Active Directory Security Group audit

If possible, I would like to run a script or util that would generate a report of what AD Security Groups have access to, etc, etc

We want to consolidate security groups in a 2000 domain but have no idea what each of these Groups is for, what access permissions, and any other info that might be helpful in Doc'ing these AD Security Groups.

MattP
mmperryAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
AmericomConnect With a Mentor Commented:
Unless your AD Admin has always update the group with description and info indicating what the group is for, otherwise, you would need to find out from all your servers(apps/file/print/web/etc) and see if the AD security groups were used. Most likely some digging will be needed.

You can download ShareEnum utility utility to find out all the shares you have in your domains within a few minutes. Download it from here: http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
knowing the shares in all your machines would be a good start as it will show you what security groups or users would have granted access etc.

You can use a free tool "SubInACL" from Microsoft:
http://www.microsoft.com/DownLoads/details.aspx?familyid=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
This tool shows you the accesses the user or group you specify has to files, Registry keys or Windows services

or if you want to spend some $ on another product specifically for file server from ScriptLogic:
http://www.scriptlogic.com/products/security-explorer/

Or if you have the more $ to spend, you can get the ESR from ScriptLogic:
http://www.scriptlogic.com/products/enterprisesecurityreporter/
This product is more than just for file/folder permission, it is also to report Active Directory object status etc.
0
 
AkhaterCommented:
I am afraid that is not  possible since the permissions you are talking about are given per resource and each resource is responsible to maintain its own permission.

Active Directory just handles the authentication part
0
 
mmperryAuthor Commented:
Thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.