Solved

Active Directory Security Group audit

Posted on 2009-04-13
3
338 Views
Last Modified: 2013-12-05
If possible, I would like to run a script or util that would generate a report of what AD Security Groups have access to, etc, etc

We want to consolidate security groups in a 2000 domain but have no idea what each of these Groups is for, what access permissions, and any other info that might be helpful in Doc'ing these AD Security Groups.

MattP
0
Comment
Question by:mmperry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24132303
I am afraid that is not  possible since the permissions you are talking about are given per resource and each resource is responsible to maintain its own permission.

Active Directory just handles the authentication part
0
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 24135135
Unless your AD Admin has always update the group with description and info indicating what the group is for, otherwise, you would need to find out from all your servers(apps/file/print/web/etc) and see if the AD security groups were used. Most likely some digging will be needed.

You can download ShareEnum utility utility to find out all the shares you have in your domains within a few minutes. Download it from here: http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
knowing the shares in all your machines would be a good start as it will show you what security groups or users would have granted access etc.

You can use a free tool "SubInACL" from Microsoft:
http://www.microsoft.com/DownLoads/details.aspx?familyid=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
This tool shows you the accesses the user or group you specify has to files, Registry keys or Windows services

or if you want to spend some $ on another product specifically for file server from ScriptLogic:
http://www.scriptlogic.com/products/security-explorer/

Or if you have the more $ to spend, you can get the ESR from ScriptLogic:
http://www.scriptlogic.com/products/enterprisesecurityreporter/
This product is more than just for file/folder permission, it is also to report Active Directory object status etc.
0
 

Author Closing Comment

by:mmperry
ID: 31569604
Thanks
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
List of Active Users in AD 5 60
DESKTOP MONITORING 41 64
DNS Record Manupluation 11 40
Active Directory Replication 1 18
This article runs through the process of deploying a single EXE application selectively to a group of user.
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question