Solved

Active Directory Security Group audit

Posted on 2009-04-13
3
339 Views
Last Modified: 2013-12-05
If possible, I would like to run a script or util that would generate a report of what AD Security Groups have access to, etc, etc

We want to consolidate security groups in a 2000 domain but have no idea what each of these Groups is for, what access permissions, and any other info that might be helpful in Doc'ing these AD Security Groups.

MattP
0
Comment
Question by:mmperry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24132303
I am afraid that is not  possible since the permissions you are talking about are given per resource and each resource is responsible to maintain its own permission.

Active Directory just handles the authentication part
0
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 24135135
Unless your AD Admin has always update the group with description and info indicating what the group is for, otherwise, you would need to find out from all your servers(apps/file/print/web/etc) and see if the AD security groups were used. Most likely some digging will be needed.

You can download ShareEnum utility utility to find out all the shares you have in your domains within a few minutes. Download it from here: http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
knowing the shares in all your machines would be a good start as it will show you what security groups or users would have granted access etc.

You can use a free tool "SubInACL" from Microsoft:
http://www.microsoft.com/DownLoads/details.aspx?familyid=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
This tool shows you the accesses the user or group you specify has to files, Registry keys or Windows services

or if you want to spend some $ on another product specifically for file server from ScriptLogic:
http://www.scriptlogic.com/products/security-explorer/

Or if you have the more $ to spend, you can get the ESR from ScriptLogic:
http://www.scriptlogic.com/products/enterprisesecurityreporter/
This product is more than just for file/folder permission, it is also to report Active Directory object status etc.
0
 

Author Closing Comment

by:mmperry
ID: 31569604
Thanks
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question