• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 888
  • Last Modified:

How to discover where security groups are applied

How do I determine what folders a security group is applied to?  I know the group, I know the members of the group, but I don't know where the group is applied.

I have a 2003 active directory network.
2 Solutions
This is a common question with a not-so-simple answer.  Because Active Directory uses Discretionary Access Control Lists, a security group can be put into use to secure any resource anywhere on your network, including within AD as well as resources on a file server.

You can view permissions within Active Directory using the dsrevoke.exe command-line tool (free download, Google for the most current link), or cacls.exe to view permissions that have been assigned to one or more file systems (cacls is also a free download.)

If you have a lot of servers and/or a somewhat forgiving userbase, the simplest way to determine where a security group is in use is to convert it to a distribution group and then sit back and see who complains that they can't access XYZ resource anymore.
Yup, unfortunately you'll either have to go through each and every resource manually, or use some 3rd party resource audit/inventory tool. There are some free ones also, try WinAudit: http://www.pxserver.com/WinAudit.htm

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now