Comparing AD Permissions

NetTools has the capability to compare the security descriptors (permissions) of two objects and display which permissions are common to both.  The objects are not limited to the same type; any object type can be compared against any other object.

The capability is provided through the context menus in NetTools, which allow the two objects to be compared to be selected.

The menu items are called:

  • Select left SD to compare
  • Compare to 'left object' SD
Compare Menu Items

The Select left SD to compare context menu item is displayed whenever an object can be selected.  The Compare to 'left object' SD menu item is displayed once a left object has been selected.  Simply select the left object, then right-click another object and the Compare to menu item will be displayed.  When Compare to 'left object' SD is selected, the Compare Permissions dialog is displayed.

Compare Permissions

The Compare Permissions dialog displays which permissions match between the two objects, showing the permissions that have been assigned to each object.  The comparison is driven by the permissions on the left object: for each left permission in turn, the right object's permissions are searched for a match.  If there is a match, the corresponding permission of the right object is shown on the same line as the left permission.  Because each permission on the left object is matched against all the permissions on the right object, a left permission can match one or more right permissions; based on the match logic, all matches are displayed.

The matching logic supports three match types:

Permissions are an exact match, shown as
Permissions are a close match, shown as
Permissions don't match, shown as

The matching logic is based on the following comparisons:

  • Trustee is the same
  • Access type, allow or deny
  • Specific Permissions assigned
  • Which attributes or objects the permissions apply to
  • How the permission was inherited
  • How the permission will be inherited

For an exact match all of the above must match; for a close match only the first four need to match.  If any of the first four differ, the permissions don't match.

The permissions icon and the center column show the match result.  A gray icon means that there is no matching permission.  A coloured icon means that a match was found, and the center icon reports the type of match.

The center '*' column can be used to filter which entries are displayed.  Clicking on the center column displays the filter menu.

Compare Permissions Options

The filter options are:

Show All - shows all matching and non-matching permissions (default)
Show Matches - shows both exact and close matching permissions
Don't Match - shows all the non-matching permissions
Same Permissions - shows only the permissions that are exact matches
Close Permissions - shows only the permissions that are close matches
Only Left - displays only the permissions of the left object
Only Right - displays only the permissions of the right object

By default the Compare Permissions option reads the permissions of the selected objects when the dialog is displayed; however, there is an option to read the left object's permissions at the moment the object is selected.  This provides the ability to view the changes that have been made to an object: first save the SD of the object, then make the changes to the permissions, and finally compare against the same object.

When selecting the left object, hold down the Shift key and choose Select left SD to compare; this causes the object's permissions to be read and saved immediately.  The context menu will then show (Saved) after the Compare option.

Compare Permissions - Saved
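The following Python is an added illustration of the matching logic, the filter options and the saved-SD workflow described above; it is not NetTools code and does not read real security descriptors.  The Ace field names, the mode strings and the sample entries are this example's own constructions, and the decision to list a right-object entry that no left entry matched as a gray row is an assumption about the dialog.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# The three match results the Compare Permissions dialog distinguishes.
EXACT, CLOSE, NONE = "exact", "close", "none"


@dataclass(frozen=True)
class Ace:
    """One access control entry. Field names are this example's own (assumed), not NetTools'."""
    trustee: str            # who the entry applies to
    access_type: str        # "Allow" or "Deny"
    rights: FrozenSet[str]  # specific permissions granted or denied
    applies_to: str         # attribute or object class the rights apply to
    inherited_from: str     # how the entry was inherited: "explicit" or the parent it came from
    inherit_to: str         # how the entry will be inherited by child objects


def match_type(left: Ace, right: Ace) -> str:
    """Classify one left/right pair using the six comparisons the page lists."""
    first_four = (
        left.trustee == right.trustee
        and left.access_type == right.access_type
        and left.rights == right.rights
        and left.applies_to == right.applies_to
    )
    if not first_four:
        return NONE          # any of the first four differing means no match at all
    if left.inherited_from == right.inherited_from and left.inherit_to == right.inherit_to:
        return EXACT         # all six agree
    return CLOSE             # first four agree, only the inheritance differs


Row = Tuple[Optional[Ace], Optional[Ace], str]  # (left column, right column, match)


def compare_sds(left_sd: List[Ace], right_sd: List[Ace]) -> List[Row]:
    """Walk the left entries and search the right entries for each one.

    A left entry can match several right entries, so every hit becomes its own row;
    a left entry with no hit becomes one gray row with an empty right column, and
    (assumption) right entries nothing matched are appended as gray rows too.
    """
    rows: List[Row] = []
    matched_right = set()
    for left in left_sd:
        hits = []
        for right in right_sd:
            m = match_type(left, right)
            if m != NONE:
                hits.append((left, right, m))
                matched_right.add(right)
        rows.extend(hits if hits else [(left, None, NONE)])
    rows.extend((None, right, NONE) for right in right_sd if right not in matched_right)
    return rows


def _distinct(entries):
    seen, out = set(), []
    for e in entries:
        if e is not None and e not in seen:
            seen.add(e)
            out.append(e)
    return out


def filter_rows(rows: List[Row], mode: str) -> List[Row]:
    """Apply one of the seven filter menu options to the comparison result."""
    by_match = {
        "Show All": (EXACT, CLOSE, NONE),
        "Show Matches": (EXACT, CLOSE),
        "Don't Match": (NONE,),
        "Same Permissions": (EXACT,),
        "Close Permissions": (CLOSE,),
    }
    if mode in by_match:
        return [r for r in rows if r[2] in by_match[mode]]
    if mode == "Only Left":
        return [(l, None, NONE) for l in _distinct(r[0] for r in rows)]
    if mode == "Only Right":
        return [(None, r, NONE) for r in _distinct(r[1] for r in rows)]
    raise ValueError(f"unknown filter: {mode}")


# Constructed sample: an OU's SD saved with Shift+Select, then the OU after a change.
HELPDESK, DA, AUD = "EXAMPLE\\HelpDesk", "EXAMPLE\\Domain Admins", "EXAMPLE\\Auditors"
SAVED_SD = [
    Ace(DA, "Allow", frozenset({"GenericAll"}), "this object", "explicit", "this object and all descendants"),
    Ace(HELPDESK, "Allow", frozenset({"WriteProperty"}), "pwdLastSet", "explicit", "descendant user objects"),
    Ace(AUD, "Allow", frozenset({"ReadProperty"}), "this object", "OU=Parent (inherited)", "this object and all descendants"),
]
CURRENT_SD = [
    SAVED_SD[0],                                                                                        # untouched -> exact
    Ace(HELPDESK, "Allow", frozenset({"WriteProperty"}), "pwdLastSet", "explicit", "this object only"),  # scope narrowed -> close
    Ace(HELPDESK, "Allow", frozenset({"ResetPassword"}), "this object", "explicit", "descendant user objects"),  # newly added -> gray
]   # the Auditors entry was removed, so its left row has no match


def summarize(rows: List[Row]) -> dict:
    """Count rows per filter option, i.e. what each menu choice would leave on screen."""
    return {mode: len(filter_rows(rows, mode)) for mode in
            ("Show All", "Show Matches", "Don't Match", "Same Permissions",
             "Close Permissions", "Only Left", "Only Right")}


if __name__ == "__main__":
    for left, right, m in compare_sds(SAVED_SD, CURRENT_SD):
        print(f"{m:5}  {left and left.trustee!s:30} | {right and right.trustee}")
    print(summarize(compare_sds(SAVED_SD, CURRENT_SD)))
```

Running the script prints one line per comparison row: the Domain Admins entry as an exact match, the HelpDesk WriteProperty entry as a close match (only its inheritance scope changed), the removed Auditors entry and the newly added ResetPassword entry as gray rows.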