Solved

Is there a way to see the permissions granted to a Security Group on folders and files?

Posted on 2011-03-16
Last Modified: 2013-12-04
I have Windows SBS 2007, but I believe this question is poignant for most versions of Windows Server.  In the Active Directory Users and Computers (ADUC), you can set up a Security Group (SG).  You can then go to your file system and apply permissions to a folder or file for the new SG.  Folder permissions can then be inherited by subfolders, etc. as desired.

My question is this:  Can I see all the special (maybe not the inherited) permissions granted to a SG on directories and/or files?  For example, I can go into ADUC and look at a SG and see its members, and conversely I can look at a user and see what SGs they belong to.  Along these same lines I can go to a folder in the file system and see what SGs have permissions on that folder.  BUT... can I conversely start at a SG and see what folders/files they can see (at differing levels of control, of course, i.e., Full Control or Read Only, etc.)?  I don't seem to be able to find a native way to get this information.

This is useful for a variety of reasons.  For example, if you have a SG and want to add a new member, but you're not sure if that new member should really see EVERYTHING that the current members can see, so you want to be able to review what that SG can see first before adding a new member to the SG.  Another example is when you are restructuring your file system (folders, etc.) and you want to be sure you know what all the SGs can see so you don't change the access permissions and mess up someone's day.

I think I see that there are third party tools to do this (e.g., AccessEnum), but I have not tried any.  It seems to me this is an obviously necessary piece to managing ADUC and security.  Is it possible to see a summary of a SG's (or person's, for that matter) access to directories and files with the tools that MS provides as part of ADUC or Windows Server??
Question by:EcoAnalysts
5 Comments
 
LVL 39

Accepted Solution

by:
Adam Brown earned 50 total points
ID: 35149690
It's not easily possible with the tools that MS has with Windows. In great part this is due to the way security is written to files and folders. Security is written as an SID to objects. There is a myriad of objects to which permission is written. AD doesn't keep track of which SIDs are added to which objects (and realistically couldn't without a great deal of overhead, which is why third party utilities are necessary). It's also important to remember that there can be hundreds of thousands of objects to which a user is assigned access. Just reporting on that data is a massive task. It could be possible to create a script that can report on this information; it would take a very long time to run as it would need to read every object on the system.
0
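The kind of script the accepted answer describes, as an added PowerShell example (not code from this thread or from Microsoft): it resolves a group name to its SID, walks a folder tree, and reports only the explicit (non-inherited) ACEs written for that SID. `$Root`, `$Group` and the function name `Get-ExplicitGroupAce` are placeholders chosen for illustration.

```powershell
# Added example: list explicit (non-inherited) NTFS ACEs for one group under a root.
# $Root and $Group are placeholder values; run as an account that can read the ACLs.
param(
    [string]$Root  = 'D:\Shares',           # hypothetical share root
    [string]$Group = 'CONTOSO\Accounting'   # hypothetical security group
)

# ACLs store SIDs, not names, so resolve the group to its SID once and compare SIDs.
$account  = New-Object System.Security.Principal.NTAccount($Group)
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

function Get-ExplicitGroupAce {
    param(
        [string]$Path,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Unreadable ACLs are reported, not silently skipped, so gaps are visible.
        Write-Warning "Cannot read ACL: $Path ($($_.Exception.Message))"
        return
    }
    # includeExplicit = $true, includeInherited = $false, identities returned as SIDs
    $rules = $acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $Sid.Value) {
            [pscustomobject]@{
                Path      = $Path
                Type      = $rule.AccessControlType      # Allow or Deny
                Rights    = $rule.FileSystemRights
                AppliesTo = "$($rule.InheritanceFlags) / $($rule.PropagationFlags)"
            }
        }
    }
}

# Check the root itself, then every file and folder beneath it.
Get-ExplicitGroupAce -Path $Root -Sid $groupSid
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ExplicitGroupAce -Path $_.FullName -Sid $groupSid }
```

The output lists ACEs written directly for the group, so access the group gains through membership in other groups does not appear. As the answer notes, the script has to read every object under the root, so a large volume takes a long time.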
 
LVL 4

Expert Comment

by:bigstyler
ID: 35149799
Hi, you can use this free tool to audit the existing permissions: http://technet.microsoft.com/en-us/sysinternals/bb897332

Otherwise, when you display the properties of a folder, in the security tab/properties, you can choose to view the "effective permissions" of a file or a folder.

0
 
LVL 9

Assisted Solution

by:djpazza
djpazza earned 50 total points
ID: 35149957
0
 
LVL 16

Expert Comment

by:kshays
ID: 35237648
Another one used to be Ecora Auditor Lite.
http://www.brothersoft.com/ecora-auditor-lite-for-vmware-50025.html

Several are out there, haven't tried the solar winds, didn't see it on the list when I d/l the free ones a few months back.  Gonna grab it now.
0
 

Author Comment

by:EcoAnalysts
ID: 35336457
Solarwinds appeals to me most.  Already knew about AccessEnum.  Might also look at Ecora.  Thanks to all who answered so concisely!

Dividing points between acbrown2010, who definitively informed me that it is NOT possible with MS Windows out-of-box tools, and djpazza, who suggested Solarwinds, which I really like.