How to discover where security groups are applied

Posted on 2007-10-16
Last Modified: 2013-12-04
How do I determine what folders a security group is applied to?  I know the group, I know the members of the group, but I don't know where the group is applied.

I have a 2003 active directory network.
Question by:NFCC
    LVL 30

    Accepted Solution

    This is a common question with a not-so-simple answer.  Because Active Directory uses Discretionary Access Control Lists, a security group can be put into use to secure any resource anywhere on your network, including within AD as well as resources on a file server.

    You can view permissions within Active Directory using the dsrevoke.exe command-line tool (free download, Google for the most current link), or cacls.exe to view permissions that have been assigned to one or more file systems (cacls is also a free download.)

    If you have a lot of servers and/or a somewhat forgiving userbase, the simplest way to determine where a security group is in use is to convert it to a distribution group and then sit back and see who complains that they can't access XYZ resource anymore.
    LVL 19

    Assisted Solution

    Yup, unfortunately you'll either have to go through each and every resource manually, or use some 3rd party resource audit/inventory tool. There are some free ones also, try WinAudit:

    Featured Post

    What Should I Do With This Threat Intelligence?

    Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

    Join & Write a Comment

    Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
    I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    732 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now