, produce timestamped audit evidence, or compare permissions between two points in time.
What CJWDEV Permissions Reporter does
Permissions Reporter walks a directory tree and outputs the NTFS permissions at each level. You get a report showing which principals have which access rights on which folders. The output can be viewed in the application's UI, exported to HTML, or saved as a CSV.
For a sysadmin who needs to see what permissions exist on a file share, this is useful. You can scan a path, browse the results, and answer the question "who has access to this folder?"
The tool costs $199+ for a single license and has been the go-to in this space largely because there hasn't been meaningful competition at the standalone desktop tool level.
Where the gap appears
No risk scoring
Permissions Reporter tells you what permissions exist. It doesn't tell you which ones are dangerous.
A file share with 5,000 folders and 40,000 ACL entries produces a massive report. Scrolling through it looking for "Everyone" or "Authenticated Users" with Write access is manual work. Finding orphaned SIDs requires you to recognize SID strings visually. Identifying broken inheritance requires checking each folder's inheritance status individually.
A risk-scored report does this work for you: every entry evaluated against risk criteria, flagged by severity, and sorted into a separate findings file. The full report exists for completeness — but the risk report is the action list. This is the difference between a data dump and an audit.
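The three checks named above (broad groups with write access, unresolved SIDs, disabled inheritance) can be run as a short script over a flat ACL export. This is an added example, not code from either tool; the CSV column names, the constructed sample rows and the severity given to each check are assumptions.

```python
import csv
import io
import re

# Constructed sample rows. The column names are assumptions for this example,
# not the export schema of any particular tool.
SAMPLE_CSV = r'''Path,Principal,Rights,Type,InheritanceEnabled
\\fs01\share\Finance,Everyone,"Modify, Synchronize",Allow,True
\\fs01\share\Finance,CORP\Finance-RW,Modify,Allow,True
\\fs01\share\HR,S-1-5-21-1004336348-1177238915-682003330-5123,ReadAndExecute,Allow,False
\\fs01\share\HR,NT AUTHORITY\Authenticated Users,Write,Deny,False
\\fs01\share\Public,NT AUTHORITY\Authenticated Users,ReadAndExecute,Allow,True
'''

BROAD = {"everyone", "authenticated users"}      # principals the article calls out
WRITE_RIGHTS = {"write", "modify", "fullcontrol"}
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")         # a principal that never resolved to a name
ORDER = {"High": 0, "Medium": 1, "Low": 2}       # severity mapping is an assumption


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def score(rows):
    """Return (severity, path, principal, reason) tuples, most severe first."""
    findings, seen_broken = [], set()
    for r in rows:
        path, who = r["Path"], r["Principal"].strip()
        rights = {x.strip().lower() for x in r["Rights"].split(",")}
        short = who.rsplit("\\", 1)[-1].lower()  # drop a DOMAIN\ or NT AUTHORITY\ prefix
        # Only Allow entries grant access; a Deny Write for a broad group is not exposure.
        if r["Type"] == "Allow" and short in BROAD and rights & WRITE_RIGHTS:
            findings.append(("High", path, who, "broad group can write"))
        if SID_RE.match(who):
            findings.append(("Medium", path, who, "orphaned SID"))
        # Report disabled inheritance once per folder, not once per entry.
        if r["InheritanceEnabled"] == "False" and path not in seen_broken:
            seen_broken.add(path)
            findings.append(("Low", path, "", "inheritance disabled"))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for finding in score(load(SAMPLE_CSV)):
        print(*finding, sep=" | ")
```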
No structured evidence pack
Permissions Reporter's output is tied to its application. You can export to HTML or CSV, but the tool doesn't produce a self-contained evidence pack with a summary, an inventory, a risk report, and a machine-readable JSON — timestamped and ready to archive or hand to an auditor.
For compliance-driven audits (SOC 2, HIPAA, ISO 27001), the output format matters as much as the content. An HTML file generated from a tool's export function is usable but not ideal. A timestamped folder containing a summary, a full CSV, a risk CSV, and a JSON file is purpose-built for audit evidence.
No delta comparison between runs
Permissions Reporter shows the current state of permissions. It doesn't compare the current state against a previous scan to show what changed.
For quarterly reviews, delta comparison is the most useful feature: "Here's what the permissions looked like last quarter, here's what they look like now, and here are the specific changes." This is what auditors ask for when they say "show me your access review process" — evidence that you reviewed permissions at two points in time and documented the differences.
Without delta comparison, quarterly reviews require manually comparing two exports side by side — which is tedious enough that most people don't do it, which means the quarterly review becomes a quarterly re-scan with no trend analysis.
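The side-by-side comparison of two exports described above reduces to a keyed set difference. This is an added example, not code from either tool; the CSV column names and both constructed snapshots are assumptions.

```python
import csv
import io

# Constructed snapshots. The column names are assumptions for this example,
# not the export schema of any particular tool.
LAST_QUARTER = r'''Path,Principal,Type,Rights
\\fs01\share\Finance,CORP\Finance-RW,Allow,Modify
\\fs01\share\Finance,CORP\jsmith,Allow,ReadAndExecute
\\fs01\share\HR,CORP\HR-RW,Allow,"Modify, Synchronize"
\\fs01\share\HR,CORP\contractor1,Allow,Modify
'''
THIS_QUARTER = r'''Path,Principal,Type,Rights
\\FS01\share\Finance,CORP\Finance-RW,Allow,Modify
\\fs01\share\Finance,CORP\jsmith,Allow,FullControl
\\fs01\share\HR,CORP\HR-RW,Allow,"Synchronize, Modify"
\\fs01\share\HR,Everyone,Allow,ReadAndExecute
'''


def index(text):
    """Map (path, principal, type) -> set of rights.

    Paths and account names are case-insensitive on Windows, so keys are
    lower-cased; rights are held as a set so that ordering differences in
    the export do not show up as changes.
    """
    aces = {}
    for r in csv.DictReader(io.StringIO(text)):
        key = (r["Path"].lower(), r["Principal"].lower(), r["Type"].lower())
        rights = {x.strip() for x in r["Rights"].split(",")}
        aces[key] = aces.get(key, frozenset()) | rights
    return aces


def delta(old_text, new_text):
    """Return entries added, removed, and changed between two snapshots."""
    old, new = index(old_text), index(new_text)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted((k, sorted(old[k]), sorted(new[k]))
                     for k in old.keys() & new.keys() if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    for kind, items in delta(LAST_QUARTER, THIS_QUARTER).items():
        for item in items:
            print(kind, item)
```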
Nagware behavior
CJWDEV's trial experience is well-documented in forums: the trial version includes persistent reminders and limitations that feel more aggressive than most sysadmin tools. This isn't a fatal flaw, but it colors the experience and makes evaluation less pleasant than it should be.
The honest comparison
| Capability | CJWDEV Permissions Reporter | Risk-scoring auditor |
|---|---|---|
| Permission enumeration | ✅ Yes | ✅ Yes |
| Inherited vs explicit separation | ✅ Yes | ✅ Yes |
| SID resolution | ✅ Yes | ✅ Yes |
| Risk scoring (Everyone, orphaned SIDs, broken inheritance) | ❌ No | ✅ Built in |
| Structured evidence pack (summary + CSV + risk report + JSON) | ❌ No (export only) | ✅ Automatic |
| Delta comparison between runs | ❌ No | ✅ Pro+ |
| CLI for automation | ❌ No | ✅ Pro+ |
| Price | $199+ | $149-349 |
| Trial experience | Nagware | Watermarked evidence, no nag |
When CJWDEV is enough
Permissions Reporter is sufficient when:
- You need a permissions report, not a risk assessment — you'll identify the dangerous entries yourself
- You don't need structured audit evidence — the HTML or CSV export meets your documentation needs
- You don't need delta comparison — you review the current state without comparing to a baseline
- You're familiar with the tool and have an existing workflow built around it
If Permissions Reporter is already working for you and your auditor accepts its output, there's no compelling reason to switch for the sake of switching.
When risk scoring changes the equation
A risk-scoring auditor becomes the better choice when:
- Your file server has thousands of folders and you need the dangerous entries flagged automatically rather than found manually in a 40,000-row report
- Compliance requires documented evidence with timestamps, summaries, and structured output — not just an export from a reporting tool
- Quarterly reviews need trend analysis — delta comparison between runs shows what changed, not just what exists
- You want CLI automation — script permissions audits into scheduled jobs or monitoring workflows
- Budget is a consideration — $149 for a tool with risk scoring, evidence packs, and CLI beats $199+ for a tool without them
What to do next
If you're evaluating NTFS permissions reporting tools and CJWDEV Permissions Reporter is on your shortlist, it's worth comparing the output side by side.
NTFS Permissions Auditor adds risk scoring, a structured evidence pack, and delta comparison (Pro+) to the same core capability. The trial scans 500 paths with full risk scoring. Run it on the same file share you'd scan with Permissions Reporter and compare what each tool produces — not just the data, but the analysis and the output format.