Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

audit file server for individual permissions

Posted on 2011-02-11
5
Medium Priority
?
1,258 Views
Last Modified: 2012-05-11
Experts,

I have a 2003 Windows file server with about 4TB of production data.  The access department would like to find out whether there is a way to do a search of all files and folders on this server for any files or folders with NTFS permissions assigned to individuals rather than security groups.  In order to meet the security guidelines, all network share NTFS permissions have to be assigned to security groups, but a few shares were discovered today where individuals accounts have been assigned permissions to certain folders.  I'm looking for a reporting tool, which will show us if there are shares that have NTFS permissions assigned to individuals rather than security groups.  Any ideas?

Example of security-compliant folder:
Folder A: System, Administrators, SecurityGroupA
Folder B: System, Administrators, SecurityGroupB

Example of non-compliant folder:
Folder A: System, Administrators, John Smith, SecurityGroupA
Folder B: System, Jolie Smith, Administrators, SecurityGroupB
0
Comment
Question by:taki1gostek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 3

Expert Comment

by:BtechB
ID: 34874062
This might help. I haven't tried it but it look like it does the trick. I have been needing this myself and found this recently.

http://gallery.technet.microsoft.com/scriptcenter/405a12f6-fb57-4078-92fc-ff495f3e98be
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 34874160
thanks -- but that's not what i'm looking for (I think)... I need to be able to tell it to skip security groups, skip a few users like builtin\administrator, system, etc..  and just show me files & folders with permissions assigned to individual accounts...  actually skipping security groups would probably be enough, but then again if you have to sift through 4 terabytes of data...  
0
 
LVL 3

Assisted Solution

by:BtechB
BtechB earned 1000 total points
ID: 34874564
Take a look at Powershell and Get-ACL command. It will take a little work but with the correct input and output formatting I bet you will get what you want. Here are two useful links.

http://technet.microsoft.com/en-us/library/ee176838.aspx

This thread shows how to do subfolders. It looks like you will need a prepared list.
http://www.scriptinganswers.com/forum2/forum_posts.asp?TID=3128

Sorry this is not a detailed answer but maybe it will put us both on the right track.
0
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 34877923
Sysinternal has a couple of tool that can do the ACL check
a) AccessChk - If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor. In this case, probably has to script it with the interested security  group - understand not as ideal and automated

@ http://technet.microsoft.com/en-us/sysinternals/bb664922

b) AccessEnum or ShareEnum - both GUI based listing not customisable though  
@ http://technet.microsoft.com/en-us/sysinternals/bb897332
@ http://technet.microsoft.com/en-us/sysinternals/bb897442

Actually there is DumpSec from SomarSec, that is designed to dump security settings into a file or on a screen
@ http://www.systemtools.com/somarsoft/?somarsoft.com

Hyena's Disk and File Administration
@ http://www.systemtools.com/hyena/index.html
image @ http://www.systemtools.com/images/shareview.gif

May not have a straight of the self product....
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 34929055
Hyena will visually give me what I'm looking for... Thanks guys!
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The question appears often enough, how do I transfer my data from my old server to the new server while preserving file shares, share permissions, and NTFS permisions.  Here are my tips for handling such a transfer.
Windows Server 2003 introduced persistent Volume Shadow Copies and made 2003 a must-do upgrade.  Since then, it's been a must-implement feature for all servers doing any kind of file sharing.
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question