Netwrix Access Analyzer MCP Server

An MCP server implementation specifically engineered for integration with Netwrix Access Analyzer (NAA) within the Claude Desktop ecosystem. Primarily supports connectivity for both Active Directory (AD) and File System auditing components.

Core Capabilities

Seamless MSSQL database linkage established upon service initiation.
Interactive discovery and mapping of underlying database structures.
Capability to execute arbitrary Transact-SQL commands.
Access to proprietary auditing functions for Netwrix Access Analyzer File System scans.

System Prerequisites

This server component necessitates the following software prerequisites for operational success:

Python interpreter, version 3.12 or newer.
The official MCP Software Development Kit (SDK).
pyodbc library, minimum version 4.0.39 (essential for ODBC/SQL communication).
python-dotenv package, minimum version 1.0.0 (for secure environment variable handling).
A system-level installation of the Microsoft ODBC Driver 17 for SQL Server or a more recent iteration.

NAA Prerequisite Check

Operation of this server mandates that prerequisite security assessment scans (either File System or Active Directory) have been previously executed and completed within the Netwrix Access Analyzer platform.

Exposed Functionality Set

System Scope	Endpoint Name	Functionality Summary
Active Directory	Get-ADEffectiveMembership	Calculates and reports effective group membership across AD, supporting granular filtering.
Active Directory	Get-ADExceptions	Fetches recorded exception reports from AD configurations, optionally filtered.
Active Directory	Get-ADPermissions	Retrieves granular access control lists (ACLs) from the AD permissions view.
Active Directory	Get-DomainControllers	Generates a roster of currently active domain controllers.
Active Directory	Get-CertificateVulnerabilities	Identifies known security weaknesses associated with deployed certificates.
Active Directory	Get-ADCARights	Lists rights assignments related to Active Directory Certificate Authorities (CA).
Active Directory	Get-ADSecurityAssessment	Returns comprehensive results from prior AD security evaluations.
Active Directory	Get-ADUsers	Queries and returns specified user account attributes with filtering.
Active Directory	Get-ADGroups	Queries and returns specified group object attributes with filtering.
Active Directory	Get-ADComputers	Queries and returns specified computer object attributes with filtering.
Database	Connect-Database	Establishes the initial connection session to the configured MSSQL instance.
Database	Show-ConnectionStatus	Displays the current operational state of the database linkage.
Database	Show-TableSchema	Renders the structural definition (schema) for a designated database table.
File System	Discover-SensitiveData	Locates and reports instances where defined DLP patterns match content on file shares.
File System	Get-OpenShares	Identifies network shares exhibiting overly permissive access grants to broad user sets.
File System	Get-TrusteeAccess	Maps all resources accessible by a specific security principal (trustee).
File System	Get-TrusteePermissionSource	Determines the origin point for a trustee's granted permissions on a target object.
File System	Get-ResourceAccess	Calculates the effective permissions held by users/groups for a given file path.
File System	Get-UnusedAccess	Highlights access permissions held by accounts that have not utilized them recently.
File System	Get-RunningJobs	Lists the active or pending jobs managed by Netwrix Access Auditor components.
File System	Get-ShadowAccess	Retrieves detailed information regarding potential 'shadow' or hidden access paths.

Deployment Protocol (For Claude Desktop)

Install Claude Desktop Application
Obtain the client software from the official distribution point: https://claude.ai/download
Proceed with the standard installation routine appropriate for your host OS (Windows, macOS, or Linux).
Source Code Retrieval sh git clone https://github.com/netwrix/mcp-server-naa.git cd mcp-server-naa
MCP Integration Configuration
Configure the Claude Desktop management interface by integrating the following setting block, ensuring the uv executable path is correctly resolved: "NAA_AD": { "command": "/path/to/uv", "args": [ "run", "--with", "pyodbc", "fastmcp", "run", "/path/to/mcp-server-naa/run.py" ], "env": { "DB_SERVER": "HOST OR IP", "DB_NAME": "DATABASENAME", "DB_USER": "USERNAME", "DB_PASSWORD": "PASSWORD", "DB_USE_WINDOWS_AUTH": "FALSE|TRUE" } }

Troubleshooting Guides

Database Connectivity Faults

If connection attempts fail, systematically check the following points:

Confirmation that the target SQL Server is operational and reachable across the network segment.
Scrutinize supplied authentication details stored in the .env configuration file.
Validate that the required ODBC driver software is present and correctly registered on the host machine.
Review server process logs for granular diagnostic error messages.

Client Integration Failures

If the Claude Desktop runtime cannot locate the uv command utility:

Manually provide the absolute, qualified file path to uv within the configuration object (use system commands like which uv or where uv to determine the location).
Ensure Claude Desktop has been completely relaunched subsequent to any modifications made to its MCP configuration files.
Examine the dedicated logs generated by the Claude application for related initialization errors.

User Assistance

For support regarding the utility's operation or interpretation of analysis outputs, please consult the official Netwrix Community Portal. Assistance is readily available there.