Re: Security User access question

From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 04/14/04


Date: Wed, 14 Apr 2004 06:57:45 -0700


"rgarrow.merchant@sikorsky.com" <anonymous@discussions.microsoft.com> said

> Hi,
>
> We are a very large org and we are looking for a way
> either via a product or program that we could look at all
> of our users to see what groups > folder > files > access
> they have across the entire network.
>
> I know this is a lot to ask but I am putting this out to
> you all as I do believe the answer is out there.
>
> I am not even sure if Active Directory can provide this
> information on a user.

Active Directory alone doesn't store this information, but AD combined with
ACL information from the file system would.

> I do realize this would require a
> database but is there such a product that is able to go
> out and check every user and their access down to file
> access????

I don't know of any programs off the top of my head that could do this, but
it could be done with VBScript. You would need to do it the other way
around though. That is, instead of enumerating users and determining what
files and directories they have access to, you would need to enumerate each
file and directory then, for each one, find out which user or group had
permissions, what permissions they have and, in the case of a group,
enumerate the group membership to find out the users.

It wouldn't be simple (or quick to run) but it could be done.

The other option would be to combine VBScript with perms.exe (from the
Resource Kit). The script would need to enumerate all users then, for each
user, shell out to perms.exe and pipe the output (using >> to append) to a
text file.

e.g. To determine what permissions Fred has on a server called Server1 on
the c: drive you would shell out to:
PERMS.EXE Server1\Fred C:\*.* /S >>PERMS.TXT

The only problem with using Perms is that it has problems when the user
has been granted permissions through membership of local or global groups,
so the pure VBScript method I mentioned earlier would be a lot more
accurate.

Andy.
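
The resource-first approach described in the reply above, as an added example that is not part of the original post: every ACL entry is visited once, group trustees are expanded (including nested groups) and the result is indexed by user. The group map, the ACL entries and all function names are constructed for illustration; in practice both inputs would come from a directory export and a file-system walk.

```python
from collections import defaultdict

# Constructed sample data: group -> direct members (users or other groups).
GROUPS = {
    "CORP\\AllStaff": ["CORP\\Finance", "CORP\\alice"],
    "CORP\\Finance": ["CORP\\fred", "CORP\\AllStaff"],  # deliberate nesting cycle
}
# Constructed ACL entries: (path, trustee, rights, ace_type).
ACES = [
    ("C:\\Data", "CORP\\AllStaff", "Read", "Allow"),
    ("C:\\Data\\Payroll", "CORP\\Finance", "Modify", "Allow"),
    ("C:\\Data\\Payroll", "CORP\\alice", "Write", "Deny"),
    ("C:\\Data\\Notes.txt", "CORP\\fred", "FullControl", "Allow"),
]

def expand(trustee, groups, seen=frozenset()):
    """Return (user, via) pairs for a trustee; via is the chain of groups walked."""
    if trustee not in groups:      # not a known group: treat it as a user
        return [(trustee, ())]
    if trustee in seen:            # group already on this chain: stop the cycle
        return []
    found = []
    for member in groups[trustee]:
        for user, via in expand(member, groups, seen | {trustee}):
            found.append((user, (trustee,) + via))
    return found

def audit(aces, groups):
    """Resource-first pass: one visit per ACL entry, results indexed by user."""
    report = defaultdict(list)
    for path, trustee, rights, ace_type in aces:
        for user, via in expand(trustee, groups):
            report[user].append((path, rights, ace_type, " > ".join(via) or "direct"))
    return dict(report)

def direct_only(aces, user):
    """Entries naming the user directly, i.e. what is seen if groups are ignored."""
    return [(path, rights, ace_type)
            for path, trustee, rights, ace_type in aces if trustee == user]

if __name__ == "__main__":
    for user, entries in sorted(audit(ACES, GROUPS).items()):
        for path, rights, ace_type, via in entries:
            print(f"{user:12} {ace_type:5} {rights:12} {path:20} via {via}")
```

The report lists every ACL entry that applies to a user and how it was reached; it does not compute effective rights from the Allow and Deny entries.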


