Solved

Is there a tool to show what group membership is used for a user to access files/folders?

Posted on 2011-03-17
Last Modified: 2013-12-07
I have inherited an AD that has a ton of security groups defined, which makes the overview of what is used to allow who access to what very difficult to get to grips with.

Is it possible to query a tool with a file/folder and a username, and have returned the group membership that is used to give access to the file? Even better would be if the tool showed through which following membership access was granted...

The security groups are sometimes 6-7 memberships deep, and that is not a practicable way of using them to control accessibility... not in my book anyway.


Apologies if my English gets convoluted, I'm not so good at describing technical issues in English.

Best Regards
Panthom
Question by:Panthom
5 Comments
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155429
Use a tool such as cacls.exe or xacls.exe. They are Windows 2000/2003 resource kit tools. If you run these and add /? at the end, you'll be given the syntax to use with the command.

Cacls link - http://technet.microsoft.com/en-us/library/bb490872.aspx
xacls link - http://tech.cuip.net/logins/docs/Xacls-overview.htm#2
0
 
LVL 3

Expert Comment

by:Rdsterling
ID: 35155446
Another tool is SubInACL.exe.
0
 
LVL 12

Expert Comment

by:Navdeep
ID: 35155479
Hi,

You can use the DumpSec tool. This will show you which user/group has access to it.

You can install PowerShell v2 and the Quest AD cmdlets, then you can use
get-acl

and

get-qadmemberof -identity username

This will give you the group membership of the user.
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 2000 total points
ID: 35155776
You will need a third-party utility. The ones mentioned already will give you the security group that has access, but you will then need to enumerate all the sub groups and users to see who has access. The Quest tools will just give you the users in the groups. Take a look at Security Explorer from ScriptLogic, I think this will give you what you are looking for.

http://www.scriptlogic.com/products/security-explorer/
0
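Added example, not part of any post in this thread: one way to do the enumeration described above without a third-party product, by walking the user's nested memberOf chain and matching it by SID against the ACEs that Get-Acl returns for a path. It assumes the ActiveDirectory module and a single domain; the path suffix and the account name jdoe are placeholders. The user's primary group (usually Domain Users), well-known identities such as Everyone, and the file server's local groups are not resolved, and share-level permissions are evaluated separately.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-GroupChain {
    # Walk memberOf upward from the user; returns a table of SID -> membership chain.
    param([string]$SamAccountName)
    $user   = Get-ADUser -Identity $SamAccountName -Properties memberOf
    $chains = @{}
    $chains[$user.SID.Value] = $user.SamAccountName      # ACEs naming the user directly
    $seen   = @{}
    $queue  = New-Object System.Collections.Queue
    foreach ($dn in $user.memberOf) { $queue.Enqueue(@{ Dn = $dn; Path = $user.SamAccountName }) }
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($seen.ContainsKey($item.Dn)) { continue }     # also stops circular nesting
        $seen[$item.Dn] = $true
        $group = Get-ADGroup -Identity $item.Dn -Properties memberOf
        $chain = "$($item.Path) -> $($group.SamAccountName)"
        $chains[$group.SID.Value] = $chain                # breadth-first, so shortest chain wins
        foreach ($parent in $group.memberOf) { $queue.Enqueue(@{ Dn = $parent; Path = $chain }) }
    }
    return $chains
}

function Get-AccessPath {
    # For each ACE on $Path, report the chain that links it to the user (if any).
    param([string]$Path, [string]$SamAccountName)
    $chains = Get-GroupChain $SamAccountName
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                # orphaned or unresolvable identity
        if ($chains.ContainsKey($sid)) {
            New-Object PSObject -Property @{
                Via       = $chains[$sid]
                Type      = $ace.AccessControlType        # Allow or Deny
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder path and account name; substitute your own.
Get-AccessPath -Path '\\server\sharename\folder' -SamAccountName 'jdoe' |
    Select-Object Via, Type, Rights, Inherited | Format-Table -AutoSize
```

Each output row names the ACE's rights and the chain (user -> group -> parent group ...) through which that ACE applies to the user; an empty result means access comes from an identity the walk does not cover.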
 
LVL 1

Expert Comment

by:fswilliams
ID: 35156117
I use the following PowerShell script to enumerate share perms.

Save as some.ps1, then run as some.ps1 \\server\sharename

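# Clear old errors and suppress non-terminating ones.
# Note: folders that cannot be read (e.g. access denied) are skipped silently,
# so the output may be incomplete.
$error.clear()
$erroractionpreference = "SilentlyContinue"

# Print every explicit (non-inherited) ACE on each folder passed in.
function GetExplicits ($folders)
{
   foreach ($i in $folders)
   {
   $acllist = get-acl $i.fullname
   foreach ($x in $acllist.Access)
      {
      If ($x.IsInherited -eq $false)
         {
         Write-Host "$($x.IdentityReference.Value) has $($x.FileSystemRights) on $($i.fullname)"
         $spacing = $true
         }
      }
   # Blank line after each folder that had at least one explicit entry
   If ($spacing){ Write-Host "";$spacing=$null }
   }
}

# Require a path argument and check that it exists.
# "return" ends the script here; "break" outside a loop can also stop a calling script.
If ($args[0]) { } Else {"usage: ./auditperms.ps1 `"`"";return}
$strpath = $args[0]
If (test-path $strpath){ } Else { "bad path!";return }

Write-Host "----------------------------------`nROOT FOLDER EXPLICITS"
$folderslist = Get-Item -path $strpath
GetExplicits $folderslist

# Recurse through subfolders only (files are filtered out)
Write-Host "----------------------------------`nSUBFOLDER EXPLICITS"
$folderslist = Get-ChildItem -path $strpath -recurse | where  {$_.psIscontainer -eq $true}
GetExplicits $folderslist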

0
