audit file server for individual permissions

Experts,

I have a 2003 Windows file server with about 4TB of production data.  The access department would like to find out whether there is a way to do a search of all files and folders on this server for any files or folders with NTFS permissions assigned to individuals rather than security groups.  In order to meet the security guidelines, all network share NTFS permissions have to be assigned to security groups, but a few shares were discovered today where individuals accounts have been assigned permissions to certain folders.  I'm looking for a reporting tool, which will show us if there are shares that have NTFS permissions assigned to individuals rather than security groups.  Any ideas?

Example of security-compliant folder:
Folder A: System, Administrators, SecurityGroupA
Folder B: System, Administrators, SecurityGroupB

Example of non-compliant folder:
Folder A: System, Administrators, John Smith, SecurityGroupA
Folder B: System, Jolie Smith, Administrators, SecurityGroupB
LVL 2
taki1gostekAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
btanConnect With a Mentor Exec ConsultantCommented:
Sysinternal has a couple of tool that can do the ACL check
a) AccessChk - If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor. In this case, probably has to script it with the interested security  group - understand not as ideal and automated

@ http://technet.microsoft.com/en-us/sysinternals/bb664922

b) AccessEnum or ShareEnum - both GUI based listing not customisable though  
@ http://technet.microsoft.com/en-us/sysinternals/bb897332
@ http://technet.microsoft.com/en-us/sysinternals/bb897442

Actually there is DumpSec from SomarSec, that is designed to dump security settings into a file or on a screen
@ http://www.systemtools.com/somarsoft/?somarsoft.com

Hyena's Disk and File Administration
@ http://www.systemtools.com/hyena/index.html
image @ http://www.systemtools.com/images/shareview.gif

May not have a straight of the self product....
0
 
BtechBCommented:
This might help. I haven't tried it but it look like it does the trick. I have been needing this myself and found this recently.

http://gallery.technet.microsoft.com/scriptcenter/405a12f6-fb57-4078-92fc-ff495f3e98be
0
 
taki1gostekAuthor Commented:
thanks -- but that's not what i'm looking for (I think)... I need to be able to tell it to skip security groups, skip a few users like builtin\administrator, system, etc..  and just show me files & folders with permissions assigned to individual accounts...  actually skipping security groups would probably be enough, but then again if you have to sift through 4 terabytes of data...  
0
 
BtechBConnect With a Mentor Commented:
Take a look at Powershell and Get-ACL command. It will take a little work but with the correct input and output formatting I bet you will get what you want. Here are two useful links.

http://technet.microsoft.com/en-us/library/ee176838.aspx

This thread shows how to do subfolders. It looks like you will need a prepared list.
http://www.scriptinganswers.com/forum2/forum_posts.asp?TID=3128

Sorry this is not a detailed answer but maybe it will put us both on the right track.
0
 
taki1gostekAuthor Commented:
Hyena will visually give me what I'm looking for... Thanks guys!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.