RE: Automate group membership validation

If you were on a 2000/2003 domain, you could use an LDAP query, since any
account that authenticates has, by default, read access to see who's in
groups etc. So once you migrate to 2000, you could set up a webpage that,
based on supplied credentials, shows the list of group members using LDAP.
You could even have it so they could add/delete users if you gave them
rights in AD to do so.
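As an added example (not code from the thread), the LDAP-based listing described above written as a PowerShell script that builds the semiannual review list the original question asks for: it reads the explicit Modify group from each folder's ACL and resolves that group's membership over LDAP with the .NET DirectorySearcher, so no extra AD module is needed and any authenticated domain account can run it. The share root and report path are assumptions to adjust.

```powershell
# Added example, not from the original thread. Assumes one share root with one
# folder per group, each folder granted Modify to exactly one domain group
# (folder01 -> folder01group), and an AD domain reachable over LDAP.
param(
    [string]$ShareRoot  = 'D:\Shares',          # assumed path; adjust to your server
    [string]$ReportPath = 'C:\Temp\review.csv'  # assumed output location
)

function Get-FolderGroup {
    # Return the domain group granted Modify directly on the folder (not inherited).
    param([string]$Path)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $entry = (Get-Acl -Path $Path).Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like '*\*' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    } | Select-Object -First 1
    if ($entry) { return ($entry.IdentityReference.Value -split '\\')[-1] }
}

function Get-GroupMembersLdap {
    # Resolve the group's user members with an LDAP query; nested groups are expanded.
    param([string]$GroupName)
    $groupSearch = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $group = $groupSearch.FindOne()
    if (-not $group) { return @() }
    $dn = $group.Properties['distinguishedname'][0]
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) follows nested membership.
    $memberSearch = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $memberSearch.PageSize = 500
    $memberSearch.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

# One row per (folder, group, member); owners validate their folder's rows.
$report = foreach ($folder in Get-ChildItem -Path $ShareRoot -Directory) {
    $group = Get-FolderGroup -Path $folder.FullName
    if (-not $group) {
        Write-Warning "No explicit Modify group on $($folder.FullName); review its ACL by hand."
        continue
    }
    foreach ($user in Get-GroupMembersLdap -GroupName $group) {
        [pscustomobject]@{ Folder = $folder.Name; Group = $group; Member = $user }
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Folders that produce a warning are the ones that drift from the one-group-per-folder convention and deserve a manual look before the review is sent out.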

-----Original Message-----
From: benoit.fortin@xxxxxxx [mailto:benoit.fortin@xxxxxxx]
Sent: Friday, March 10, 2006 9:58 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Automate group membership validation


The company for which I work has a security policy that I have to comply
with. According to this policy, all group lists providing access to shared
information must be reviewed every 6 months.

I have about 100 different folders, on only one file server, with
different NTFS permissions to manage. Each of those folders has an owner,
and the owners have the responsibility to review who can access their

The security on each folder contains only one group of users and each
group is only assigned to one folder. For example, the folder "folder01"
would only have the "folder01group" group assigned to the folder with
Modify permissions. The different ACLs are only applied on the root of
these folders - so the folder "folder01\subfolder01" will have the same
permissions as its parent (folder01group has Modify permissions).

The domain we are using right now is running on NT domain controllers,
but we are planning to migrate to AD soon. The file server is running
Windows 2000.

Now, what I would like to find is a way to automate the management of
those permissions. Here are some of the solutions that could help me with
complying with the new policy:

Solution example number 1: The owners of the different folders go on
some website (or maybe on some other software on a share). They log on
using some username and password, and then they can view the members of
the different user groups associated with the folders that they manage.
They can validate the group and maybe send an e-mail to the Help Desk so
we can remove the users.

Solution example number 2: Same as solution 1, except that they can now
manage the removal of users in their groups (the right would be
delegated through AD). However, I don't want them to have to use some
user manager. They have to get an easy interface where all they see is
the folders names and users names.

Solution example number 3: Some software running somewhere extracts the
group membership and sends e-mails to the owners of the folders each

Is anyone here using a similar setup, or anything similar that could
help me comply with this policy? Or does anyone know some tools that could
help me?


B. Fortin
