EcoAnalysts
asked on
Is there a way to see the permissions granted to a Security Group on folders and files?
I have Windows SBS 2007, but I believe this question is poignant for most versions of Windows Server. In the Active Directory Users and Computers (ADUC), you can set up a Security Group (SG). You can then go to your file system and apply permissions to a folder or file for the new SG. Folder permissions can then be inherited by subfolders, etc. as desired.
My question is this: Can I see all the special (maybe not the inherited) permissions granted to a SG on directories and/or files? For example, I can go into ADUC and look at a SG and see its members, and conversely I can look at a user and see what SGs they belong to. Along these same lines I can go to a folder in the file system and see what SGs have permissions on that folder. BUT... can I conversely start at a SG and see what folders/files they can see (at differing levels of control, of course, i.e., Full Control or Read Only, etc.)? I don't seem to be able to find a native way to get this information.
This is useful for a variety of reasons. For example, if you have a SG and want to add a new member, but you're not sure if that new member should really see EVERYTHING that the current members can see, so you want to be able to review what that SG can see first before adding a new member to the SG. Another example is when you are restructuring your file system (folders, etc.) and you want to be sure you know what all the SGs can see so you don't change the access permissions and mess up someone's day.
I think I see that there are third party tools to do this (e.g., AccessEnum), but I have not tried any. It seems to me this is an obviously necessary piece to managing ADUC and security. Is it possible to see a summary of a SG's (or person's, for that matter) access to directories and files with the tools that MS provides as part of ADUC or Windows Server??
My question is this: Can I see all the special (maybe not the inherited) permissions granted to a SG on directories and/or files? For example, I can go into ADUC and look at a SG and see its members, and conversely I can look at a user and see what SGs they belong to. Along these same lines I can go to a folder in the file system and see what SGs have permissions on that folder. BUT... can I conversely start at a SG and see what folders/files they can see (at differing levels of control, of course, i.e., Full Control or Read Only, etc.)? I don't seem to be able to find a native way to get this information.
This is useful for a variety of reasons. For example, if you have a SG and want to add a new member, but you're not sure if that new member should really see EVERYTHING that the current members can see, so you want to be able to review what that SG can see first before adding a new member to the SG. Another example is when you are restructuring your file system (folders, etc.) and you want to be sure you know what all the SGs can see so you don't change the access permissions and mess up someone's day.
I think I see that there are third party tools to do this (e.g., AccessEnum), but I have not tried any. It seems to me this is an obviously necessary piece to managing ADUC and security. Is it possible to see a summary of a SG's (or person's, for that matter) access to directories and files with the tools that MS provides as part of ADUC or Windows Server??
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Another one used to be Ecora Auditor Lite.
http://www.brothersoft.com/ecora-auditor-lite-for-vmware-50025.html
Several are out there, haven't tried the solar winds, didn't see it on the list when I d/l the free ones a few months back. Gonna grab it now.
http://www.brothersoft.com/ecora-auditor-lite-for-vmware-50025.html
Several are out there, haven't tried the solar winds, didn't see it on the list when I d/l the free ones a few months back. Gonna grab it now.
ASKER
Solarwinds appeals to me most. Already knew about AccessEnum. Might also look at Ecora. Thanks to all who answered so concisely!
Dividing points between acbrown2010, who definitively informed me that it is NOT possible with MS Windows out-of-box tools, and dipazza, who suggested Solarwinds, which I really like.
Dividing points between acbrown2010, who definitively informed me that it is NOT possible with MS Windows out-of-box tools, and dipazza, who suggested Solarwinds, which I really like.
Otherwise, when you display the properties of a folder, in the security tab/properties, you can choose to view the "effective permissions" of a file or a folder.