Solved

Find unused groups in Active Directory

Posted on 2004-04-15
Last Modified: 2007-12-19
Are there any utilities that search for groups in Active Directory that are unused and don't have any permissions assigned to them?

W2k Server.

Thanks
Question by:wickednz
4 Comments
 
LVL 3

Expert Comment

by:following
ID: 10841735
Here is a link to an excellent post about searching AD for groups that have no members:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=uWSeykPNDHA.2408%40TK2MSFTNGP10.phx.gbl&rnum=2

Although this looks like a good place to start for you, be sure to note the limitations that are described.

Hope this helps,
-jdm
0
 
LVL 3

Expert Comment

by:following
ID: 10841793
This one may be of interest to you as well:

http://www.rlmueller.net/Document%20Domain%20Groups.htm

jdm
0
 

Author Comment

by:wickednz
ID: 10854703
Thanks - those scripts could be useful but I'm more after something that can find out if a group is used anywhere on a server - e.g. having directory rights.
0
 
LVL 3

Accepted Solution

by:following earned 250 total points
ID: 10859852
Aha, I'm sorry that I misunderstood the question.  In that case, the simplest way I know of to find out if a group is used anywhere on a server:

 - Run Somarsoft's freeware DumpSec utility (formerly DumpACL) on the server
 - Use the utility's built-in search capabilities to search for instances of the groups in question
 - If you find an instance of a group listed, you will be able to see on which files/folders it is being used

DumpSec (freely downloadable from http://www.systemtools.com/somarsoft) may be used to dump the permissions for the file system, printers, registry, and shares.  If you need to dump the permissions on Active Directory objects, use DSACLS from the Windows 2000 Support Tools (on the server CD).  Redirect its output to a text file and use an editor such as Notepad to search for the groups in question.

Hope this helps,
-jdm
0
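The "dump to a text file, then search for the groups" step from the accepted answer can be scripted when there are many groups to check. The following is an added example, not part of the original thread or of DumpSec/DSACLS; the dump layout, the `CORP` domain and the group names are constructed assumptions. It separates whole-name matches from substring-only matches, because a group name can be a prefix of another group's name.

```python
import re

# Constructed sample in the style of a permissions dump saved to a text file.
# The column layout is an assumption; real DumpSec/DSACLS output may differ.
SAMPLE_DUMP = r"""
Path: D:\Shares\Finance
Allow CORP\Finance Users        READ
Allow CORP\Finance Users Admin  FULL CONTROL
Allow BUILTIN\Administrators    FULL CONTROL
Path: D:\Shares\HR
Allow CORP\hr-staff             CHANGE
"""

# A name counts as a whole match only if a column gap, tab, punctuation or
# end of line follows it; group names may contain single spaces.
_NAME_END = re.compile(r"\s*$|\t| {2,}|[,:;]")

def find_group_references(dump_text, groups):
    """Return {group: {"exact": [line_no...], "ambiguous": [line_no...]}}."""
    hits = {g: {"exact": [], "ambiguous": []} for g in groups}
    for line_no, line in enumerate(dump_text.splitlines(), 1):
        lowered = line.lower()  # Windows account names are case-insensitive
        for group in groups:
            start = lowered.find(group.lower())
            if start < 0:
                continue
            preceded_by_name_char = start > 0 and lowered[start - 1].isalnum()
            whole = (not preceded_by_name_char
                     and _NAME_END.match(lowered, start + len(group)))
            hits[group]["exact" if whole else "ambiguous"].append(line_no)
    return hits

def triage(dump_text, groups):
    """Classify each group: 'in_use', 'review' (substring hit only) or 'no_reference'."""
    status = {}
    for group, found in find_group_references(dump_text, groups).items():
        if found["exact"]:
            status[group] = "in_use"
        elif found["ambiguous"]:
            status[group] = "review"
        else:
            status[group] = "no_reference"
    return status

if __name__ == "__main__":
    candidates = [r"CORP\Finance Users", r"CORP\HR-Staff", r"CORP\Sales", r"CORP\Finance"]
    for name, state in triage(SAMPLE_DUMP, candidates).items():
        print(f"{state:13} {name}")
```

A `no_reference` result only covers the dump files that were searched; a group may still hold permissions on another server or on object types that were not dumped.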

Question has a verified solution.
