Need to list out all accounts that have permissions to a folder

Posted on 2009-02-23
Last Modified: 2012-05-06
I have some folders with many groups and accounts in their permission lists. I need to dump all the user accounts to an Excel file. Can this be done with dsquery? If so, how?

Question by:rdefino
    LVL 35

    Expert Comment

    by:Joseph Daly
    I'm assuming that when you say a folder you mean an OU in Active Directory?

    This cannot be done with dsquery; you will need to run dsrevoke on the folder.


    Author Comment

    It's just a folder in a directory structure that has certain permissions assigned to it.
    LVL 7

    Expert Comment

    Use the command:

    cacls c:\windows

    (or whatever your path is).
    LVL 35

    Accepted Solution

    The dsrevoke syntax is as follows

    Using Dsrevoke
    Dsrevoke.exe has the following syntax:

    dsrevoke /report|/remove [/domain:domainname] [/username:username] [/password:password|*] [/root:domain/OU] securityprincipal

    Descriptions for each option are as follows:

    /report: Reports the explicit ACEs that are currently set for the specified security principal on OU objects in the specified domain or an OU subtree. By default, the command dsrevoke /report starts at the domain root and searches every OU below that root for explicit ACEs that are granted to the specified security principal. If you are sure that the permissions for a security group are set only on or below a specific OU, you can specify the scope of the search by using the /OU switch to make the search more efficient.

    /remove: Reports all explicit ACEs and then, after prompting for confirmation, removes the ACEs that are currently set for the security principal, including all inherited ACEs.

    /domain: The DNS or NetBIOS name of the domain in which the permissions are to be removed. This value must be specified only when the ACEs that you want to remove are set on OUs in a domain other than the domain of the logged-on user.

    /username: The user name of the user who is using the tool. This value is required when:

    The user is not logged on as an administrator.

    ACEs are being removed in a domain other than the domain of the logged-on user.

    /password: The password of the tool user. If the command is entered with an asterisk (*) in place of a password, the tool prompts the user for a password.

    /root: The OU or domain root at which to start the search for ACEs. If no value is specified, the search begins at the root of the specified domain. If no domain is specified, the search begins at the root of the domain of the logged-on user. When specifying a root domain or OU, you must use the distinguished name (for example, /root:OU=BusUnits,DC=DomainA,DC=com). If spaces occur in any part of the distinguished name, enclose the entire option in quotation marks (for example, "/root:OU=Product Development,OU=Delegation,OU=Business Units,DC=DomainA,DC=com").

    securityprincipal: The identity of the user or group in the form DomainName\UserName or DomainName\GroupName. Use the DNS name or NetBIOS name of the domain.
    LVL 35

    Expert Comment

    by:Joseph Daly
    Disregard my comments; crokeefe has it.
    LVL 7

    Expert Comment


    cacls c:\windows >c:\testing.xls

    Author Comment

    That worked to the point of giving me the security groups that have permissions to the folder. How would I modify that syntax to list all of the users within all of the security groups?

    LVL 7

    Assisted Solution

    Without downloading something like Hyena or any other tools, it is pretty difficult to pipe the format into something like dsquery or dsget to perform the query that you are looking for.  Attached is a script that I found a while ago, and I do not know who to give props to, but it is pretty awesome.  It basically goes to AD and lists all groups with descriptions and members into an HTML doc where you launched the program from.  Just copy the code into notepad and name it whatever you like with the VBS extension.  

    As for doing it in a command line... the closest that you will get will probably be something like the following:

    dsquery group -name NameOfYourGroup | dsget group -members | dsget user -samid > c:\whatever.txt

    This will pipe the group name to get the members and list them by the sAMAccountName. You can use this in combination with the CACLS command, but I could not figure out how to pipe the information to the above command. Your choice, but there it is. Sorry it took so long to get back to you.

    ' VBScript program to document all groups in Active Directory.
    ' Outputs group name, type of group, all members, and types of member.
    ' Lists all groups that are members, but does not list the nested group
    ' membership.
    Option Explicit
    Dim objConnection, objCommand, objRootDSE, strDNSDomain, strQuery
    Dim objRecordSet, strDN, objGroup
    Dim FileSystem, oFile
    ' Open Text File for Output
    Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
    Set oFile = FileSystem.CreateTextFile("GroupMembershipNew.html", True)
    oFile.WriteLine "<HTML><HEAD><TITLE>Group Membership for</TITLE></HEAD><BODY>"
    oFile.WriteLine "<h4><TABLE width=100% border=0 padding=0 cellspacing=0 valign=top>"
    ' Use ADO to search Active Directory.
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    ' Determine the DNS domain from the RootDSE object.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    ' Search for all groups, return the Distinguished Name of each.
    strQuery = "<LDAP://" & strDNSDomain _
        & ">;(objectClass=group);distinguishedName;subtree"
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
        WScript.Echo "No groups found"
        oFile.Close
        Set objRootDSE = Nothing
        Set objConnection = Nothing
        Set objCommand = Nothing
        Set objRecordSet = Nothing
        ' Nothing to enumerate, so stop here instead of entering the loop.
        WScript.Quit
    End If
    ' ADSI raises an error when an attribute (e.g. description) is not set on
    ' the object; skip past those so one empty attribute does not abort the run.
    On Error Resume Next
    ' Enumerate all groups, bind to each, and document group members.
    Do Until objRecordSet.EOF
        strDN = objRecordSet.Fields("distinguishedName").Value
        Set objGroup = GetObject("LDAP://" & strDN)
        ' OUTPUT
        oFile.WriteLine "<TR>"
        oFile.WriteLine "<TD width=20% valign=top bgcolor=black><font color=white><strong><u>" & "Group Name:" & _
            "</u></strong></font></TD><TD width=80% valign=top><strong>" & _
            objGroup.SAMaccountName & "</strong></TD>"
        oFile.WriteLine "</TR><TR>"
        oFile.WriteLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Distinguished Name:" & _
            "</u></strong></font></TD><TD valign=top><strong>" & _
            objGroup.distinguishedName & "</strong></TD>"
        oFile.WriteLine "</TR><TR>"
        oFile.WriteLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Description:" & _
            "</u></strong></font></TD><TD valign=top><strong>" & _
            objGroup.description & "</strong></TD>"
        oFile.WriteLine "</TR><TR>"
        oFile.WriteLine "<TD valign=top bgcolor=black><font color=white><strong><u>" & "Type:" & "</u></strong></font></TD><TD valign=top><strong>" & GetType(objGroup.groupType) & "</strong></TD>"
        oFile.WriteLine "</TR>"
        oFile.WriteLine "<TR><TD valign=top bgcolor=black><font color=white><strong><u>Members:</u></strong></font></TD><TD align=left valign=top>"
        oFile.WriteLine "<TABLE width=70% border=0 cellspacing=0 cellpadding=0>"
        oFile.WriteLine "<Tr>"
        oFile.WriteLine " <TD valign=top><strong><u> Name </u></strong></TD>"
        oFile.WriteLine " <TD valign=top><strong><u> Account </u></strong></TD>"
        oFile.WriteLine " <TD valign=top><strong><u> Type </u></strong></TD>"
        oFile.WriteLine "</Tr>"
        Call GetMembers(objGroup)
        oFile.WriteLine "</TABLE>"
        oFile.WriteLine "</TD></TR>"
        oFile.WriteLine "<TR><TD COLSPAN=2><hr width=90%></TD></TR>"
        ' Advance to the next group in the result set.
        objRecordSet.MoveNext
    Loop
    oFile.WriteLine "</TABLE></BODY></HTML>"
    oFile.Close
    MsgBox "Done !!!"
    ' Clean up.
    Set objRootDSE = Nothing
    Set objGroup = Nothing
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing

    Function GetType(intType)
        ' Function to determine group type from the GroupType attribute.
        If (intType And &h01) <> 0 Then
            GetType = "Built-in"
        ElseIf (intType And &h02) <> 0 Then
            GetType = "Global"
        ElseIf (intType And &h04) <> 0 Then
            GetType = "Local"
        ElseIf (intType And &h08) <> 0 Then
            GetType = "Universal"
        End If
        ' The high bit (&h80000000) marks a security group; otherwise it is a distribution group.
        If (intType And &h80000000) <> 0 Then
            GetType = GetType & "/Security"
        Else
            GetType = GetType & "/Distribution"
        End If
    End Function

    Sub GetMembers(objADObject)
        ' Subroutine to document group membership.
        ' Members can be users or groups.
        Dim objMember, strType
        On Error Resume Next
        For Each objMember In objADObject.Members
            If UCase(Left(objMember.objectCategory, 8)) = "CN=GROUP" Then
                strType = "Group"
            Else
                strType = "User"
            End If
            ' OUTPUT
            oFile.WriteLine "<TR>"
            oFile.WriteLine "<TD valign=top>" & objMember.displayName & _
                "</TD><TD valign=top>" & objMember.SAMaccountName & _
                "</TD><TD valign=top>" & strType & "</TD>"
            oFile.WriteLine "</TR>"
            ' WScript.Echo " Member: " & objMember.sAMAccountName & " (" & strType & ")"
        Next
        Set objMember = Nothing
    End Sub
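The piece the answer above could not wire together (folder ACL in, flattened user list out) in PowerShell, added here as an example and not code from the thread or from any of the answerers: it reads the folder's ACL with Get-Acl, resolves each DOMAIN\Name entry in AD, and expands groups with Get-ADGroupMember -Recursive so nested groups are covered. It assumes the RSAT ActiveDirectory module is installed; $Path, $OutFile and New-Row are names chosen for this example.

```powershell
# Added example, not code from the thread: who ends up with access to a folder?
# Reads the folder's ACL, resolves each DOMAIN\Name entry in AD, and flattens
# group membership (nested groups included) with Get-ADGroupMember -Recursive.
# Assumes the RSAT ActiveDirectory module; $Path, $OutFile and New-Row are
# names chosen for this example.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$OutFile = ".\folder-access.csv"
)
Import-Module ActiveDirectory

function New-Row($Principal, $ViaGroup, $Ace, $Note) {
    [pscustomobject]@{
        Principal = $Principal
        ViaGroup  = $ViaGroup
        Rights    = $Ace.FileSystemRights.ToString()
        Type      = $Ace.AccessControlType.ToString()   # Allow or Deny
        Inherited = $Ace.IsInherited
        Note      = $Note
    }
}

$rows = foreach ($ace in (Get-Acl -Path $Path).Access) {
    $id  = $ace.IdentityReference.Value      # e.g. CORP\FileShare-RW or BUILTIN\Users
    $sam = ($id -split '\\')[-1]             # sAMAccountName without the domain prefix
    $safe = $sam.Replace("'", "''")          # quote-safe value for the LDAP filter string
    # Local and well-known identities (BUILTIN, NT AUTHORITY, Everyone) and
    # unresolved SIDs are not AD objects; report them as-is.
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$safe'" -ErrorAction SilentlyContinue
    if (-not $obj) {
        New-Row $id '' $ace 'not a domain principal'
    }
    elseif ($obj.ObjectClass -eq 'group') {
        # -Recursive walks nested groups; keep only user objects, once each
        Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Sort-Object -Property SamAccountName -Unique |
            ForEach-Object { New-Row $_.SamAccountName $sam $ace '' }
    }
    else {
        New-Row $sam '' $ace 'direct ACE'
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation   # CSV opens directly in Excel
$rows | Format-Table -AutoSize
```

Each row is one ACE, so a Deny entry shows up as its own row next to any Allow rows for the same user; the script lists who holds an entry and does not compute effective permissions.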
