Re: generate a detailed list of account permissions

From: Tom Celica (Tom_at_DontReply.net)
Date: 03/30/05


Date: Wed, 30 Mar 2005 17:01:28 GMT

Microsoft's Approach to granted privileges seems very Re-Active. We don't
have sufficient tools to enumerate broad privileges assigned to accounts.
We can check if an account has permissions on a single specific object but
not a variety of objects at once.

How do we Pro-Actively determine privileges assigned to accounts? We need
to wait until something bad happens then look through logs to determine what
happened, and who did it, before we can discover that excessive privileges
have been assigned to various accounts.

-Tom

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uaYFIbTNFHA.2748@TK2MSFTNGP09.phx.gbl...
> That is frankly like looking for a needle in a haystack.
> You need to narrow things down. What are you looking
> for? Use of the account to grant permissions on C:\ ?
> in registry ? on Com components ? for user rights ?
> etc..
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Tom Celica" <Tom@DontReply.net> wrote in message
> news:Axf2e.4341$FN4.267@newssvr21.news.prodigy.com...
>> How can we generate a detailed list of the permissions directly assigned to,
>> and inherited to an individual account?
>>
>> Hello, we have an application we received from one of our partner companies.
>> It assigned some selective permissions to a particular account. It was
>> supposed to provide a log of the permissions it assigned but we cannot
>> locate that log file.
>>
>> I have tried lots of methods without success yet. Is there a Microsoft
>> tool? or can someone recommend a third party tool?
>> Thanks
>> -Tom
>>
>>
>
>
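
An added example, not part of the original thread: one way to audit, ahead of any incident, which file-system and registry objects carry an access control entry naming a given account, and whether each entry is directly assigned or inherited. It assumes PowerShell 5.1 or later on Windows; the function name Get-AccountAce, the account name and the root paths are hypothetical.

```powershell
# Added example: list every NTFS or registry ACE that names one account,
# marking each as directly assigned or inherited.
# Get-AccountAce and the sample account and paths are hypothetical names.
function Get-AccountAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string[]] $Root
    )
    # Resolve the name to a SID once; ACEs are then matched by SID string.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    foreach ($r in $Root) {
        # The root object itself, then everything beneath it.
        $items = @(Get-Item -LiteralPath $r -Force) +
                 @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            try { $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL on $($item.PSPath)"; continue }

            # Explicit and inherited ACEs, with identities returned as SIDs.
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])
            foreach ($ace in $rules) {
                if ($ace.IdentityReference.Value -ne $sid) { continue }
                $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                    $ace.FileSystemRights
                } else {
                    $ace.RegistryRights
                }
                [pscustomobject]@{
                    Path      = $item.PSPath
                    Rights    = $rights
                    Type      = $ace.AccessControlType   # Allow or Deny
                    Inherited = $ace.IsInherited         # $false = directly assigned
                    AppliesTo = $ace.InheritanceFlags
                }
            }
        }
    }
}

# Constructed usage: one folder tree and one registry subtree.
Get-AccountAce -Account 'CONTOSO\svc_partnerapp' -Root 'C:\Apps', 'HKLM:\SOFTWARE\PartnerApp' |
    Sort-Object Inherited, Path |
    Export-Csv -Path .\account-aces.csv -NoTypeInformation
```

This matches only entries that name the account itself; access the account receives through group membership, and the user rights and COM permissions mentioned in the quoted reply, are outside what it reports.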


