Solved

Report All Share Permissions by User in Windows 2008 AD

Posted on 2010-11-29
Last Modified: 2012-08-13
We have a Microsoft Windows 2008 R2 file server in a Windows 2008 domain.

We serve a large population and occasionally I am asked "what does Joe User have access to?"

Rather than look at 10,000 folders to figure this out, I'd like a tool to look at 1 server and produce a report of all folders that Joe User can access.

Since file access is based on group membership, the tool would need to query effective permissions -- not just Joe User's account but every group that Joe User belongs to.

Any advice?
0
Question by:RPPreacher
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34230438
A few tools that you can try out

dumpsec http://www.systemtools.com/somarsoft/index.html

accessenum  http://www.systemtools.com/somarsoft/index.html and shareenum  http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx

...but I don't think they will give you exactly what you want (i.e. enter name of user and enumerate only what they have access to in the structure).

I'll let you know if I find something else but try those out.

Thanks

Mike
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34230470

It'll be quite hard work for whatever is doing it. It boils down to this:

1. Get the user and all groups the user belongs to
2. Enumerate every Access Control List to see if that user, or any of the groups, is listed

It's not a tremendous amount of work to code something like that, but it is quite a lot of work for whatever is running it. Both in terms of searching a directory tree, and enumerating each ACL.

Chris
0
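The two steps described in the comment above, as an added PowerShell example that is not part of the original thread or written by any of its participants. It assumes PowerShell 3.0 or later, run on the file server itself by an account that can read the folder ACLs; the parameter names and sample values are constructed. It lists the NTFS ACEs that name the user or one of their groups and does not evaluate share-level permissions or resolve Allow against Deny.

```powershell
# Added example. Parameter names and the sample values in comments are constructed.
param(
    [Parameter(Mandatory = $true)][string]$UserPrincipalName,  # e.g. joe.user@example.local
    [Parameter(Mandatory = $true)][string]$Root,               # e.g. D:\Shares
    [string]$OutFile = '.\access-report.csv'
)

# Step 1: the user's SID plus every group SID in their logon token, nested
# groups included. WindowsIdentity(upn) builds the token without a password.
$identity  = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
$ntAccount = [System.Security.Principal.NTAccount]
$sids = @{}
foreach ($sid in @($identity.User) + @($identity.Groups)) {
    $name = $sid.Value
    try { $name = $sid.Translate($ntAccount).Value } catch { }  # keep the raw SID if unresolvable
    $sids[$sid.Value] = $name
}

# Step 2: walk the tree and compare every ACE's trustee against that SID set.
$sidType = [System.Security.Principal.SecurityIdentifier]
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # Record folders whose ACL could not be read instead of dropping them.
        [pscustomobject]@{ Path = $folder.FullName; Type = 'UNREADABLE'; Rights = ''; Via = ''; Inherited = '' }
        continue
    }
    # Request trustees as SIDs so matching needs no per-ACE name lookups.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $trustee = $ace.IdentityReference.Value
        if ($sids.ContainsKey($trustee)) {
            [pscustomobject]@{
                Path      = $folder.FullName
                Type      = $ace.AccessControlType   # Allow or Deny
                Rights    = $ace.FileSystemRights
                Via       = $sids[$trustee]          # the user or the group that matched
                Inherited = $ace.IsInherited
            }
        }
    }
}
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

Filtering the CSV on `Inherited` equal to `False` shows the folders where access was granted explicitly, which keeps the report readable on a large tree.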
 
LVL 20

Accepted Solution

by:
RPPreacher earned 0 total points
ID: 34337327
Still looking for a solution.
0
 
LVL 20

Author Closing Comment

by:RPPreacher
ID: 34690186
No useful answers.
0
